> Windows Syscalls
ntoskrnl.exeT1562.002T1134

NtPrivilegeObjectAuditAlarm

Emits a Security event-log entry reporting the use of one or more privileges on a specific object.

Prototype

NTSTATUS NtPrivilegeObjectAuditAlarm(
  PUNICODE_STRING SubsystemName,
  PVOID           HandleId,
  HANDLE          ClientToken,
  ACCESS_MASK     DesiredAccess,
  PPRIVILEGE_SET  Privileges,
  BOOLEAN         AccessGranted
);

Arguments

NameTypeDirDescription
SubsystemNamePUNICODE_STRINGinSubsystem name shown in the resulting event, e.g. L"Security".
HandleIdPVOIDinOpaque per-handle identifier for correlation with the matching open/close events.
ClientTokenHANDLEinImpersonation token of the client whose privilege use is being logged.
DesiredAccessACCESS_MASKinAccess mask the client was attempting to exercise when the privilege was checked.
PrivilegesPPRIVILEGE_SETinSet of privileges that were checked, e.g. {SE_SECURITY_PRIVILEGE} for SACL access.
AccessGrantedBOOLEANinTRUE if the operation succeeded (logged as 4673/4674 success), FALSE if it failed.

Syscall IDs by Windows version

Windows versionSyscall IDBuild
Win10 15070x123win10-1507
Win10 16070x129win10-1607
Win10 17030x12Dwin10-1703
Win10 17090x12Fwin10-1709
Win10 18030x131win10-1803
Win10 18090x132win10-1809
Win10 19030x133win10-1903
Win10 19090x133win10-1909
Win10 20040x138win10-2004
Win10 20H20x138win10-20h2
Win10 21H10x138win10-21h1
Win10 21H20x139win10-21h2
Win10 22H20x139win10-22h2
Win11 21H20x13Fwin11-21h2
Win11 22H20x141win11-22h2
Win11 23H20x141win11-23h2
Win11 24H20x143win11-24h2
Server 20160x129winserver-2016
Server 20190x132winserver-2019
Server 20220x13Ewinserver-2022
Server 20250x143winserver-2025

Kernel module

ntoskrnl.exeNtPrivilegeObjectAuditAlarm

Related APIs

ObjectPrivilegeAuditAlarmWPrivilegeCheckNtPrivilegedServiceAuditAlarmNtAccessCheckAndAuditAlarm

Syscall stub

4C 8B D1            mov r10, rcx
B8 43 01 00 00      mov eax, 0x143
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Generates Security event 4674 ("An operation was attempted on a privileged object") whenever a privileged operation against an *object* (not a service action — see NtPrivilegedServiceAuditAlarm for that) is checked. The classic example is calling backup APIs that internally exercise SeBackupPrivilege on a per-file basis: each privileged file open emits a 4674. The caller is responsible for invoking the syscall — privilege use is not audited automatically by the Object Manager, so a privileged subsystem that wants log fidelity must call it explicitly. Sysmon's Event ID 4673/4674 traces (when Sysmon is configured with the corresponding rules) back-fill the same data with additional process context.

Common malware usage

Almost none. Malware that uses privileges typically does so silently — calling NtPrivilegeObjectAuditAlarm would generate the very log entry it is trying to avoid. The only legitimate callers are MS-supplied subsystems that *want* audit fidelity (LSASS, ntdsa.dll, the Backup service, Defender for Identity sensors). Any caller outside that small set is suspicious primarily because it is so unusual.

Detection opportunities

Volume on a normal workstation is near-zero unless backup jobs are running. Sudden absence of expected 4674 events during a known privileged operation (e.g. a scheduled volume shadow copy) is a stronger signal than presence — it indicates the Event Log subsystem has been impaired (T1562.002). For positive detection, focus on 4674 events with privilege == SeDebugPrivilege, SeTcbPrivilege, or SeLoadDriverPrivilege issued by an unsigned image or by an image not normally seen with those privileges.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtPrivilegeObjectAuditAlarm (SSN 0x143, Win11 24H2)
NtPrivilegeObjectAuditAlarm PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 143h         ; SSN
    syscall
    ret
NtPrivilegeObjectAuditAlarm ENDP

cBackup service emitting a 4674 per protected file

// A backup service holding SeBackupPrivilege walks the volume and, for each
// file it opens via FILE_FLAG_BACKUP_SEMANTICS, explicitly emits a 4674
// so the Security log records *which* files were touched with the privilege.

LUID seBackupLuid;
LookupPrivilegeValueW(NULL, SE_BACKUP_NAME, &seBackupLuid);

struct {
    PRIVILEGE_SET ps;
    LUID_AND_ATTRIBUTES extra; // tail for >1 privilege
} pset = {
    .ps = { .PrivilegeCount = 1, .Control = PRIVILEGE_SET_ALL_NECESSARY,
            .Privilege = {{ .Luid = seBackupLuid, .Attributes = SE_PRIVILEGE_USED_FOR_ACCESS }} }
};
UNICODE_STRING sub = RTL_CONSTANT_STRING(L"Security");

NtPrivilegeObjectAuditAlarm(
    &sub,
    (PVOID)hFile,           // handle id
    hClientToken,
    FILE_GENERIC_READ,
    &pset.ps,
    TRUE);                  // access granted

rustWin32 PrivilegeCheck + ObjectPrivilegeAuditAlarmW

// The Win32 wrappers are PrivilegeCheck (decision) +
// ObjectPrivilegeAuditAlarmW (audit emission).
use windows_sys::Win32::Security::Authorization::ObjectPrivilegeAuditAlarmW;
use windows_sys::Win32::Security::*;

unsafe {
    let ok = ObjectPrivilegeAuditAlarmW(
        windows_sys::w!("Security"),
        handle_id as *mut _,
        client_token,
        desired_access,
        &priv_set as *const _ as *mut _,
        1, // access_granted
    );
    // ok != 0 -> the 4674 was emitted (assuming "Audit Privilege Use"
    // policy is enabled).
}

MITRE ATT&CK mappings

Last verified: 2026-05-20