> Windows Syscalls
ntoskrnl.exeT1562.002T1547.006

NtPrivilegedServiceAuditAlarm

Emits a Security event-log entry reporting a privileged service operation (event 4673).

Prototype

NTSTATUS NtPrivilegedServiceAuditAlarm(
  PUNICODE_STRING SubsystemName,
  PUNICODE_STRING ServiceName,
  HANDLE          ClientToken,
  PPRIVILEGE_SET  Privileges,
  BOOLEAN         AccessGranted
);

Arguments

NameTypeDirDescription
SubsystemNamePUNICODE_STRINGinSubsystem name shown in the resulting event, typically L"Security".
ServiceNamePUNICODE_STRINGinFree-form service name (e.g. L"DRIVERS", L"BackupService") attached to the event.
ClientTokenHANDLEinImpersonation token of the client whose privilege use is being recorded.
PrivilegesPPRIVILEGE_SETinSet of privileges exercised (e.g. {SeLoadDriverPrivilege}).
AccessGrantedBOOLEANinTRUE for a successful privileged operation, FALSE for an attempted-but-denied one.

Syscall IDs by Windows version

Windows versionSyscall IDBuild
Win10 15070x124win10-1507
Win10 16070x12Awin10-1607
Win10 17030x12Ewin10-1703
Win10 17090x130win10-1709
Win10 18030x132win10-1803
Win10 18090x133win10-1809
Win10 19030x134win10-1903
Win10 19090x134win10-1909
Win10 20040x139win10-2004
Win10 20H20x139win10-20h2
Win10 21H10x139win10-21h1
Win10 21H20x13Awin10-21h2
Win10 22H20x13Awin10-22h2
Win11 21H20x140win11-21h2
Win11 22H20x142win11-22h2
Win11 23H20x142win11-23h2
Win11 24H20x144win11-24h2
Server 20160x12Awinserver-2016
Server 20190x133winserver-2019
Server 20220x13Fwinserver-2022
Server 20250x144winserver-2025

Kernel module

ntoskrnl.exeNtPrivilegedServiceAuditAlarm

Related APIs

PrivilegedServiceAuditAlarmWPrivilegeCheckNtPrivilegeObjectAuditAlarmNtAccessCheckAndAuditAlarm

Syscall stub

4C 8B D1            mov r10, rcx
B8 44 01 00 00      mov eax, 0x144
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Sibling of NtPrivilegeObjectAuditAlarm — same shape, but for service-level (no per-object handle) privileged operations. Generates Security event 4673 ("A privileged service was called"). Canonical caller pattern: a service-mode component (e.g. the Service Control Manager loading a kernel driver via SeLoadDriverPrivilege, or the Plug and Play subsystem invoking SeUndockPrivilege) wants the action recorded under its own service identity. The 4673 event includes the service name supplied here, the privileges that were exercised, and the client token's user SID.

Common malware usage

Effectively none in commodity malware. The very purpose of the syscall is to leave a paper trail, which is the inverse of the malware operator's goal. The handful of in-the-wild observations are MS-signed components doing their normal job. Tools like Mimikatz that wield SeDebugPrivilege never call this syscall — they exercise the privilege silently because the Object Manager does not auto-audit privilege use.

Detection opportunities

Event 4673 volume on a clean workstation is dominated by a small set of legitimate operations (driver loads, scheduled-task runs as SYSTEM, WMI provider startups). Defenders should baseline 4673 by (ServiceName, PrivilegeList, ClientUserSid) and alert on novel tuples. Note: the *absence* of 4673 surrounding a SeLoadDriverPrivilege use (verifiable via service-control-manager Event 7045) is far more interesting than its presence — it signals either a non-SCM driver load (T1547.006) or audit-log tampering (T1562.002). Defender for Endpoint surfaces equivalent telemetry via the DeviceProcessEvents and DeviceEvents tables.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtPrivilegedServiceAuditAlarm (SSN 0x144, Win11 24H2)
NtPrivilegedServiceAuditAlarm PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 144h         ; SSN
    syscall
    ret
NtPrivilegedServiceAuditAlarm ENDP

cManual 4673 emission from a privileged backup service

// A backup component holding SeBackupPrivilege wants to explicitly record
// a 4673 every time it begins a privileged enumeration pass.

LUID seBackupLuid;
LookupPrivilegeValueW(NULL, SE_BACKUP_NAME, &seBackupLuid);

struct {
    PRIVILEGE_SET ps;
} pset = {
    .ps = { .PrivilegeCount = 1, .Control = PRIVILEGE_SET_ALL_NECESSARY,
            .Privilege = {{ .Luid = seBackupLuid, .Attributes = SE_PRIVILEGE_USED_FOR_ACCESS }} }
};

UNICODE_STRING sub = RTL_CONSTANT_STRING(L"Security");
UNICODE_STRING svc = RTL_CONSTANT_STRING(L"ContosoBackupService");

NTSTATUS s = NtPrivilegedServiceAuditAlarm(
    &sub, &svc,
    hClientToken,
    &pset.ps,
    TRUE);   // success

// Resulting Security event 4673 records:
//   Subject  : NT AUTHORITY\SYSTEM (the service)
//   Service  : ContosoBackupService
//   Privilege: SeBackupPrivilege

rustWin32 PrivilegedServiceAuditAlarmW wrapper

use windows_sys::Win32::Security::Authorization::PrivilegedServiceAuditAlarmW;
use windows_sys::Win32::Security::*;

unsafe {
    let ok = PrivilegedServiceAuditAlarmW(
        windows_sys::w!("Security"),
        windows_sys::w!("ContosoBackupService"),
        client_token,
        &priv_set as *const _ as *mut _,
        1, // access_granted
    );
    // ok != 0 -> Security 4673 emitted (subject to "Audit Privilege Use" policy).
}

MITRE ATT&CK mappings

Last verified: 2026-05-20