Large number of Event ID 4674 - seBackupPrivilege RRS feed

  • Question

  • I'm getting a large number of 4674 events on one of my 2 work computers (my laptop) with my non-admin account, and most of them reference the SeBackupPrivilige on files like firefox.exe. I am not in the Backup Operators group and a GPO report shows that User Rights Assignment for Backing up files is set to Backup Operators. I have verified that my account does not have full ntfs rights to system or program folders (eg, C:\Program Files (x86)\Mozilla Firefox).

    Running whoami /priv, I get:


    Privilege Name                Description                          State   
    ============================= ==================================== ========
    SeShutdownPrivilege           Shut down the system                 Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
    SeUndockPrivilege             Remove computer from docking station Disabled
    SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
    SeTimeZonePrivilege           Change the time zone                 Disabled

    Any idea how I might be getting the SeBackupPrivilege, or if there is some way for me to stop these events from logging just for my user id? I don't want to impact the normal logging function.

    As I say, this is on one of two computers. Both computers are in the same domain and get most of the same policies except for a few things set especially for laptops. My desktop computer does not have this problem.


    Thursday, August 13, 2020 3:56 PM

All replies

  • Moved to new Q and A site.


    Thursday, August 13, 2020 4:21 PM