How To Check Privileged Users on Windows

Cyber security is a very prominent issue in business today, and Microsoft, as the creator of the most popular computer operating system in the world, fully recognizes its importance. The latest versions of Windows include built-in basic tools, such as UEFI Secure Boot, cryptographic processing and virtualization, designed to help protect your data from potential breaches, hacker attacks and malware.

However, none of these measures is very effective against attacks coming from users who already have legitimate access to the system: malicious insiders. Successful prevention and detection of insider attacks requires a completely separate set of measures, such as protection of privileged accounts and user action monitoring.

Let us take a more detailed look at what Windows offers in this area out of the box and how built-in Windows features can be used to protect your company computers from insider threats.

Types of Windows accounts

In order to clearly assign privileges and preferences to a specific user, Windows employs various types of user accounts. Using a password-protected account is the easiest way to protect your data and system settings from being altered or even accessed without authorization. By restricting user privileges, you restrict their ability to conduct malicious actions.

Windows account policy has changed over the years to make it more secure and enterprise-friendly. Microsoft has gradually moved to fewer account types and fewer accounts created by default, in order to minimize the attack surface.

All Windows 7 editions feature the following three main types of accounts:

  • Administrator – the account with the highest level of Windows privileges and complete control over the PC. It can make any changes and install any software.
  • Standard user – a generic user account designed for everyday use, with limited access to core system settings. Changes made by this account will not affect other users.
  • Guest – a special account designed for one-time use. It has no password and does not allow the user to make any changes to the system.

Windows 8 and Windows 10 also use local Standard and Administrator account types, but they additionally introduce a separate Microsoft account. This account can be used across multiple Windows devices and Microsoft services. It lets you sign in with your email address and, unlike local accounts, which can be used without a password, it is always password-protected.

The simplest way to check administrator rights on Windows 7 and older versions is through Control Panel, where you can also change an account's type if you have sufficient permissions. The same can be done via Local Users and Groups, or from the command line with commands such as whoami /priv.
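The checks described above, scripted for review rather than clicked through in Control Panel. This is an added example and not code from the original article; it assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later, where the Get-LocalUser and Get-LocalGroupMember cmdlets are built in, and it inspects only the local machine.

```powershell
# Added example: enumerate local privileged accounts and check the current session's elevation.
# Assumes PowerShell 5.1+ on Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).

# 1. Is the current session running with an elevated administrator token?
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Current user {0} elevated: {1}" -f $identity.Name, $isElevated)

# 2. Who is in the local Administrators group? For local user accounts, also record
#    whether the account is enabled and whether a password is required at all.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $enabled = $null
    $pwReq   = $null
    if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
        $u       = Get-LocalUser -SID $_.SID
        $enabled = $u.Enabled
        $pwReq   = $u.PasswordRequired
    }
    [pscustomobject]@{
        Name             = $_.Name
        ObjectClass      = $_.ObjectClass
        PrincipalSource  = $_.PrincipalSource   # Local, ActiveDirectory or MicrosoftAccount
        SID              = $_.SID.Value
        Enabled          = $enabled
        PasswordRequired = $pwReq
    }
}
$admins | Format-Table -AutoSize

# 3. Flag the conditions a reviewer cares about: an enabled Guest account, an enabled
#    built-in Administrator (RID 500), and administrators that do not require a password.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { Write-Warning 'Guest account is enabled' }

$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Enabled) {
    Write-Warning "Built-in Administrator ($($builtinAdmin.Name)) is enabled"
}

$admins | Where-Object { $_.PasswordRequired -eq $false } | ForEach-Object {
    Write-Warning "Administrator $($_.Name) does not require a password"
}

# 4. Privileges held by the current token (the same information as 'whoami /priv'),
#    filtered down to the ones that are currently enabled.
whoami /priv | Select-String 'Enabled'
```

Run it from the account you want to assess; step 1 tells you whether that session is actually elevated, step 2 lists every principal that holds local administrator rights (including domain groups and Microsoft accounts), and step 3 turns the article's advice about keeping privileges low and passwords protected into concrete warnings.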

The Windows account system becomes a little more complicated when domain accounts are used, but the basic principles are the same. The Administrator has all rights, can make any system changes and can collect all the necessary data using the built-in monitoring and diagnostic tools. With well-configured policies, these tools make it possible to detect insider attacks, such as data misuse by non-privileged accounts, but most of them will prove ineffective against users with Windows administrator rights.

Now, let’s look at what those tools are and how they can be utilized.

Windows Event Viewer

Windows Event Viewer is the most basic feature: it logs every system event and sorts them into different categories. Traditionally, these categories included Application, Security, System and Setup; however, since Windows Server 2012, Microsoft has also included separate application and service logs, allowing you to look up the logs for a specific application with less clutter.

Event Viewer is easily searchable and can give you some insight into user actions, but ultimately it is an administrative tool designed for troubleshooting applications, and it does not provide all the information necessary for insider threat detection.

Local policy editing and auditing

Microsoft also has a built-in auditing feature that allows you to track various events, such as object access, privilege use, logon events and policy changes, on a per-user basis. It can be used locally or, with Windows Server, to audit remote and domain users. This audit feature gives you an accurate picture of certain types of user activity and is fairly easy to use. Its most useful capability is file access auditing, which lets you see when data was accessed or altered in any way. However, the feature is fairly limited in what it can monitor and in how it presents its data, which makes it not very effective for detecting insider threats.
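The file access auditing described above, set up end to end: enable the audit policy subcategory, attach an audit entry (SACL) to a folder, then read the resulting Security-log events back for review. This is an added example and not code from the original article; it assumes an elevated PowerShell session on Windows 10 / Server 2016 or later. The folder path and the 24-hour window are placeholders chosen for the example.

```powershell
# Added example: configure object-access auditing on one folder and pull the related
# Security-log events. Assumes an elevated session; the path below is a placeholder.

$folder = 'C:\Shares\Finance'   # placeholder path

# 1. The SACL below does nothing unless the "File System" audit subcategory is enabled.
#    auditpol is the built-in tool for per-subcategory audit policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry: record successful and failed Write/Delete by any authenticated
#    user, inherited by all files and subfolders. -Audit is required to read/write the SACL.
$acl  = Get-Acl -Path $folder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read back the events that matter for privileged-user review:
#    4663 = object access attempt (from the SACL above)
#    4672 = special privileges assigned to a new logon (an administrator signed in)
#    4732 = member added to a security-enabled local group (e.g. Administrators)
#    4719 = system audit policy was changed (someone altering the audit trail itself)
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4672, 4732, 4719
    StartTime = $since
}

# Each event carries its fields as <Data Name="...">value</Data> elements; flatten them.
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        User       = $data['SubjectUserName']
        Object     = $data['ObjectName']     # filled for 4663
        AccessMask = $data['AccessMask']     # filled for 4663
        Privileges = $data['PrivilegeList']  # filled for 4672
        Member     = $data['MemberName']     # filled for 4732
    }
}
$report | Sort-Object Time | Format-Table -AutoSize
```

The output is the article's "accurate picture for certain types of user activity" in tabular form: who touched what in the audited folder, which logons arrived carrying administrative privileges, and whether anyone changed group membership or the audit policy itself. It also shows the limitation the article points to: the data is one flat table per machine, and an administrator can clear the Security log or change the policy that feeds it.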

Network monitoring

There are several built-in ways to monitor network traffic in Windows. You can use CMD commands to sniff packets, or use the Network tab of Resource Monitor. Resource Monitor is an application designed to track various performance metrics of the system, such as CPU and disk usage, but you can also use it to check network traffic. However, you cannot save any network usage data with it for later review, which leaves only real-time monitoring on the table, making it fairly ineffective for protection against insider threats and data misuse.
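One way to get the "save it for later" capability the article says Resource Monitor lacks, using only built-in cmdlets: periodically snapshot established TCP connections together with the owning process and the account it runs as, and append them to a CSV. This is an added example and not code from the original article; it assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection is in the NetTCPIP module) and an elevated session (Get-Process -IncludeUserName requires it). The output path and interval are placeholders.

```powershell
# Added example: record who is talking to what, since Resource Monitor cannot save its data.
# Assumes Windows 8 / Server 2012+ and an elevated session. Path and interval are placeholders.

$outFile  = 'C:\Logs\net-snapshots.csv'   # placeholder output path
$interval = 60                             # seconds between snapshots (placeholder)

function Get-ConnectionSnapshot {
    # Build a PID -> process lookup once per snapshot rather than once per connection.
    $procs = @{}
    Get-Process -IncludeUserName | ForEach-Object { $procs[$_.Id] = $_ }
    $stamp = Get-Date

    Get-NetTCPConnection -State Established | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Time          = $stamp
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            ProcessId     = $_.OwningProcess
            ProcessName   = $p.ProcessName
            UserName      = $p.UserName      # the account the process runs as
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
while ($true) {
    Get-ConnectionSnapshot | Export-Csv -Path $outFile -Append -NoTypeInformation
    Start-Sleep -Seconds $interval
}
```

For review later, Import-Csv the file and group by UserName and RemoteAddress to see which accounts sustained connections to which hosts over time. The same caveat as with the other built-in tools applies: a user with administrator rights can stop the script or delete the CSV, so this is a snapshot of connections, not packet contents, and not a substitute for monitoring that the monitored user cannot tamper with.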

The Windows family of operating systems has various built-in monitoring tools, all of which are ultimately designed for troubleshooting and fall short when it comes to employee monitoring and protection from insider threats. The Windows account system can be effective when users are kept at a low level of privilege and their passwords are thoroughly protected, but it cannot provide any protection against, or give any insight into, the actions of privileged users. The question then is how to check privileged users on Windows and gain insight into their actions.

If you wish to truly protect your company from insider threats, you would be much better off using a professional privileged activity monitoring solution, specifically designed to record user actions. Such a system is thoroughly protected and is able to gather and sort all the necessary data in order to provide effective prevention and detection of insider threats.

Irfan Shakeel
Irfan Shakeel is the founder of the ehacking project and also hosts cyber security training classes at EH Academy. He has discovered many vulnerabilities in well-known platforms (such as Google, Dailymotion and Harvard University). He specializes in network hacking, VoIP pentesting and digital forensics, and is the author of the book titled "Hacking from Scratch".
