
Windows Privileges

The document lists several Windows security privileges including the ability to replace process tokens, create symbolic links, increase scheduling priority, lock pages in memory, modify object labels, shutdown the system, profile system performance, access the credential manager as a trusted caller, create permanent objects, generate security audits, adjust process memory quotas, and create token objects.

Uploaded by whitehat.nf

Replace a process-level token. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
SeAssignPrimaryTokenPrivilege

Create symbolic links. Can reveal security flaws in programmes that are not built to handle symbolic links.
SeCreateSymbolicLinkPrivilege

Create a pagefile. Checked by NtCreatePagingFile, which is the function used to create a new paging file.
SeCreatePagefilePrivilege

Increase a process working set. To raise the minimal working set, SetProcessWorkingSetSize must be called.
SeIncreaseWorkingSetPrivilege

Increase scheduling priority. Checked by the process manager and is required to raise the priority of a process.
SeIncreaseBasePriorityPrivilege

Profile single process. When using NtQuerySystemInformation to obtain information for a specific process, Superfetch and the prefetcher check this value.
SeProfileSingleProcessPrivilege

Lock pages in memory. Checked by NtLockVirtualMemory, the kernel implementation of VirtualLock.
SeLockMemoryPrivilege

Modify an object label. Checked by the SRM when raising the integrity level of an object owned by another user.
SeRelabelPrivilege

Shut down the system. NtShutdownSystem and NtRaiseHardError, which display a system error dialogue box on the interactive terminal, are used to check for problems.
SeShutdownPrivilege

Profile system performance. Checked by NtCreateProfile, the function used to perform profiling of the system. This is used by the Kernprof tool, for example.
SeSystemProfilePrivilege

Access Credential Manager as a trusted caller. The Credential Manager checks to see if it can trust the caller with unencrypted access to credentials.
SeTrustedCredManAccessPrivilege

Create permanent shared objects. Checked by the object manager when creating a permanent object.
SeCreatePermanentPrivilege

Generate security audits. With this privilege, the user can add entries to the security log.
SeAuditPrivilege

Adjust memory quotas for a process. Enforced when changing a process’s working set thresholds, a process’s paged and nonpaged pool quotas, and a process’s CPU rate quota.
SeIncreaseQuotaPrivilege

Create a token object. Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
SeCreateTokenPrivilege

Add workstations to the domain. Checked by the SAM on a domain controller when creating a machine account in a domain.
SeMachineAccountPrivilege

Load and unload device drivers. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL.
SeLoadDriverPrivilege

Force shutdown from a remote system. Winlogon checks that remote callers of the InitiateSystemShutdown function have this privilege.
SeRemoteShutdownPrivilege

Debug programs. Required to debug and adjust the memory of a process owned by another account.
SeDebugPrivilege

Change the system time. Required to change the time or date.
SeSystemtimePrivilege

Access this computer from the network. Determines which users can connect to the device from the network.
SeNetworkLogonRight

Manage auditing and security log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
SeSecurityPrivilege

Allow log on locally. This policy setting determines which users can start an interactive session on the device.
SeInteractiveLogonRight

Act as part of the operating system. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTcbPrivilege

Allow log on through Remote Desktop Services. This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.
SeRemoteInteractiveLogonRight

Back up files and directories. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
SeBackupPrivilege

Create global objects. This policy setting determines which users can create global objects that are available to all sessions.
SeCreateGlobalPrivilege

Perform volume maintenance tasks. Enforced by file system drivers during a volume open operation, which is required to perform disk-checking.
SeManageVolumePrivilege

Deny access to this computer from the network. This security setting determines which users are prevented from accessing a device over the network.
SeDenyNetworkLogonRight

Restore files and directories. Grant access to any file or directory, regardless of the security descriptor that’s present: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY and DELETE.
SeRestorePrivilege

Deny log on as a batch job. This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future.
SeDenyBatchLogonRight

Deny log on as a service. This policy setting determines which users are prevented from logging on to the service applications on a device.
SeDenyServiceLogonRight

Change the time zone. Required to change the time zone.
SeTimeZonePrivilege

Bypass traverse checking. Avoid checking permissions on intermediate directories of a multilevel directory lookup.
SeChangeNotifyPrivilege

Deny log on locally. This policy setting determines which users are prevented from logging on directly at the device's console.
SeDenyInteractiveLogonRight

Enable computer and user accounts to be trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object.
SeEnableDelegationPrivilege

Deny log on through Remote Desktop Services. This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services.
SeDenyRemoteInteractiveLogonRight

Synchronize directory service data. Required to use the LDAP directory synchronization services. It allows the holder to read all objects and properties in the directory.
SeSyncAgentPrivilege

Log on as a batch job. This policy setting determines which accounts can sign in by using a batch-queue tool such as the Task Scheduler service.
SeBatchLogonRight

Take ownership of files and other objects. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
SeTakeOwnershipPrivilege

Log on as a service. This policy setting determines which service accounts can register a process as a service.
SeServiceLogonRight

Impersonate a client after authentication. With this privilege, the user can impersonate other accounts.
SeImpersonatePrivilege

Obtain an impersonation token for another user in the same session. This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user.
SeDelegateSessionUserImpersonatePrivilege

Modify firmware environment variables. Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemEnvironmentPrivilege

Remove computer from a docking station. Checked by the user-mode Plug and Play manager when a computer undock is initiated.
SeUndockPrivilege

@hackinarticles https://github.com/Ignitetechnologies https://in.linkedin.com/company/hackingarticles
