From version 9.1 the Splunk Universal Forwarder (UF) supports running in its own low-privilege context, a per-service virtual account, instead of LocalSystem.
Installation
msiexec.exe /i splunkforwarder-9.1xxxxxxxx.msi AGREETOLICENSE=yes USE_VIRTUAL_ACCOUNT=1 /quiet
The service will then run as "NT SERVICE\SplunkForwarder".
"NT SERVICE\SplunkForwarder" must be added to the local "Event Log Readers" group, otherwise the forwarder cannot read the Windows event logs.
Add-LocalGroupMember -Group "Event Log Readers" -Member "NT SERVICE\SplunkForwarder"
On a Swedish client with 9.1.1 the group name is localized:
Add-LocalGroupMember -Group "Händelseloggläsare" -Member "NT SERVICE\SplunkForwarder"
Manually change the run-as account of the service:
sc.exe config "splunkforwarder" obj="NT SERVICE\SplunkForwarder"
Or back to LocalSystem:
sc.exe config "splunkforwarder" obj="LocalSystem" password=""
Check which account is running the Splunk UF:
(Get-WmiObject Win32_Service -Filter "Name='splunkforwarder'").StartName
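The steps above (install with a virtual account, add it to Event Log Readers, check the run-as account) as one verification script. This is an added example, not part of the original notes or of Splunk's own tooling. It assumes the service name "splunkforwarder" and the account "NT SERVICE\SplunkForwarder" from the notes above; the group is resolved by its well-known SID (S-1-5-32-573) so the check works on localized Windows such as the Swedish client mentioned, and the member test compares SIDs rather than display names. The -Remediate switch and the variable names are this example's own.

```powershell
# Added example (not from the original notes): verify that the Splunk UF service runs
# under its virtual account and that the account is a member of Event Log Readers.
# Run elevated. Pass -Remediate to add the account to the group if it is missing.
param([switch]$Remediate)

$ServiceName        = 'splunkforwarder'               # assumed service name (from the notes)
$ExpectedAccount    = 'NT SERVICE\SplunkForwarder'    # virtual account name follows the service name
$EventLogReadersSid = 'S-1-5-32-573'                  # well-known SID of BUILTIN\Event Log Readers

# 1. Which account is the service configured to run as? (Get-CimInstance replaces Get-WmiObject)
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
Write-Host "Service '$ServiceName' runs as: $($svc.StartName)"

if ($svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Forwarder still runs as LocalSystem (full privileges); USE_VIRTUAL_ACCOUNT=1 was not applied.'
}

# 2. Resolve the virtual account to its SID (S-1-5-80-...) so the comparison is name-independent.
$expectedSid = ([System.Security.Principal.NTAccount]$ExpectedAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 3. Resolve the group by SID: works whether it is called "Event Log Readers" or "Händelseloggläsare".
$group   = Get-LocalGroup -SID $EventLogReadersSid
# Get-LocalGroupMember can fail on orphaned member SIDs; keep going and report what resolved.
$members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
$isMember = ($members | Where-Object { $_.SID.Value -eq $expectedSid }) -ne $null

if ($isMember) {
    Write-Host "'$ExpectedAccount' is a member of '$($group.Name)'"
} else {
    Write-Warning "'$ExpectedAccount' is NOT a member of '$($group.Name)'; Windows event log inputs will fail."
    if ($Remediate) {
        Add-LocalGroupMember -Group $group -Member $ExpectedAccount
        Write-Host "Added '$ExpectedAccount' to '$($group.Name)'"
    }
}
```

Resolving both the account and the group by SID avoids two common false negatives: localized group names, and the fact that the run-as name in the service configuration and the name shown by Get-LocalGroupMember do not always match byte for byte.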