Event ID: 4611

A trusted logon process has been registered with the Local Security Authority

A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Logon Process Name: %5
Microsoft Documentation

Event ID - 4611

This event indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source.

At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.

A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.).

You typically see these events during operating system startup or user logon and authentication actions.

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any ComputerName$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Logon Process Name LogonProcessName %5 Any Winlogon

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security System Extension"
How to enable Windows Auditing

LEFT/RIGHT arrow keys for navigation

Back to List