Event ID: 4904

An attempt was made to register a security event source

An attempt was made to register a security event source.

Subject :
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

    Process ID:   %7
    Process Name: %8

Event Source:
    Source Name:     %5
    Event Source ID: %6

This event generates every time a new security event source is registered. This event is typically triggered by the SYSTEM account as would typically list SYSTEM as the Security ID value.

You can typically see this event during system startup, if specific roles (Internet Information Services, or FSRM, for example) are installed in the system.

Auditing:     Always

Since the volume of this event is low, it's recommended to audit this event.

Volume:     Low

Microsoft Documentation

Event ID - 4904

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SYSTEM
Account Name SubjectUserName %2 Any DC01$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Source Name AuditSourceName %5 Any FSRM Audit
Event Source ID EventSourceId %6 Any 0x1cc4e
Process ID ProcessId %7 Any 0x688
Process Name ProcessName %8 Any C:\Windows\System32\svchost.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Audit Policy Change"

LEFT/RIGHT arrow keys for navigation

Back to List