Event ID 4904

An attempt was made to register a security event source 

An attempt was made to register a security event source.

Subject :
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Process:
    Process ID:   %7
    Process Name: %8

Event Source:
    Source Name:     %5
    Event Source ID: %6


This event generates every time a new security event source is registered. This event is typically triggered by the SYSTEM account as would typically list SYSTEM as the Security ID value.

You can typically see this event during system startup, if specific roles (Internet Information Services, or FSRM, for example) are installed in the system.

Auditing:     Always

Since the volume of this event is low, it's recommended to audit this event.


Volume:     Low


Microsoft Documentation

Event ID - 4904



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SYSTEM
Account Name SubjectUserName %2 Any DC01$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Source Name AuditSourceName %5 Any FSRM Audit
Event Source ID EventSourceId %6 Any 0x1cc4e
Process ID ProcessId %7 Any 0x688
Process Name ProcessName %8 Any C:\Windows\System32\svchost.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Audit Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Policy Change

Audit Subcategory:
Audit Policy Change
Legacy Events:
808

LEFT/RIGHT arrow keys for navigation

Back to List