| Operating Systems | Windows Vista, Windows Server 2008 |
| Category • Subcategory | System • Security System Extension |
| Type | Success |
| Corresponding events in Windows 2003 and before | 515 |
4611: A trusted logon process has been registered with the Local Security Authority
An occurrence of event 4611 is logged at startup and occasionally afterwards for each logon process on the system.
A logon process is a trusted part of the operating system and handles the overall logon function for different logon methods, including incoming RAS connections, RunAs, interactive logons initiated by Ctrl+Alt+Del, and network logons (as in drive mappings).
Because logon processes are such trusted functions, a rogue logon process would be a devastating security breach--but an improbable one, given the effort and skill required.
Standard logon processes for Windows Server 2008:
- Winlogon
- Schannel
- KSecDD
- Secondary Logon Service (runas)
- IKE
- HTTP.SYS
- SspTest
- dsRole
- DS Replication
- CredProvConsent (user account control)
Subject:
- Security ID: %1 (SubjectUserSid; in this case "SYSTEM" or S-1-5-18)
- Account Name: %2 (SubjectUserName)
- Account Domain: %3 (SubjectDomainName)
- Logon ID: %4 (SubjectLogonId)
- Logon Process Name: %5 (LogonProcessName)
A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Subject:
Security ID: SYSTEM
Account Name: MS4$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Process Name: IKE
----
Example from Server 2008 R2:
A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Subject:
Security ID: SYSTEM
Account Name: WIN-KOSWZXC03L0$
Account Domain: W8R2
Logon ID: 0x3e7
Logon Process Name: Winlogon
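
A baseline check built on the list of standard logon processes and the event layout shown above, as an added example that is not part of the original page: it parses event 4611 text and reports any registration whose logon process name is missing from the page's Server 2008 list or whose subject is not SYSTEM. The function names, the `HOST-A$` host and the `ExampleProc` process name are constructed for illustration.

```python
import re

# Baseline copied from the page's Windows Server 2008 list; extend it with
# names observed on known-good builds in your own environment.
BASELINE = {"winlogon", "schannel", "ksecdd", "secondary logon service", "ike",
            "http.sys", "ssptest", "dsrole", "ds replication", "credprovconsent"}
SYSTEM_IDS = {"system", "s-1-5-18"}
HEADER = "A trusted logon process has been registered"
FIELD = re.compile(r"^[ \t]*-?[ \t]*(Security ID|Account Name|Account Domain|"
                   r"Logon ID|Logon Process Name):[ \t]*(.*?)[ \t]*$", re.M)

def parse_4611(text):
    """Split exported event text into one field dict per 4611 message."""
    return [dict(FIELD.findall(chunk)) for chunk in text.split(HEADER)[1:]]

def review(events):
    """Return (event, reasons) for every event that deviates from the baseline."""
    findings = []
    for ev in events:
        reasons = []
        name = ev.get("Logon Process Name", "")
        if name.lower() not in BASELINE:
            reasons.append("logon process %r not in baseline" % name)
        if ev.get("Security ID", "").lower() not in SYSTEM_IDS:
            reasons.append("subject is not SYSTEM")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample: the first event mirrors the page's example; the second
# uses a made-up host and process name (padded with spaces) to show a finding.
SAMPLE = """\
A trusted logon process has been registered with the Local Security Authority.
Subject:
  Security ID: SYSTEM
  Account Name: MS4$
  Logon ID: 0x3e7
  Logon Process Name: IKE
A trusted logon process has been registered with the Local Security Authority.
Subject:
  Security ID: SYSTEM
  Account Name: HOST-A$
  Logon Process Name: ExampleProc   
"""

if __name__ == "__main__":
    for ev, reasons in review(parse_4611(SAMPLE)):
        print(ev.get("Account Name"), "; ".join(reasons))
```

A name outside the baseline is a prompt to identify which installed component registered it, since third-party security packages can legitimately add entries.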