Windows Security Log Event ID 4611

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: System
Subcategory: Security System Extension
Type: Success
Corresponding events in Windows 2003 and before: 515

4611: A trusted logon process has been registered with the Local Security Authority

An occurrence of event 4611 is logged at startup and occasionally afterwards for each logon process on the system.

A logon process is a trusted part of the operating system and handles the overall logon function for different logon methods including incoming RAS connections, RunAs, interactive logons initiated by CtrlAltDel, and network logons (as in drive mappings).

Because logon processes are such trusted functions, a rogue logon process would be a devastating security breach--but an improbable one, given the effort and skill required.

Standard logon processes for Windows Server 2008:

  • Winlogon
  • Schannel
  • KSecDD
  • Secondary Logon Service (runas)
  • IKE
  • HTTP.SYS
  • SspTest
  • dsRole
  • DS Replication
  • CredProvConsent (user account control)

Description Fields in 4611

 Subject:

  •  Security ID:  %1 (SubjectUserSid; in this case "SYSTEM" or S-1-5-18)
  •  Account Name:  %2 (SubjectUserName)
  •  Account Domain:  %3 (SubjectDomainName)
  •  Logon ID:  %4 (SubjectLogonId)

 Logon Process Name:  %5 (LogonProcessName)

Examples of 4611

A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

Subject:

Security ID:  SYSTEM
Account Name:  MS4$
Account Domain:  WORKGROUP
Logon ID:  0x3e7

Logon Process Name:  IKE


Example from Server 2008 R2:

A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

Subject:
  Security ID:  SYSTEM
  Account Name:  WIN-KOSWZXC03L0$
  Account Domain:  W8R2
  Logon ID:  0x3e7

Logon Process Name:  Winlogon
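
The rogue-logon-process concern described above can be monitored by comparing each 4611 registration against the standard list. The following Python is an added example, not part of the original page: it parses events in the Windows event XML layout and flags names outside that baseline. The sample records, the `make_event` helper, and the assumption that the list's labels equal the logged `LogonProcessName` strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"
# Baseline from the page's Server 2008 list, parenthetical notes dropped.
# Assumption: these match the strings your hosts log; confirm on a known-good machine.
BASELINE = {n.casefold() for n in (
    "Winlogon", "Schannel", "KSecDD", "Secondary Logon Service", "IKE",
    "HTTP.SYS", "SspTest", "dsRole", "DS Replication", "CredProvConsent")}

def parse_4611(xml_text):
    """Return the EventData fields of a 4611 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4611":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}

def review(xml_events):
    """Return (account, logon process, reason) for registrations to review."""
    findings = []
    for xml_text in xml_events:
        fields = parse_4611(xml_text)
        if fields is None:
            continue  # not a 4611 record
        account = fields.get("SubjectUserName", "")
        name = fields.get("LogonProcessName", "")
        if name.casefold() not in BASELINE:
            findings.append((account, name, "not in baseline"))
        elif fields.get("SubjectUserSid") != SYSTEM_SID:
            # The page's examples all show SYSTEM as the subject.
            findings.append((account, name, "subject is not SYSTEM"))
    return findings

def make_event(event_id, sid, account, process):
    # Hypothetical helper: builds a constructed record for the samples below.
    data = {"SubjectUserSid": sid, "SubjectUserName": account,
            "LogonProcessName": process}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed sample records, not taken from a real log.
SAMPLE = [
    make_event(4611, SYSTEM_SID, "MS4$", "IKE"),
    make_event(4611, SYSTEM_SID, "MS4$", "Winlogon "),  # trailing space is stripped
    make_event(4611, SYSTEM_SID, "MS4$", "ExampleUnknownProc"),
    make_event(4611, "S-1-5-21-0-0-0-1001", "MS4$", "Schannel"),
    make_event(4624, SYSTEM_SID, "MS4$", "ExampleUnknownProc"),  # other event ID
]
```

Calling `review(SAMPLE)` returns the two registrations that deviate from the baseline; in practice the baseline should be extended with any additional logon processes observed on known-good builds of the operating system version in use.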
