Windows Security Log Event ID 4615

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
 • System Integrity
Type Success
Corresponding events
in Windows 2003
and before

4615: Invalid use of LPC port

On this page

LPC is used for communication between threads or processes or for communication between kernel mode and user mode components. The communication can be on the same computer between the client and server functions. In 2000 there were several LPC port spoofing vulnerabilities patched for Windows NT.

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

Free Security Log Resources by Randy

Description Fields in 4615


  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Process Information:

  •  PID:   %7
  •  Name:   %8

Other Information:

  • Invalid Use:  %5
  • LPC Server Port Name: %6

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 4615

Invalid use of LPC port.

Security ID:  %1
     Account Name:  %2
     Account Domain:  %3
     Logon ID:  %4

Process Information:
PID:   %7
     Name:   %8

Other Information:
     Invalid Use:  %5
LPC Server Port Name: %6

Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA's use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources