Windows Security Log Event ID 4905

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Policy Change
 • Audit Policy Change
Type Success
Corresponding events
in Windows 2003
and before

4905: An attempt was made to unregister a security event source

On this page

Windows allows applications to report their own security events to the security log by registering through Authorization Manager with LSA as a security event source using the AuthzRegisterSecurityEventSource function. 

Later applications can unregister by calling AuthzUnregisterSecurityEventSource.  Windows logs this event, 4904, when such an application calls AuthzUnregisterSecurityEventSource and thus provides an audit trail of applications that report custom security events.  It is normal to see this event logged for several built-in components of Windows including IIS and DFS-R.

Free Security Log Resources by Randy

Description Fields in 4905


The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Process Information:

These fields tell you the program that unregistered the event source.

  • Process ID: the process ID specified when the executable started as logged in 4688.
  • Process Name: identifies the program executable. 

Event Source:

  • Source Name: Name of the event source.  This is the same as the Event Sources: field in the Filter dialog in EventViewer.
  • Event Source ID: unknown.  Start discussion below if you have information to share on this field!


Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.



Examples of 4905

An attempt was made to unregister a security event source.


   Security ID:  SYSTEM
   Account Name:  WIN-857ZZX6RQHL$
   Account Domain:  ACME-FR
   Logon ID:  0x3e7


   Process ID: 0xd8
   Process Name: C:\Windows\System32\inetsrv\inetinfo.exe

Event Source:

   Source Name: IIS-METABASE
   Event Source ID: 0x167763

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources