An attempt was made to unregister a security event source
On this page
Windows allows applications to report their own security events to the security log by registering through Authorization Manager with LSA as a security event source using the AuthzRegisterSecurityEventSource function.
Later applications can unregister by calling AuthzUnregisterSecurityEventSource. Windows logs this event, 4904, when such an application calls AuthzUnregisterSecurityEventSource and thus provides an audit trail of applications that report custom security events. It is normal to see this event logged for several built-in components of Windows including IIS and DFS-R.
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
These fields tell you the program that unregistered the event source.
- Process ID: the process ID specified when the executable started as logged in 4688.
- Process Name: identifies the program executable.
- Source Name: Name of the event source. This is the same as the Event Sources: field in the Filter dialog in EventViewer.
- Event Source ID: unknown. Start discussion below if you have information to share on this field!
Top 10 Windows Security Events to Monitor
An attempt was made to unregister a security event source.
Security ID: SYSTEM
Account Name: WIN-857ZZX6RQHL$
Account Domain: ACME-FR
Logon ID: 0x3e7
Process ID: 0xd8
Process Name: C:\Windows\System32\inetsrv\inetinfo.exe
Source Name: IIS-METABASE
Event Source ID: 0x167763
Keep me up-to-date on the Windows Security Log.
*We will NOT share this