Windows Security Log Event ID 515

515: A trusted logon process has registered with the Local Security Authority

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

An occurrence of event 515 is logged at startup and occasionally afterwards for each logon process on the system.

A logon process is a trusted part of the operating system and handles the overall logon function for different logon methods including incoming RAS connections, RunAs, interactive logons initiated by CtrlAltDel, and network logons (as in drive mappings).

Because logon processes are such trusted functions, a rogue logon process would be a devastating security breach--but an improbable one, given the effort and skill required.

Standard logon process for Windows Server 2003: 

• KSecDD
• RASMAN
• Secondary Logon Service
• LAN Manager Workstation Service
• CHAP
• DCOMSCM
• Winlogon
• Winlogon\MSGina

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 515

• Logon Process Name: name of the logon process

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy