4608 Windows is starting up
Written when the LSASS process starts and the auditing subsystem (the log-collection mechanism) is initialized. It is the reference point marking an OS startup.
Overview
The subcategory is Audit Security State Change. It is recorded when LSASS.EXE (the core process that handles authentication and auditing) starts and the auditing feature comes up, normally during OS startup. It carries no specific data fields.
How it is triggered
- When the auditing subsystem is initialized during system startup (power-on or restart).
- Generally one per boot. Every security event afterward is recorded within the uptime that begins from this 4608.
Security review points
- Lets you track system startups. Pair it with the stop event 1100 or 4609 (Windows shutting down) to build an up/down timeline.
- Unplanned or frequent restarts can indicate attempts to destabilize or crash a system, or deliberate reboots to apply settings.
- If a lone 4608 appears after the log was cut off, pay attention to the gap before it (a missing stop event).
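The pairing described in the review points above, as an added example that is not part of the original page: it pairs each 4608 with the next 1100 or 4609 on the same host and flags a 4608 that arrives with no stop event since the previous boot. The tuple input format, the sample events, the host name and the use of 4624 as "any other Security event" are assumptions constructed for illustration.

```python
from datetime import datetime

BOOT, STOPS = 4608, {1100, 4609}  # event IDs named on this page

# Constructed sample (TimeCreated, EventID, Computer); not real log data.
SAMPLE = [
    ("2024-05-01T08:00:05", 4608, "HOST-A"),
    ("2024-05-01T08:01:10", 4624, "HOST-A"),  # any other Security event (assumed)
    ("2024-05-01T18:30:00", 1100, "HOST-A"),  # stop event closes the first uptime
    ("2024-05-02T08:00:07", 4608, "HOST-A"),
    ("2024-05-02T11:42:00", 4624, "HOST-A"),  # last event before the log goes quiet
    ("2024-05-02T13:15:30", 4608, "HOST-A"),  # lone 4608: no stop event before it
]


def boot_timeline(events):
    """Pair each 4608 with the stop event that ended that uptime, per host."""
    rows = sorted((datetime.fromisoformat(t), eid, host) for t, eid, host in events)
    sessions, open_boot, last_seen = [], {}, {}
    for ts, eid, host in rows:
        if eid == BOOT:
            prev = open_boot.get(host)
            if prev is not None:
                # A new boot with no 1100/4609 since the previous one.
                prev["stop_recorded"] = False
                prev["gap_before_next_boot"] = ts - last_seen[host]
            open_boot[host] = {"host": host, "boot": ts, "stop": None,
                               "stop_recorded": None, "gap_before_next_boot": None}
            sessions.append(open_boot[host])
        elif eid in STOPS:
            session = open_boot.pop(host, None)  # first stop event closes the uptime
            if session is not None:
                session.update(stop=ts, stop_recorded=True)
        last_seen[host] = ts
    return sessions


def missing_stops(sessions):
    """Uptimes that ended without a stop event: the gaps worth reviewing."""
    return [s for s in sessions if s["stop_recorded"] is False]


if __name__ == "__main__":
    for s in boot_timeline(SAMPLE):
        print(s["host"], s["boot"], s["stop"], s["stop_recorded"], s["gap_before_next_boot"])
```

A `stop_recorded` value of `None` means the uptime is still open at the end of the data, which is expected for the most recent boot.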
Notes for log review
- It appears on every startup even in normal operation; it is a reference event, not noise. Ask whether the timing was unplanned rather than how many there are.
- Because it is the start of auditing, checking which accounts or services began running right after the 4608 (logons or service starts) helps you understand boot-time behavior.
Key fields
It carries no specific data fields. Use Computer and TimeCreated to confirm the host and time of startup.