4611 A trusted logon process has been registered with the LSA
Written when a process that handles logon is confirmed and registered with the LSA as a trusted logon process. From then on, logon requests from that source are accepted.
Overview
The subcategory is Audit Security System Extension. A logon process is a trusted OS component (such as Winlogon) that coordinates the various logon methods (network, interactive, and so on). Strictly speaking the event comes not from the registration itself but from a confirmation that the process is a trusted logon process. It is seen during OS startup and during user logon and authentication.
How it is triggered
- Initialization at system startup.
- When a logon process is confirmed by the LSA during logon and authentication.
- It is normally driven by the SYSTEM account (an internal OS account), registering legitimate processes such as Winlogon.
Security review points
- Report any case where the subject (Subject\Security ID) is not SYSTEM. It can indicate that a non-legitimate account is trying to register a logon process.
- If Logon Process Name is anything other than a known legitimate process (Winlogon, User32, and so on), check it against an allow list. Registration of a suspicious logon process can be a move to interpose on the authentication path.
Notes for log review
- It is mostly informational and appears regularly with startup and logon. Because the values (process name, subject) are stable, watching for deviations with an allow list is practical.
- Narrowing to “subject is not SYSTEM” tends to leave only what is worth investigating.
Key fields
| Field | Meaning |
|---|---|
| Subject\Security ID | The subject that performed the registration; usually SYSTEM |
| Logon Process Name | The registered logon process name (for example, Winlogon) |
| Logon ID | Used to match other events in the same session (such as 4624) |
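
The two review points above, applied to 4611 events exported as XML, as an added example that is not part of the original page. The sample events, host name and user name are constructed, the allow list holds only the two process names the page mentions, and the `Data` names are the event's XML names for the fields in the table.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"                      # well-known SID of the SYSTEM account
ALLOWED_PROCESSES = {"winlogon", "user32"}   # the page's examples; extend from your own baseline

def _event(sid, user, logon_id, process):
    """Build one constructed 4611 event (not a real log record)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4611</EventID><Computer>HOST01.example.test</Computer></System>"
        "<EventData>"
        f'<Data Name="SubjectUserSid">{sid}</Data>'
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="SubjectLogonId">{logon_id}</Data>'
        f'<Data Name="LogonProcessName">{process}</Data>'
        "</EventData></Event>"
    )

SAMPLE_EVENTS = [  # constructed sample input
    _event("S-1-5-18", "HOST01$", "0x3e7", "Winlogon"),
    _event("S-1-5-18", "HOST01$", "0x3e7", "User32 "),      # trailing space must not break the match
    _event("S-1-5-18", "HOST01$", "0x3e7", "ExampleProc"),  # not on the allow list
    _event("S-1-5-21-1111111111-2222222222-3333333333-1001", "alice", "0x4a2b1", "Winlogon"),
]

def review_4611(event_xml):
    """Return the findings for one event; an empty list means nothing to report."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4611":
        return []
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    findings = []
    if data.get("SubjectUserSid", "").strip().upper() != SYSTEM_SID:
        findings.append(f"subject is not SYSTEM: {data.get('SubjectUserName')} "
                        f"(Logon ID {data.get('SubjectLogonId')})")
    process = data.get("LogonProcessName", "").strip()
    if process.casefold() not in ALLOWED_PROCESSES:
        findings.append(f"logon process not on allow list: {process!r}")
    return findings

def review_all(events):
    """Map event index to findings, keeping only the events that deviate."""
    results = {i: review_4611(x) for i, x in enumerate(events)}
    return {i: f for i, f in results.items() if f}

if __name__ == "__main__":
    for index, findings in review_all(SAMPLE_EVENTS).items():
        print(index, findings)
```

The Logon ID printed with a non-SYSTEM finding is the value to pivot on when matching other events in the same session, such as 4624.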