
4615 Invalid use of LPC port

This event is defined to record an application other than the LSA (Local Security Authority) accessing the LPC port reserved for the LSA. In practice, however, it is said never to occur.

Overview

The event belongs to the Audit System Integrity subcategory. It is meant for the case where an application that should not do so accesses the LPC (Local Procedure Call: an inter-process communication mechanism within one machine) port that the LSA uses to talk to the kernel. The event is defined, but the original documentation explicitly notes that “this event appears never to occur.”

How it is triggered

  • By definition, when an application accesses the LSA’s reserved LPC port, inadvertently or intentionally.
  • It is essentially never observed in production.

Security review points

  • If it did occur, it could mean a process is trying to tamper with the LSA-to-kernel channel, so investigate that process.
  • Microsoft offers no specific monitoring recommendation either. Treat it simply as “anomalous if seen.”

Notes for log review

  • Since it normally never appears, do not make it the centerpiece of a detection rule. In the unlikely event it shows up, scrutinize it starting from the process name and PID.
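
The review step above, as an added example that is not part of the original page: it confirms that the System Integrity subcategory is audited, then pulls any 4615 records from the local Security log and lists every EventData field so the process name and PID can be inspected. It assumes an elevated PowerShell session and an English-language system (for the auditpol subcategory name), and it makes no assumption about the event's internal field names.

```powershell
# Added example: low-priority tripwire for Security event 4615.
# Assumption: elevated session (reading the Security log requires it).

# 1. Confirm the subcategory is audited; if it is not, the absence of
#    4615 says nothing. Subcategory name as shown on English systems.
auditpol /get /subcategory:"System Integrity"

# 2. Pull any 4615 records. Zero results is the expected outcome.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4615 } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 4615 events found (expected).'
}
else {
    # 3. Flatten each record into one object. EventData fields are read
    #    generically, by whatever Name attribute each <Data> element has.
    $report = foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()
        $row = [ordered]@{
            TimeCreated = $evt.TimeCreated
            Computer    = $evt.MachineName
            RecordId    = $evt.RecordId
        }
        $i = 0
        foreach ($node in $xml.Event.EventData.ChildNodes) {
            $name = $node.GetAttribute('Name')
            if (-not $name) { $name = "Data$i" }   # unnamed field fallback
            $row[$name] = $node.InnerText
            $i++
        }
        [pscustomobject]$row
    }

    # 4. Show everything; start the review from the process name and PID.
    $report | Format-List
}
```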

Key fields

Field | Meaning
Invalid Use / LPC Server Port Name | The nature of the misuse and the target port name
Process Information (PID / Name) | The accessing process

Glossary

  • LPC (Local Procedure Call) — an internal channel for processes on the same machine to communicate.
