2017-04-19 14:12:47 -07:00

title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)
description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh

4610(S): An authentication package has been loaded by the Local Security Authority.

Applies to

  • Windows 10
  • Windows Server 2016

[Image: Event 4610 illustration]

Subcategory: Audit Security System Extension

Event Description:

This event is generated every time an authentication package is loaded by the Local Security Authority (LSA).

Each time the system starts, the LSA loads the authentication package DLLs listed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages registry value and performs the initialization sequence for every package located in these DLLs.

Note

  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4610</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12289</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-14T03:36:41.391489300Z" />
    <EventRecordID>1048138</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="520" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="AuthenticationPackageName">C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
  </EventData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Authentication Package Name [Type = UnicodeString]: the name of the loaded authentication package. The format is: DLL_PATH_AND_NAME: AUTHENTICATION_PACKAGE_NAME.

By default, the only authentication package loaded by Windows 10 is “MICROSOFT_AUTHENTICATION_PACKAGE_V1_0”.

Security Monitoring Recommendations

For 4610(S): An authentication package has been loaded by the Local Security Authority.

  • Report every “Authentication Package Name” value that does not equal “C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0”, because by default this is the only authentication package loaded by Windows 10.

  • Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “Authentication Package Name” is in your defined list.
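
One way to implement the allowlist check recommended above, as an added example that is not part of the original page. It assumes events are available as exported XML in the format shown under "Event XML"; the sample events are constructed, and the WS07 host, example_ap.dll and EXAMPLE_PACKAGE are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Allowlist of (dll path, package name), lowercased. The single entry is the
# default value this page gives for Windows 10; add your own approved packages.
ALLOWED = {(r"c:\windows\system32\msv1_0.dll", "microsoft_authentication_package_v1_0")}

def parse_4610(event_xml):
    """Return (computer, dll_path, package_name) for a 4610 event, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4610":
        return None
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    raw = root.findtext(
        "e:EventData/e:Data[@Name='AuthenticationPackageName']",
        default="", namespaces=NS)
    # Split on the LAST colon so the drive-letter colon in "C:\..." is kept.
    dll, sep, package = raw.rpartition(":")
    if not sep:  # no separator at all: treat the whole value as the path
        dll, package = raw, ""
    return computer, dll.strip(), package.strip()

def unexpected_packages(events, allowed=ALLOWED):
    """Yield parsed 4610 events whose package is not on the allowlist."""
    for xml_text in events:
        parsed = parse_4610(xml_text)
        if parsed is None:
            continue  # not a 4610 event
        _, dll, package = parsed
        # Windows paths are case-insensitive, so compare lowercased values.
        if (dll.lower(), package.lower()) not in allowed:
            yield parsed

# Constructed sample events (not real log data), reduced to the fields used here.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID><Computer>{host}</Computer></System>"
    '<EventData><Data Name="AuthenticationPackageName">{pkg}</Data></EventData>'
    "</Event>")
DEFAULT_PKG = r"C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
SAMPLES = [
    TEMPLATE.format(eid=4610, host="DC01.contoso.local", pkg=DEFAULT_PKG),
    TEMPLATE.format(eid=4610, host="WS07.contoso.local",
                    pkg=r"C:\Windows\System32\example_ap.dll : EXAMPLE_PACKAGE"),
    TEMPLATE.format(eid=4611, host="DC01.contoso.local", pkg=DEFAULT_PKG),
]

if __name__ == "__main__":
    for computer, dll, package in unexpected_packages(SAMPLES):
        print(f"REPORT {computer}: {package} loaded from {dll}")
```

A value that cannot be split into path and package name never matches the allowlist, so malformed entries are reported rather than silently skipped.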