
Windows Event ID 4609 – Security: Windows is Starting Up

Event ID 4609 records when Windows begins its startup process. This security audit event fires during system boot and provides critical timing information for security monitoring and forensic analysis.

Emanuel DE ALMEIDA, 18 March 2026, 9 min read

What This Event Means

Event ID 4609 represents one of the most fundamental audit events in Windows security logging. Generated by the Local Security Authority (LSA) subsystem, this event fires automatically during every system startup, providing an authoritative timestamp for when Windows begins its boot process.

The event occurs early in the boot sequence, after the kernel loads but before user logon services become available. This timing makes it particularly valuable for security monitoring because it establishes a clear demarcation point between system sessions. Security analysts use this event to identify gaps in logging that might indicate system tampering or unexpected shutdowns.

From a technical perspective, Event ID 4609 contains minimal payload data - primarily just the timestamp and basic system identification. However, its consistent generation makes it a reliable indicator of system health and availability. The event helps distinguish between planned maintenance windows and unexpected system failures by providing precise startup timing.

In enterprise environments, automated monitoring systems often use Event ID 4609 as a trigger for post-startup validation scripts, security baseline checks, and system health assessments. The event's reliability and consistent format across Windows versions make it ideal for automated processing and alerting systems.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Normal system startup after shutdown or restart
  • System recovery from unexpected power loss or crash
  • Restart following Windows Update installation
  • Manual system restart initiated by administrator
  • Automatic restart triggered by system policies or scheduled tasks
  • Recovery from system hibernation or sleep mode
  • Boot from system recovery or safe mode
Resolution Methods

Troubleshooting Steps

01

View Event Details in Event Viewer

Open Event Viewer to examine Event ID 4609 details and verify normal system startup patterns.

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows Logs > Security
  3. In the Actions pane, click Filter Current Log
  4. Enter 4609 in the Event IDs field and click OK
  5. Double-click any Event ID 4609 entry to view details
  6. Check the General tab for timestamp and basic information
  7. Review the Details tab for XML data structure
Pro tip: Compare timestamps between Event ID 4609 (startup) and 4608 (shutdown) to calculate system uptime and identify unexpected restarts.
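The gap analysis described under "What This Event Means" and the uptime comparison in the pro tip above, as an added PowerShell example that is not part of the original article: each Event ID 4609 startup is paired with the Event ID 4608 shutdown that precedes it, session length and downtime are computed, and boots with no shutdown in between are flagged. The function takes any objects with a TimeCreated property, so the constructed timeline below runs without access to a Security log; the 1440-minute gap threshold and the finding names are assumptions for illustration.

```powershell
# Added example (not from the original article): pair each Event ID 4609 startup with the
# Event ID 4608 shutdown that precedes it, measure session length and downtime, and flag
# boots with no shutdown in between (crash, power loss, or a logging gap).

function Get-BootCycleReport {
    param(
        [Parameter(Mandatory)] $StartupEvents,    # objects with TimeCreated (Event ID 4609)
        [Parameter(Mandatory)] $ShutdownEvents,   # objects with TimeCreated (Event ID 4608)
        [int] $MaxGapMinutes = 1440               # assumed threshold: longer downtime is reported as LongGap
    )
    $starts    = @($StartupEvents  | Sort-Object TimeCreated)
    $shutdowns = @($ShutdownEvents | Sort-Object TimeCreated)
    $previousStart = $null

    foreach ($start in $starts) {
        # Only a shutdown logged after the previous boot and before this one can belong to this
        # cycle; without that lower bound an unclean boot would be paired with an older shutdown.
        if ($previousStart) { $lower = $previousStart.TimeCreated } else { $lower = [datetime]::MinValue }
        $shutdown = $shutdowns |
            Where-Object { $_.TimeCreated -gt $lower -and $_.TimeCreated -lt $start.TimeCreated } |
            Select-Object -Last 1

        $downtime = $null; $session = $null; $shutdownTime = $null
        if ($shutdown) {
            $shutdownTime = $shutdown.TimeCreated
            $downtime = [math]::Round(($start.TimeCreated - $shutdown.TimeCreated).TotalMinutes, 2)
        }
        if ($previousStart) {
            $session = [math]::Round(($start.TimeCreated - $previousStart.TimeCreated).TotalHours, 2)
        }

        if (-not $previousStart -and -not $shutdown) { $finding = 'FirstInWindow' }   # history lies before the query window
        elseif (-not $shutdown)                      { $finding = 'NoShutdownEvent' } # crash, power loss, or cleared/rotated log
        elseif ($downtime -gt $MaxGapMinutes)        { $finding = 'LongGap' }
        else                                         { $finding = 'Clean' }

        [PSCustomObject]@{
            StartupTime     = $start.TimeCreated
            ShutdownTime    = $shutdownTime
            DowntimeMinutes = $downtime
            SessionHours    = $session
            Finding         = $finding
        }
        $previousStart = $start
    }
}

# Constructed sample timeline (not real log data): one clean restart, one boot with no
# shutdown before it, and one clean boot after a three-day outage.
$sampleStarts = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-10 08:00' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-11 08:05' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-12 03:15' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-15 09:00' }
)
$sampleShutdowns = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-11 08:00' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-12 07:00' }
)
Get-BootCycleReport -StartupEvents $sampleStarts -ShutdownEvents $sampleShutdowns | Format-Table -AutoSize

# On a live host (needs permission to read the Security log):
# $s = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 50 -ErrorAction SilentlyContinue
# $d = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4608} -MaxEvents 50 -ErrorAction SilentlyContinue
# Get-BootCycleReport -StartupEvents $s -ShutdownEvents $d | Format-Table -AutoSize
```

With the sample data the report shows the first boot as FirstInWindow, the 11 March boot as Clean with 5 minutes of downtime, the 12 March boot as NoShutdownEvent, and the 15 March boot as LongGap. The first entry in any query window will always lack a matching shutdown, which is why it gets its own finding rather than being counted as an unclean boot.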
02

Query Startup Events with PowerShell

Use PowerShell to retrieve and analyze Event ID 4609 entries for pattern analysis and reporting.

  1. Open PowerShell as Administrator
  2. Query recent startup events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName
  3. Get startup events from the last 30 days:
    $StartDate = (Get-Date).AddDays(-30)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609; StartTime=$StartDate} | Select-Object TimeCreated, @{Name='BootTime';Expression={$_.TimeCreated}}
  4. Export startup history to CSV:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 100 | Select-Object TimeCreated, MachineName | Export-Csv -Path "C:\Temp\StartupHistory.csv" -NoTypeInformation
  5. Calculate average time between restarts:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 10
    $Intervals = for($i=0; $i -lt ($Events.Count-1); $i++) {
        ($Events[$i].TimeCreated - $Events[$i+1].TimeCreated).TotalHours
    }
    $AverageUptime = ($Intervals | Measure-Object -Average).Average
    Write-Host "Average uptime: $([math]::Round($AverageUptime, 2)) hours"
03

Configure Advanced Security Auditing

Ensure proper audit policy configuration to guarantee Event ID 4609 generation and optimize security logging.

  1. Open Group Policy Editor by pressing Windows + R, typing gpedit.msc
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  3. Expand System Audit Policies > System
  4. Double-click Audit Security System Extension
  5. Check Configure the following audit events and select Success
  6. Apply the policy and run gpupdate /force
  7. Verify audit settings with PowerShell:
    auditpol /get /category:"System" /r | findstr /C:"Security System Extension"
  8. Test by restarting the system and confirming Event ID 4609 appears in Security log
Warning: Modifying audit policies affects security log volume. Ensure adequate log retention and storage capacity.
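A scripted version of the verification in step 7 and of the retention caveat in the warning above, as an added example that is not from the original article: the first function parses the CSV that auditpol prints with /r and reports whether the named subcategory audits Success, and the second reads the Security log's size and retention mode. The auditpol CSV below is constructed (host name and GUIDs are placeholders, not captured values), and the 128 MB size threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original article): confirm the audit subcategory is enabled
# for Success and that the Security log has room to retain the events it produces.

function Test-AuditSubcategory {
    param(
        [Parameter(Mandatory)] [string[]] $AuditpolCsv,        # lines from: auditpol /get /category:"System" /r
        [string] $Subcategory = 'Security System Extension'     # subcategory named in step 4
    )
    # auditpol /r may print a leading blank line; keep only lines that contain CSV fields.
    $rows = $AuditpolCsv | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.Subcategory -eq $Subcategory } | Select-Object -First 1
    if (-not $row) {
        return [PSCustomObject]@{ Subcategory = $Subcategory; Found = $false; Success = $false; Failure = $false; Setting = $null }
    }
    $setting = $row.'Inclusion Setting'
    [PSCustomObject]@{
        Subcategory = $Subcategory
        Found       = $true
        Success     = ($setting -match 'Success')    # "Success" or "Success and Failure"
        Failure     = ($setting -match 'Failure')
        Setting     = $setting
    }
}

function Get-SecurityLogCapacity {
    # Reads the Security log configuration; run in an elevated session on a real host.
    $log = Get-WinEvent -ListLog Security
    [PSCustomObject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 0)
        LogMode       = $log.LogMode          # Circular = oldest events overwritten when the log is full
        RecordCount   = $log.RecordCount
        # Assumed rule of thumb: a small circular log will lose startup history quickly.
        RetentionRisk = ($log.LogMode -eq 'Circular' -and $log.MaximumSizeInBytes -lt 128MB)
    }
}

# Constructed sample of auditpol /r output (not captured from a real machine); the header
# matches the columns auditpol prints, the host name and GUIDs are placeholders.
$sampleCsv = @(
    '',
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'HOST-PLACEHOLDER,System,Security State Change,{00000000-0000-0000-0000-000000000001},Success,',
    'HOST-PLACEHOLDER,System,Security System Extension,{00000000-0000-0000-0000-000000000002},No Auditing,',
    'HOST-PLACEHOLDER,System,System Integrity,{00000000-0000-0000-0000-000000000003},Success and Failure,'
)
Test-AuditSubcategory -AuditpolCsv $sampleCsv            # Success = False for the sample
Test-AuditSubcategory -AuditpolCsv $sampleCsv -Subcategory 'System Integrity'   # Success = True

# Live checks (elevated session):
# Test-AuditSubcategory -AuditpolCsv (auditpol /get /category:"System" /r)
# Get-SecurityLogCapacity
```

Parsing the CSV rather than grepping for the subcategory name avoids the findstr pitfall where a space-separated pattern matches any line containing one of the words; the result object can be fed straight into a compliance report or an alert condition.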
04

Create Automated Startup Monitoring Script

Implement PowerShell monitoring to track system startup patterns and detect anomalies automatically.

  1. Create a monitoring script directory:
    New-Item -Path "C:\Scripts\StartupMonitor" -ItemType Directory -Force
  2. Create the monitoring script C:\Scripts\StartupMonitor\Monitor-Startup.ps1:
    # Startup Monitoring Script (launched at boot by the scheduled task in step 3)
    $LogPath = "C:\Scripts\StartupMonitor\startup-log.txt"
    # Two most recent startup events: [0] is the boot that just happened, [1] the previous one
    $Boots = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 2 -ErrorAction SilentlyContinue)
    if ($Boots.Count -eq 0) { return }
    $BootTime = $Boots[0].TimeCreated
    $Uptime = (Get-Date) - $BootTime
    
    $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss'): Boot at $BootTime, Uptime: $($Uptime.Days)d $($Uptime.Hours)h $($Uptime.Minutes)m"
    Add-Content -Path $LogPath -Value $LogEntry
    
    # Check for unexpected restarts: the previous session lasted less than 1 hour.
    # Current uptime is always a few minutes when this runs at startup, so the check
    # compares boot-to-boot. The event source must exist first (step 4).
    if ($Boots.Count -ge 2) {
        $PreviousSession = $BootTime - $Boots[1].TimeCreated
        if ($PreviousSession.TotalHours -lt 1 -and [System.Diagnostics.EventLog]::SourceExists("StartupMonitor")) {
            Write-EventLog -LogName Application -Source "StartupMonitor" -EventId 1001 -EntryType Warning -Message "Unexpected restart detected. Previous session lasted $([math]::Round($PreviousSession.TotalMinutes)) minutes. Boot time: $BootTime"
        }
    }
  3. Register the script as a scheduled task:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\StartupMonitor\Monitor-Startup.ps1"
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    Register-ScheduledTask -TaskName "StartupMonitor" -Action $Action -Trigger $Trigger -Principal $Principal
  4. Create custom event source for logging:
    New-EventLog -LogName Application -Source "StartupMonitor"
05

Implement SIEM Integration and Forensic Analysis

Configure advanced logging and SIEM integration for enterprise-level startup monitoring and security analysis.

  1. Enable Windows Event Forwarding for centralized collection (run wecutil on the collector, winrm quickconfig on every forwarding host):
    wecutil qc /q
    winrm quickconfig -q
  2. Create custom XML query for Event ID 4609 forwarding:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[EventID=4609]]</Select>
      </Query>
    </QueryList>
  3. Configure WinLogBeat for Elastic Stack integration by editing winlogbeat.yml:
    winlogbeat.event_logs:
      - name: Security
        event_id: 4609
        processors:
          - add_host_metadata:
              when.not.contains.tags: forwarded
  4. Set up PowerShell forensic analysis script:
    # Forensic Startup Analysis (Get-WinEvent returns newest events first)
    $StartupEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 50 -ErrorAction SilentlyContinue)
    $ShutdownEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4608} -MaxEvents 50 -ErrorAction SilentlyContinue)
    
    # Correlate startup/shutdown pairs
    $BootCycles = @()
    for ($i = 0; $i -lt $StartupEvents.Count; $i++) {
        $Startup = $StartupEvents[$i]
        # Accept only a shutdown logged after the previous boot, so an unclean boot
        # (no 4608 of its own) is not paired with an older shutdown
        if ($i + 1 -lt $StartupEvents.Count) { $LowerBound = $StartupEvents[$i + 1].TimeCreated } else { $LowerBound = [datetime]::MinValue }
        $PriorShutdown = $ShutdownEvents | Where-Object {$_.TimeCreated -lt $Startup.TimeCreated -and $_.TimeCreated -gt $LowerBound} | Select-Object -First 1
        if ($PriorShutdown) {
            $DownTime = ($Startup.TimeCreated - $PriorShutdown.TimeCreated).TotalMinutes
            $BootCycles += [PSCustomObject]@{
                ShutdownTime = $PriorShutdown.TimeCreated
                StartupTime = $Startup.TimeCreated
                DowntimeMinutes = [math]::Round($DownTime, 2)
            }
        }
    }
    $BootCycles | Export-Csv -Path "C:\Temp\BootCycleAnalysis.csv" -NoTypeInformation
  5. Create alerting rules for anomalous patterns:
    # Alert on frequent restarts (more than 3 in 24 hours); @() keeps .Count valid for 0 or 1 results
    $RecentStarts = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue)
    if ($RecentStarts.Count -gt 3) {
        Send-MailMessage -To "admin@company.com" -Subject "Frequent Restart Alert" -Body "System has restarted $($RecentStarts.Count) times in 24 hours" -SmtpServer "smtp.company.com"
    }
Pro tip: Combine Event ID 4609 analysis with system performance counters and application logs for comprehensive startup performance monitoring.
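The alerting rule from step 5, as an added example that is not part of the original article, with the rule logic separated from log access so it can be exercised on constructed timestamps. It goes slightly beyond the step by evaluating a rolling 24-hour window instead of a single fixed one and by adding an after-hours check; the thresholds (3 boots per window, business hours 07:00 to 19:00 on weekdays) and the rule names are assumptions for illustration, not values from the article.

```powershell
# Added example (not from the original article): detection rules over Event ID 4609
# timestamps, returning findings that a SIEM rule or the Send-MailMessage step can consume.

function Find-RestartAnomalies {
    param(
        [Parameter(Mandatory)] [datetime[]] $BootTimes,    # TimeCreated of Event ID 4609 entries
        [int] $MaxPerWindow = 3,                            # assumed threshold, as in step 5
        [timespan] $Window = [timespan]::FromHours(24),
        [int] $BusinessStartHour = 7,                       # assumed business hours
        [int] $BusinessEndHour = 19
    )
    $sorted = @($BootTimes | Sort-Object)
    $findings = @()

    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $t = $sorted[$i]

        # Rule 1: rolling window ending at this boot contains more boots than allowed.
        $windowStart = $t - $Window
        $inWindow = @($sorted | Where-Object { $_ -ge $windowStart -and $_ -le $t })
        if ($inWindow.Count -gt $MaxPerWindow) {
            $findings += [PSCustomObject]@{
                BootTime = $t
                Rule     = 'FrequentRestarts'
                Detail   = "$($inWindow.Count) boots since $windowStart"
            }
        }

        # Rule 2: boot on a weekend or outside business hours, to be compared against
        # the maintenance calendar before it is treated as suspicious.
        $offHours = ($t.DayOfWeek -in 'Saturday','Sunday') -or
                    ($t.Hour -lt $BusinessStartHour) -or ($t.Hour -ge $BusinessEndHour)
        if ($offHours) {
            $findings += [PSCustomObject]@{
                BootTime = $t
                Rule     = 'AfterHoursBoot'
                Detail   = $t.ToString('dddd HH:mm')
            }
        }
    }
    $findings
}

# Constructed sample (not real log data): one weekday patch reboot, then four restarts
# in the early hours of Saturday 14 March 2026.
$sampleBoots = @(
    [datetime]'2026-03-10 08:30',
    [datetime]'2026-03-14 01:10',
    [datetime]'2026-03-14 01:25',
    [datetime]'2026-03-14 02:05',
    [datetime]'2026-03-14 03:40'
)
Find-RestartAnomalies -BootTimes $sampleBoots | Format-Table -AutoSize

# Live: Find-RestartAnomalies -BootTimes (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 100).TimeCreated
```

For the sample, the four Saturday boots each produce an AfterHoursBoot finding and the fourth one also produces FrequentRestarts, since it is the first boot whose trailing 24-hour window holds more than three boots. Feeding the findings to an alert rather than mailing on a raw count keeps the threshold and the schedule exceptions in one place.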

Overview

Event ID 4609 is a fundamental security audit event that fires every time Windows begins its startup sequence. This event appears in the Security log and serves as a critical timestamp marker for system administrators and security analysts tracking system availability and potential security incidents.

The event generates during the early stages of Windows boot process, specifically when the security subsystem initializes. Unlike Event ID 4608 which indicates Windows is shutting down, Event ID 4609 marks the beginning of a new Windows session. This makes it invaluable for calculating system uptime, identifying unexpected reboots, and correlating security events with system startup times.

Security teams rely on this event for forensic analysis, compliance reporting, and monitoring system stability. The event contains minimal data but its timing is crucial for establishing baselines and detecting anomalies in system behavior. When combined with shutdown events, administrators can track complete system lifecycle patterns and identify potential issues affecting system availability.

Frequently Asked Questions

What does Event ID 4609 mean and when does it occur?
Event ID 4609 indicates that Windows is starting up and appears in the Security log during every system boot. It fires when the Local Security Authority (LSA) subsystem initializes, providing a reliable timestamp for when Windows begins its startup process. This event is essential for tracking system availability, calculating uptime, and establishing baseline startup patterns for security monitoring.
How can I use Event ID 4609 to calculate system uptime?
You can calculate uptime by finding the most recent Event ID 4609 and subtracting its timestamp from the current time. Use PowerShell: $LastBoot = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4609} -MaxEvents 1; $Uptime = (Get-Date) - $LastBoot.TimeCreated. This method is more reliable than using WMI or system information commands because it's based on actual security audit logs.
Why might Event ID 4609 be missing from my Security log?
Event ID 4609 might be missing if security auditing is disabled, the Security log is full and overwriting old events, or if audit policies are not properly configured. Check that 'Audit Security System Extension' is enabled in Group Policy under Advanced Audit Policy Configuration. Also verify that the Security log has sufficient retention settings and isn't being cleared automatically.
Can Event ID 4609 help detect unauthorized system restarts?
Yes, Event ID 4609 is excellent for detecting unexpected restarts. By monitoring the frequency and timing of these events, you can identify patterns that suggest unauthorized access, system instability, or malicious activity. Compare startup events with scheduled maintenance windows and user activity logs. Frequent restarts outside normal business hours or without corresponding shutdown events (ID 4608) may indicate security incidents.
How do I correlate Event ID 4609 with other system events for troubleshooting?
Correlate Event ID 4609 with Event ID 4608 (shutdown), System log events around the same timeframe, and Application log entries. Use PowerShell to query multiple logs simultaneously, with $StartupTime set to the TimeCreated value of the Event ID 4609 entry you are investigating: Get-WinEvent -FilterHashtable @{LogName='System','Security','Application'; StartTime=$StartupTime.AddMinutes(-5); EndTime=$StartupTime.AddMinutes(5)}. This helps identify what caused the restart and whether startup completed successfully.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
