ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying authentication event logs and security audit information
Event ID 4611InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4611 – LSA: A trusted logon process has been assigned to an authentication package

Event ID 4611 fires when the Local Security Authority (LSA) assigns a trusted logon process to an authentication package, indicating normal authentication subsystem initialization or configuration changes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4611Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

The Local Security Authority (LSA) is Windows' core security subsystem responsible for enforcing security policies, managing user authentication, and maintaining security tokens. Event ID 4611 specifically tracks when LSA assigns trusted logon processes to authentication packages, which is fundamental to Windows security architecture.

Authentication packages are dynamic link libraries (DLLs) that implement specific authentication protocols. Common packages include msv1_0.dll for NTLM authentication, kerberos.dll for Kerberos protocol, and wdigest.dll for digest authentication. Each package requires a trusted logon process - a privileged component that can interact directly with LSA to process credentials securely.

The trusted logon process assignment ensures that only authorized code can handle sensitive authentication operations. This prevents malicious software from intercepting credentials or manipulating authentication flows. The event includes details about which authentication package received the assignment and the associated logon process identifier.

In enterprise environments, this event helps administrators understand which authentication mechanisms are active, particularly important when implementing single sign-on solutions, smart card authentication, or third-party authentication providers. The timing and frequency of these events can indicate system health and proper authentication subsystem initialization.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • System startup and LSA subsystem initialization
  • Authentication service startup (like Active Directory Domain Services)
  • Installation of third-party authentication providers or smart card middleware
  • Dynamic loading of authentication packages during runtime
  • Group Policy changes affecting authentication package configuration
  • Security software installation that registers custom authentication modules
  • Windows Update installation affecting authentication components
  • Service restart of authentication-related Windows services
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4611 to understand which authentication package and logon process are involved.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4611 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4611 in the Event IDs field and click OK
  5. Double-click on a recent Event ID 4611 entry to view details
  6. Review the General tab for authentication package name and logon process information
  7. Check the Details tab for additional technical information including process IDs and package identifiers

The event details will show which authentication package was assigned a trusted logon process, helping you correlate with recent system changes or installations.

02

Query Events with PowerShell

Use PowerShell to programmatically analyze Event ID 4611 occurrences and identify patterns or anomalies.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4611 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4611} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. For detailed analysis of authentication packages:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4611} | ForEach-Object { [xml]$xml = $_.ToXml(); $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'AuthenticationPackageName'} | Select-Object '#text' }
  4. Check for events in the last 24 hours:
    $StartTime = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4611; StartTime=$StartTime} | Group-Object {$_.TimeCreated.Date} | Select-Object Name, Count
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4611} -MaxEvents 100 | Export-Csv -Path "C:\Temp\Event4611_Analysis.csv" -NoTypeInformation

This PowerShell approach allows you to identify trends, unusual authentication package assignments, or correlate events with system changes.

03

Verify Authentication Package Registry Configuration

Examine the registry to understand which authentication packages are configured and validate their legitimacy.

  1. Open Registry Editor by pressing Win + R, typing regedit, and pressing Enter
  2. Navigate to the LSA authentication packages key:
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  3. Examine the Authentication Packages value to see configured authentication DLLs
  4. Check the Security Packages value for additional security providers
  5. Verify each listed package exists in the system directory:
    $AuthPackages = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "Authentication Packages")."Authentication Packages"
foreach ($package in $AuthPackages) {
    $path = "$env:SystemRoot\System32\$package.dll"
    if (Test-Path $path) {
        Get-ItemProperty $path | Select-Object Name, VersionInfo
    } else {
        Write-Warning "Package $package.dll not found"
    }
}
  6. For notification packages, check:
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
Warning: Do not modify LSA registry settings without proper testing, as incorrect changes can prevent system authentication and cause boot failures.
04

Monitor Authentication Service Status and Dependencies

Investigate the health and configuration of authentication-related Windows services that trigger Event ID 4611.

  1. Check critical authentication services status:
    $AuthServices = @('LanmanServer', 'LanmanWorkstation', 'Netlogon', 'NTDS', 'KDC')
foreach ($service in $AuthServices) {
    try {
        Get-Service -Name $service -ErrorAction Stop | Select-Object Name, Status, StartType
    } catch {
        Write-Host "Service $service not found (normal on workstations)" -ForegroundColor Yellow
    }
}
  2. Review service dependencies that might affect authentication:
    Get-Service -Name 'LanmanServer' | Select-Object -ExpandProperty ServicesDependedOn
  3. Check for recent service restarts in System log:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -match 'authentication|logon|security'} | Format-Table TimeCreated, Message -Wrap
  4. Verify domain controller connectivity (domain-joined systems):
    nltest /dsgetdc:$env:USERDNSDOMAIN
  5. Test authentication package functionality:
    klist tickets

This method helps identify service-related issues that might cause abnormal authentication package assignments or failures.

05

Advanced Troubleshooting with LSA Audit Policies

Configure advanced auditing to gain deeper insights into authentication package behavior and potential security concerns.

  1. Enable detailed LSA auditing using Group Policy or auditpol:
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
  2. Enable authentication policy change auditing:
    auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
  3. Check current audit policy settings:
    auditpol /get /category:"Logon/Logoff"
  4. Monitor for suspicious authentication package installations by creating a custom event log filter:
    $Query = @"

  
    
  

"@
Get-WinEvent -FilterXml $Query
  5. Create a scheduled task to monitor unusual authentication package assignments:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4611; StartTime=(Get-Date).AddMinutes(-5)} | Out-File C:\Logs\Auth_Monitor.log -Append"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName "AuthPackageMonitor" -Action $Action -Trigger $Trigger -Description "Monitor Event ID 4611 for security analysis"
Pro tip: In high-security environments, baseline normal authentication package assignments and alert on deviations, as malicious software sometimes installs rogue authentication packages.

Overview

Event ID 4611 is generated by the Local Security Authority (LSA) subsystem when a trusted logon process is successfully assigned to an authentication package. This event occurs during system startup, service initialization, or when authentication components are dynamically loaded. The LSA manages authentication packages like Kerberos, NTLM, and custom authentication providers, ensuring secure credential processing.

This event appears in the Security log and indicates normal operation of Windows authentication infrastructure. Each authentication package requires a trusted logon process to handle credential validation, token generation, and security context establishment. The event provides visibility into which authentication mechanisms are active on your system.

System administrators typically see this event during boot sequences, after installing authentication-related software, or when domain controllers initialize authentication services. While informational in nature, monitoring these events helps track authentication subsystem health and detect unauthorized authentication package installations.

Frequently Asked Questions

What does Event ID 4611 mean and should I be concerned?+
Event ID 4611 indicates that the Local Security Authority (LSA) has successfully assigned a trusted logon process to an authentication package. This is typically a normal, informational event that occurs during system startup or when authentication services initialize. You should only be concerned if you see unexpected authentication packages being assigned or if these events correlate with authentication failures or security incidents. The event itself represents proper functioning of Windows authentication infrastructure.
How often should I expect to see Event ID 4611 in my logs?+
The frequency of Event ID 4611 depends on your system configuration and role. On workstations, you'll typically see these events during boot and when authentication services start. Domain controllers and servers with multiple authentication packages may generate more frequent events. Generally, you should see consistent patterns - if the frequency suddenly increases or decreases significantly, it may indicate system changes, service issues, or potential security concerns that warrant investigation.
Can Event ID 4611 indicate a security threat or malware activity?+
While Event ID 4611 is normally benign, it can potentially indicate security threats if malicious software installs rogue authentication packages. Attackers sometimes use custom authentication packages to intercept credentials or bypass security controls. Monitor for unknown or suspicious authentication package names, unusual timing of these events, or correlation with other security alerts. Always verify that authentication packages listed in these events correspond to legitimate, expected software installations.
What authentication packages are considered normal in Windows environments?+
Common legitimate authentication packages include msv1_0.dll (NTLM authentication), kerberos.dll (Kerberos protocol), wdigest.dll (digest authentication), tspkg.dll (Terminal Services), and pku2u.dll (PKU2U protocol). In Active Directory environments, you'll also see packages related to smart card authentication and third-party SSO solutions. Any package not matching your organization's approved authentication methods should be investigated. Document your baseline authentication packages to identify unauthorized additions.
How can I troubleshoot authentication issues related to Event ID 4611?+
Start by correlating Event ID 4611 with authentication failure events (like 4625 or 4776) to identify problematic packages. Use PowerShell to analyze patterns and timing of authentication package assignments. Verify that all listed authentication packages exist in System32 and have valid digital signatures. Check service dependencies and ensure authentication-related services are running properly. If issues persist, enable detailed LSA auditing and consider using tools like Process Monitor to track authentication package loading during system startup.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including authentication-related eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Local Security Authority ArchitectureTechnical documentation on LSA authentication architecture and authentication packageshttps://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4611#windows-security#authentication

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...