Windows Security Log Event ID 4610
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | System
• Security System Extension |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
514
|
4610: An authentication package has been loaded by the Local Security Authority
On this page
Event 4610 is logged once at startup for each authentication package on the system.
An authentication package is a DLL that encapsulates a given form of authentication, such as NTLM or Kerberos. The Local Security Authority calls into the appropriate authentication package during the logon process to find out if the user is authentic.
Although a third party can develop an authentication package, few do so, except for smart card and token manufacturers. The only authentication package logged by Windows Server 2008 is C:\Windows\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 which is just one of the authentication options supported by Windows (See 514 for a list of standard authentication packages on Windows Server 2003). The other authentication options supported by Windows Server 2008 appear to now be part of a larger package called a security package. See 4622. From MSDN: "A security package that functions as an authentication package and implements the functionality required by SSPI is called a security support provider/authentication package (SSP/AP)."
The security implication of event 4610, realistically, is low. Although a rogue package could cause great harm by stealing credentials at the time of logon, the effort required in developing and installing a rogue authentication package is significant.
Free Security Log Resources by Randy
- Authentication Package Name: %1
Supercharger Enterprise
Load Balancing for Windows Event Collection