Windows Security Log Event ID 4904
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Policy Change
• Audit Policy Change |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
808
|
4904: An attempt was made to register a security event source
On this page
Windows allows applications to report their own security events to the security log by registering with Authorization Manager as a security event source using the AuthzRegisterSecurityEventSource function. Windows logs this event, 4904, when such an application calls AuthzRegisterSecurityEventSource and thus provides an audit trail of applications that report custom security events. It is normal to see this event logged for several built-in components of Windows including IIS and DFS-R.
Process ID is the process ID specified when the executable started as logged in 4688.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Process Information:
These fields tell you the program that registered the event source. Process ID is the process ID specified when the executable started as logged in 4688. The Process Name identifies the program executable.
Event Source:
Source Name: Name of the event source. This is the same as the Event Sources: field in the Filter dialog in EventViewer.Event Source ID: unknown. Start discussio below if you have information to share on this field!
Setup PowerShell Audit Log Forwarding in 4 Minutes