Windows Security Log Event ID 4905
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Policy Change
• Audit Policy Change |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
809
|
4905: An attempt was made to unregister a security event source
On this page
Windows allows applications to report their own security events to the security log by registering through Authorization Manager with LSA as a security event source using the AuthzRegisterSecurityEventSource function.
Later applications can unregister by calling AuthzUnregisterSecurityEventSource. Windows logs this event, 4904, when such an application calls AuthzUnregisterSecurityEventSource and thus provides an audit trail of applications that report custom security events. It is normal to see this event logged for several built-in components of Windows including IIS and DFS-R.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Process Information:
These fields tell you the program that unregistered the event source.
- Process ID: the process ID specified when the executable started as logged in 4688.
- Process Name: identifies the program executable.
Event Source:
- Source Name: Name of the event source. This is the same as the Event Sources: field in the Filter dialog in EventViewer.
- Event Source ID: unknown. Start discussion below if you have information to share on this field!
Setup PowerShell Audit Log Forwarding in 4 Minutes