Table of contents
Collapse the table of content
Expand the table of content

4614(S): A notification package has been loaded by the Security Account Manager.

Andrei Miroshnikov|Last Updated: 6/3/2016
2 Contributors

Applies to

  • Windows 10
  • Windows Server 2016

Event 4614 illustration

Subcategory: Audit Security System Extension

Event Description:

This event generates every time a Notification Package has been loaded by the Security Account Manager.

In reality, starting with Windows Vista, a notification package should be interpreted as afs Password Filter.

Password Filters are DLLs that are loaded or called when passwords are set or changed.

Each time a system starts, it loads the notification package DLLs from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value and performs the initialization sequence for every package.

Note  For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <TimeCreated SystemTime="2015-10-14T03:36:43.073484900Z" /> 
 <Correlation /> 
 <Execution ProcessID="516" ThreadID="520" /> 
 <Security /> 
- <EventData>
 <Data Name="NotificationPackageName">WDIGEST</Data> 

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Notification Package Name [Type = UnicodeString]: the name of loaded Notification Package.

Security Monitoring Recommendations

For 4614(S): A notification package has been loaded by the Security Account Manager.

  • Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “Notification Package Name” field value in the whitelist or not.
© 2017 Microsoft