Audit Security System Extension

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system audits events related to security system extensions, including any of the following events:

  • When security extension code is loaded (such as an authentication, notification, or security package). Security extension code registers with the Local Security Authority and is then used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this are Kerberos and NTLM.

  • When a service is installed. An audit log entry is generated when a service is registered with the Service Control Manager. The entry contains information about the service name, binary, type, start type, and service account.

Important

Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.

Event volume: Low

These events are expected to appear more often on a domain controller than on client computers or member servers.

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID   Event message

4610       An authentication package has been loaded by the Local Security Authority.
4611       A trusted logon process has been registered with the Local Security Authority.
4614       A notification package has been loaded by the Security Account Manager.
4622       A security package has been loaded by the Local Security Authority.
4697       A service was installed in the system.
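
The following is an added example, not part of the original documentation: one way to enable this subcategory with auditpol and review the events listed above. It assumes an elevated PowerShell session on an English-language system; the function name Get-SecurityExtensionEvent is hypothetical, and the 4697 data field names (ServiceName, ServiceFileName, ServiceStartType, ServiceAccount) are those found in the event's XML.

```powershell
# Added example: enable the "Security System Extension" subcategory and review its events.
# Run elevated. The subcategory name below is the one shown on English-language systems.

# Event IDs and short summaries, taken from the table above.
$EventMessages = @{
    4610 = 'Authentication package loaded by the LSA'
    4611 = 'Trusted logon process registered with the LSA'
    4614 = 'Notification package loaded by the SAM'
    4622 = 'Security package loaded by the LSA'
    4697 = 'Service installed in the system'
}

# Turn on success and failure auditing for the subcategory, then display the setting.
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /get /subcategory:"Security System Extension"

function Get-SecurityExtensionEvent {   # hypothetical helper name
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = @($EventMessages.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the named <Data> elements of the event XML into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        # New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            Summary     = $EventMessages[$e.Id]
            # The remaining properties are populated for event 4697 only.
            ServiceName = $data['ServiceName']
            Binary      = $data['ServiceFileName']
            StartType   = $data['ServiceStartType']
            Account     = $data['ServiceAccount']
        }
    }
}

Get-SecurityExtensionEvent -Days 7 | Sort-Object TimeCreated |
    Select-Object TimeCreated, Computer, EventId, Summary, ServiceName, Binary, StartType, Account |
    Format-Table -AutoSize
```

Because the expected event volume is low, each row returned, especially a 4697 entry with an unfamiliar binary path or service account, is worth reviewing individually.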