Event ID 4622: A security package has been loaded by the Local Security Authority.
|Description||This event is generated every time a Security Package is loaded by the Local Security Authority (LSA).|
|Subcategory||Security system extension|
- A Security Package is the software implementation of a security protocol (for example, Kerberos or NTLM). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
- Each time the system starts, the LSA loads the Security Package DLLs from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages registry value and performs the initialization sequence for every package located in these DLLs.
- A security package can also be added dynamically with the AddSecurityPackage function, not only during system startup.
This event logs the following information:
|Security Package Name [Type = UnicodeString]||The name of the loaded Security Package. The format is: DLL_PATH_AND_NAME: SECURITY_PACKAGE_NAME.|
Reasons to monitor this event:
Typically this event has an informational purpose. If you have defined a list of allowed Security Packages for the system, you can check whether the “Security Package Name” field value is in the whitelist.
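The whitelist check described above, as an added example that is not part of the original page: it parses the “Security Package Name” field and flags packages that are unknown or loaded from an unexpected DLL path. The whitelist entries and sample field values are constructed for illustration, and the parser assumes the package name itself contains no colon.

```python
import ntpath

# Constructed whitelist for this example: package name -> expected DLL path.
ALLOWED = {
    "kerberos": r"C:\Windows\system32\kerberos.dll",
    "ntlm": r"C:\Windows\system32\msv1_0.dll",
}

def parse_field(value):
    """Split 'DLL_PATH_AND_NAME: SECURITY_PACKAGE_NAME' into (dll_path, name)."""
    # Split on the LAST colon: the DLL path has its own colon after the drive letter.
    path, sep, name = value.rpartition(":")
    path, name = path.strip(), name.strip()
    if not sep or not path or not name:
        raise ValueError(f"not in PATH: NAME form: {value!r}")
    # normpath collapses '..' so a traversal cannot imitate an expected path.
    return ntpath.normpath(path), name

def classify(value, allowed=ALLOWED):
    """Return 'allowed', 'unknown-package', 'unexpected-dll' or 'malformed'."""
    try:
        path, name = parse_field(value)
    except ValueError:
        return "malformed"
    expected = allowed.get(name.lower())
    if expected is None:
        return "unknown-package"
    # Windows paths are case-insensitive; normcase lowercases and unifies slashes.
    if ntpath.normcase(path) != ntpath.normcase(expected):
        return "unexpected-dll"
    return "allowed"

def findings(values, allowed=ALLOWED):
    """Return (value, verdict) for every field value that is not allowed."""
    return [(v, c) for v in values if (c := classify(v, allowed)) != "allowed"]

# Constructed sample "Security Package Name" values, not taken from a real log.
SAMPLES = [
    r"C:\Windows\system32\kerberos.DLL : Kerberos",
    r"C:\Windows\system32\msv1_0.DLL : NTLM",
    r"C:\Users\Public\kerberos.dll : Kerberos",
    r"C:\Windows\system32\..\Temp\msv1_0.dll : NTLM",
    r"C:\Windows\system32\example_ssp.dll : ExamplePackage",
    "Kerberos",
]

if __name__ == "__main__":
    for value, verdict in findings(SAMPLES):
        print(f"{verdict:16} {value}")
```

Matching on the package name alone would pass the third and fourth samples, which is why the whitelist pairs each name with its expected DLL path.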
Event 4622 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10