4622(S): A security package has been loaded by the Local Security Authority.

Event 4622 illustration

Subcategory: Audit Security System Extension

Event Description:

This event generates every time Security Package has been loaded by the Local Security Authority (LSA).

Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.

Each time the system starts, the LSA loads the Security Package DLLs from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages registry value and performs the initialization sequence for every package located in these DLLs.

It is also possible to add security package dynamically using AddSecurityPackage function, not only during system startup process.

Note  For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <TimeCreated SystemTime="2015-10-14T03:36:41.359331100Z" /> 
 <Correlation /> 
 <Execution ProcessID="516" ThreadID="520" /> 
 <Security /> 
- <EventData>
 <Data Name="SecurityPackageName">C:\\Windows\\system32\\kerberos.DLL : Kerberos</Data> 

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Security Package Name [Type = UnicodeString]: the name of loaded Security Package. The format is: DLL_PATH_AND_NAME: SECURITY_PACKAGE_NAME.

These are some Security Package DLLs loaded by default in Windows 10:

  • C:\Windows\system32\schannel.DLL : Microsoft Unified Security Protocol Provider

  • C:\Windows\system32\schannel.DLL : Schannel

  • C:\Windows\system32\cloudAP.DLL : CloudAP

  • C:\Windows\system32\wdigest.DLL : WDigest

  • C:\Windows\system32\pku2u.DLL : pku2u

  • C:\Windows\system32\tspkg.DLL : TSSSP

  • C:\Windows\system32\msv1_0.DLL : NTLM

  • C:\Windows\system32\kerberos.DLL : Kerberos

  • C:\Windows\system32\negoexts.DLL : NegoExtender

  • C:\Windows\system32\lsasrv.dll : Negotiate

Security Monitoring Recommendations

For 4622(S): A security package has been loaded by the Local Security Authority.

  • Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “Security Package Name” field value in the allowlist or not.