Windows Event ID 4614: A notification package has been loaded by the SAM
Windows Security Event ID 4614 records that the Security Account Manager loaded a notification package, which Microsoft describes as a password filter on modern Windows versions.
- Applicable version
- Windows Server 2008 and later; Windows Vista and later
- Last reviewed
- 2026-07-13
Trigger Scenarios
The event is generated when SAM loads password-filter DLLs during system startup from the Notification Packages registry value.
Key Fields
Notification Package Name
The loaded notification package name. Microsoft shows WDIGEST as an example; any newly observed package must match an approved password-filter inventory.
Registry source
Microsoft documents HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages as the value used to load these DLLs. This is the persistence location behind malicious password filters.
Computer
The affected host. Domain controllers deserve priority because password filters are invoked when domain passwords are set or changed.
Common False Positives
- Approved password-policy or identity-management software can install legitimate password filters.
- Operating-system or security-product updates may reload existing packages at startup.
Related Events
MITRE ATT&CK Mapping
- T1556.002Modify Authentication Process: Password Filter DLL
Detection Notes
T1556.002 is concrete when 4614 reports a Notification Package Name that was newly added to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. Microsoft states these packages are password filters loaded or called when passwords are set or changed, so a malicious package can observe password-change material; correlate with 4657 for the registry value write and with file telemetry for the corresponding DLL under C:\Windows\System32.
SecurityEvent
| where EventID == 4614
| project TimeGenerated, Computer, NotificationPackageNameindex=wineventlog EventCode=4614
| table _time, host, NotificationPackageNameNotification Package Name: pfilter
Computer: DC01