An audit failure log for "Microsoft Windows security auditing". Can this be ignored?

ほげ ほげ 5 Reputation points
2024-08-15T08:57:29.2366667+00:00

Since no conclusion with a clear answer is posted on the Japanese site no matter how long I wait, I will ask the question again on the English site.

Since the Windows Update of July 2024, one audit of the following failure is recorded on the Event Viewer each time immediately after PC startup.
I am not sure of the cause because the content is only “encryption operation”.

To be sure, I recovered the C drive partition to the one before Windows Update, but the failure audit did not disappear. File sharing, web browsing, etc. are fine. sfc /scannow is also fine. I have also reinstalled resident software, including security software, but to no avail.

Is it safe to leave this one failed audit alone? I don't want to reinstall the OS.
Is there any suspicion of malware?
There is no problem with the operation of the system, software, file sharing/internet connection, etc.
Also, this unit does not connect to mobile devices or card readers.

Event 5061 Microsoft Windows security auditing.
Task Category: System Integrity
Security ID: SYSTEM
SubjectUserSid: S-1-5-18 (*LocalSystem account. Well-known SIDs)
Logon ID: 0x3e7

Encryption Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 143696ba-0b98-01d1-eecc-6e833c9aa5c0
Key Type: User Key.

Encryption operation:
Operation: Decrypt.
Return code: 0xC000000D

Also, I ran
certutil -store -user my
but it only printed the following two lines, with no personal certificates:

my "personal"
CertUtil: The -store command completed successfully.

When I ran certmgr.msc, there was not a single certificate in Certificates -> Personal, and the same is true when I logged in as Administrator. That's just creepy.

I consider any postings that do not have a clear and well-reasoned conclusion as an act of cold-bloodedness.

2 answers

  1. Wesley Li 8,355 Reputation points
    2024-08-21T15:33:48.86+00:00

    Hello

    Is the machine joined to a domain? Have we configured any audit policies on the machine?

    Open an administrator command line and run "auditpol.exe /get /category:*", then check the audit policies on the machine. Compare them with the default machine's settings.

    As the event is written in Japanese, it is hard for us to recognize. But we could try to check the key name and type. Then check the certificate store for the related key for more information. If it is a machine key type, we may need to check it in the machine store, not the user store.

    Try opening an administrator PowerShell command line, then run "powershell -Command Get-ChildItem -Recurse Cert:" to list all the certificates. Then search them for any certificate related to the event's key name. Or try listing them on a known good machine. The related certificate may be missing on this machine.


  2. ほげ ほげ 5 Reputation points
    2024-08-22T06:41:45.4533333+00:00

    This machine has not joined the domain. I have never set up an audit policy on this machine.

    "auditpol.exe /get /category:*"

    As with other PCs that do not record failure audits, there are settings to record "successes and failures" only in the following four places.
    System - System Integrity
    System - Other System Events
    Logon/Logoff - Logon
    Logon/Logoff - Network Policy Server

    I have looked for the first letters of the Key Name "143696" against the results of running "powershell -Command Get-ChildItem -Recurse Cert:" but cannot find it.

    Please let me know how to check it in the machine store.

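One way to search both the user and machine stores for the key named in the event, as an added example that is not part of either post: the default "Get-ChildItem -Recurse Cert:" listing shows thumbprints and subjects, not key names, so this opens each certificate's private key and compares its key (container) name with the event's Key Name. The function name Find-CertificateByKeyName is hypothetical, and the code assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later.

```powershell
# Added example (not from the thread). Find-CertificateByKeyName is a hypothetical helper name.
# Run elevated so private keys under Cert:\LocalMachine can be opened.
function Find-CertificateByKeyName {
    param(
        [Parameter(Mandatory)] [string] $KeyName,
        [string[]] $StoreRoot = @('Cert:\CurrentUser', 'Cert:\LocalMachine')
    )
    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    Get-ChildItem -Path $StoreRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_; $names = @(); $provider = $null
            try {
                $rsa = $ext::GetRSAPrivateKey($cert)   # $null for non-RSA keys
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key, e.g. Microsoft Software Key Storage Provider
                    $names    = @($rsa.Key.KeyName, $rsa.Key.UniqueName)
                    $provider = $rsa.Key.Provider.Provider
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI (CSP) key
                    $info     = $rsa.CspKeyContainerInfo
                    $names    = @($info.KeyContainerName, $info.UniqueKeyContainerName)
                    $provider = $info.ProviderName
                }
            }
            catch { $provider = "key not readable: $($_.Exception.Message)" }
            # One row per certificate with a private key; Match marks the event's key.
            [pscustomobject]@{
                Match      = [bool]($names | Where-Object { $_ -and $_ -like "*$KeyName*" })
                Store      = $cert.PSParentPath -replace '^.*::', ''
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                KeyNames   = ($names | Where-Object { $_ }) -join ' | '
                Provider   = $provider
            }
        }
}

# Key Name copied from the event 5061 quoted in the question.
Find-CertificateByKeyName -KeyName '143696ba-0b98-01d1-eecc-6e833c9aa5c0' |
    Sort-Object Match -Descending | Format-Table -AutoSize
```

No row with Match = True means no certificate visible to the current account references that key; a key can exist without any certificate, and the event's subject is SYSTEM, whose per-user store is not the one an interactive administrator sees. Opening each private key can itself be recorded as key-operation audit events while the script runs.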
