Event 4816 - RPC detected an integrity violation while decrypting an incoming message.

Veena Sagar 61 Reputation points
2021-02-19T04:34:04.127+00:00

Hi,

I would like to get more details on the mentioned event, especially the purpose of the field "Peer" and under what circumstances this event occurs.
All I could gather from this event was Peer address, protocol used and Host name.

Regards,
Veena


2 answers

  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-02-19T06:27:04.643+00:00

    Hello @Veena Sagar ,

    Thank you for posting here.

    Based on my research, event 4816 is generated if RPC detects an integrity violation while decrypting an incoming message.

    Activities that violate the integrity of the security subsystem include the following:

    1. Audited events are lost due to a failure of the auditing system.

    2. A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.

    3. A remote procedure call (RPC) integrity violation is detected.

    4. A code integrity violation with an invalid hash value of an executable file is detected.

    5. Cryptographic tasks are performed.

    Regarding the purpose of the field "Peer", I am sorry I cannot find any information about it.

    Also, it seems it is difficult to reproduce event 4816 in my lab.

    However, would you please tell us what actual issue you have encountered?

    Should you have any question or concern, please feel free to let us know.

    References
    4816(S): RPC detected an integrity violation while decrypting an incoming message.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816

    Audit System Integrity
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-02-23T09:00:10.373+00:00

    Hello @Veena Sagar ,

    Thank you for your update.

    Can you see the detailed description about this Event ID 4816?

    Do you have the issue for domain users or domain computers (maybe the user or computer is mentioned on the Event ID 4816)?

    Similar case (but I cannot see the answer without signing in)
    RPC detected an integrity violation while decrypting an incoming message
    https://www.experts-exchange.com/questions/28142776/RPC-detected-an-integrity-violation-while-decrypting-an-incoming-message.html

    Best Regards,
    Daisy Zhou

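To see the detailed description and every field of the logged 4816 events, the records can be pulled from the Security log as below. This is an added example, not part of the original thread; it assumes an elevated PowerShell session on the host that logged the event, and it does not assume the event's field names but reads whatever the records contain.

```powershell
# Added example: dump Security-log event 4816 with its rendered description
# and every EventData field, without assuming the field names in advance.
# Assumption: run elevated on the host that logged the event.

$filter = @{ LogName = 'Security'; Id = 4816 }

# Get-WinEvent raises an error when no record matches, so suppress it and
# wrap the result in @() to always get an array.
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No 4816 events found in the Security log.'
}
else {
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()

        # Fixed columns taken from the event record itself.
        $row = [ordered]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Message     = $e.Message      # rendered description text
        }

        # Add one column per <Data> element under <EventData>.
        $i = 0
        foreach ($d in $xml.Event.EventData.ChildNodes) {
            # Use the Name attribute when present; fall back to the position.
            $name = $d.GetAttribute('Name')
            if ([string]::IsNullOrEmpty($name)) { $name = "Data$i" }
            $row[$name] = $d.InnerText
            $i++
        }

        [pscustomobject]$row
    }

    # One block per event, oldest first, so repeated peers are easy to spot.
    $rows | Sort-Object TimeCreated | Format-List
}
```

Comparing the output across events shows which field values repeat and how often, which is the information needed to decide whether a single remote host or a single protocol is involved.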