4695(S, F): Unprotection of auditable protected data was attempted.

Article
09/07/2021

This event generates if DPAPI CryptUnprotectData() function was used to unprotect “auditable” data that was encrypted using CryptProtectData() function with CRYPTPROTECT_AUDIT flag (dwFlags) enabled.

There is no example of this event in this document.

Subcategory: Audit DPAPI Activity

Event Schema:

Unprotection of auditable protected data was attempted.

Subject:

Security ID:%1

Account Name:%2

Account Domain:%3

Logon ID:%4

Protected Data:

Data Description:%6

Key Identifier:%5

Protected Data Flags:%7

Protection Algorithms:%8

Status Information:

Status Code:%9

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Security Monitoring Recommendations

There is no recommendation for this event in this document.
This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.

Partager via

4695(S, F): Unprotection of auditable protected data was attempted.

Security Monitoring Recommendations

Ressources supplémentaires