Udostępnij za pośrednictwem


4695(S, F): Unprotection of auditable protected data was attempted.

This event generates if DPAPI CryptUnprotectData() function was used to unprotect “auditable” data that was encrypted using CryptProtectData() function with CRYPTPROTECT_AUDIT flag (dwFlags) enabled.

There is no example of this event in this document.

Subcategory: Audit DPAPI Activity

Event Schema:

Unprotection of auditable protected data was attempted.

Subject:

Security ID:%1

Account Name:%2

Account Domain:%3

Logon ID:%4

Protected Data:

Data Description:%6

Key Identifier:%5

Protected Data Flags:%7

Protection Algorithms:%8

Status Information:

Status Code:%9

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Security Monitoring Recommendations

  • There is no recommendation for this event in this document.

  • This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.