Spellboundvfx-6478 asked FanFan-MSFT commented

Audit failure 5061 and 5038

Hi,

I am receiving frequent security audit failures under the category 5038 & 5061 on my Windows 10 PC. The version I am using is 1903. Can anybody tell me the reason behind the audit failures, as I couldn't find a solution through googling? Another important thing is that the error didn't happen in the previous version 1803 and below.

Thanks in advance

windows-server-security

Hi,
 
Just want to confirm the current situation.
Does the event stop if you disable the audit policy?
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·

Hi,
Were the audit failures 5061 and 5038 still received?

0 Votes 0 ·

1 Answer

FanFan-MSFT answered FanFan-MSFT commented

Hi,
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.

The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password.

https://technet.microsoft.com/en-us/library/ff182311%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396#BKMK_1

Check the local group policy to see whether any audit policy was configured.

Best Regards,


But actually, 4625 denotes an audit failure for a user logon error. What about the 5061 and 5038 event IDs?

0 Votes 0 ·

Hi,

5061(S, F): Cryptographic operation.
This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a Key Storage Provider (KSP). This event generates only if one of the following KSPs was used:
Microsoft Software Key Storage Provider
Microsoft Smart Card Key Storage Provider
For your reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061

5038: This event is generated by the Code Integrity feature if the signature of a file is not valid.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038

Please check whether Audit System Integrity (determines whether the operating system audits events that violate the integrity of the security subsystem) was configured in the local group policy.
Best Regards,

0 Votes 0 ·
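
A triage sketch for the two event IDs discussed in this thread, added here as an example and not posted by any participant: it pulls the 5038 and 5061 audit failures from the Security log, groups them by identical event data so the recurring file or key operation stands out, and prints the effective Audit System Integrity setting. The 7-day window and the variable names are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): summarise 5038/5061 audit failures.
# Keyword mask for "Audit Failure" records in the Security log.
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5038, 5061
    Keywords  = $auditFailure
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the event data generically from the event XML, so no field
    # names are hard-coded for either event ID.
    $xml   = [xml]$e.ToXml()
    $pairs = @()
    $i     = 0
    foreach ($d in $xml.Event.EventData.ChildNodes) {
        $name = $d.GetAttribute('Name')
        if (-not $name) { $name = "Data$i" }   # unnamed element: use its position
        $pairs += "$name=$($d.InnerText)"
        $i++
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Signature   = "$($e.Id) | " + ($pairs -join '; ')
    }
}

if (-not $rows) {
    'No 5038/5061 audit failures found in the selected window.'
} else {
    # Identical signatures mean the same file (5038) or the same key
    # operation and return code (5061) failing repeatedly.
    $rows | Group-Object Signature |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                FirstSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
                LastSeen  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
                Signature = $_.Name
            }
        } | Format-List
}

# Effective setting of the subcategory that produces both event IDs.
auditpol /get /subcategory:"System Integrity"
```

A single signature accounting for most of the count usually points at one unsigned or modified file (5038) or one application repeatedly failing a key operation (5061), which is the thing to investigate before changing the audit policy.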