VeenaSagar-2372 asked DaisyZhou-MSFT commented

Event 4816 - RPC detected an integrity violation while decrypting an incoming message.

Hi,

I would like to get more details on the mentioned event. Especially the purpose of the field "Peer" and under what circumstance does this event occur?
All I could gather from this event was Peer address, protocol used and Host name.

Regards,
Veena

windows-10-security windows-server-2016 windows-server-2012

Hello @VeenaSagar-2372,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello @VeenaSagar-2372,
I just want to confirm the current situation.

Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered VeenaSagar-2372 commented

Hello @VeenaSagar-2372,

Thank you for posting here.

Based on my research, event 4816 is generated if RPC detects an integrity violation while decrypting an incoming message.

Activities that violate the integrity of the security subsystem include the following:

1-Audited events are lost due to a failure of the auditing system.

2-A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.

3-A remote procedure call (RPC) integrity violation is detected.

4-A code integrity violation with an invalid hash value of an executable file is detected.

5-Cryptographic tasks are performed.


Regarding the purpose of the field "Peer", I am sorry I cannot find any information about it.

Also it seems it is difficult to reproduce the event 4816 in my lab.

However, would you please tell us what actual issue you have encountered?


Should you have any question or concern, please feel free to let us know.


References
4816(S): RPC detected an integrity violation while decrypting an incoming message.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816

Audit System Integrity
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity



Best Regards,
Daisy Zhou


Hi Daisy,

Could you tell me more about what makes this event trigger? I have already gone through the links you shared.
It would be quite helpful to trace back on its origin.

Regards,
Veena


Hello @VeenaSagar-2372,

Thank you for your update.

It seems it is difficult for me to reproduce the event 4816 in my lab.

Could you please tell me if your issue is related to Event 4816? If so, could you please tell me the details?


Best Regards,
Daisy Zhou


Hi,

I'll share the details on event 4816:

Destination Host Name is the Active directory.
Peer Name is one of the IPs from the organization.
Protocol Sequence is ncacn_ip_tcp.

I could see some firewall logs with service as DCE-RPC.
Other than that, no other information is available.

Regards,
Veena

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @VeenaSagar-2372,

Thank you for your update.

Can you see the detailed description about this Event ID 4816?

Do you have the issue for domain users or domain computers (maybe the user or computer is mentioned on the Event ID 4816)?

Similar case (but I cannot see the answer without signing in):
RPC detected an integrity violation while decrypting an incoming message
https://www.experts-exchange.com/questions/28142776/RPC-detected-an-integrity-violation-while-decrypting-an-incoming-message.html



Best Regards,
Daisy Zhou
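
Added example (not part of the thread and not Microsoft's code): one way to trace where Event 4816 originates is to group the events by the Peer Name and Protocol Sequence fields reported earlier in this thread. The EventData names `PeerName` and `ProtocolSequence`, the host name and all sample values are assumptions; check one real event's XML and adjust the names if they differ.

```powershell
# Added example. Field names PeerName / ProtocolSequence are assumed from the
# labels quoted in the thread; confirm them against one real event's XML.

# Live source (elevated prompt on the host that logged the events):
#   $xmlEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4816 } |
#       ForEach-Object { $_.ToXml() }

# Constructed sample events so the script runs anywhere; all values are made up.
$template = '<Event><System><EventID>4816</EventID><TimeCreated SystemTime="{0}"/>' +
            '<Computer>dc01.example.test</Computer></System><EventData>' +
            '<Data Name="PeerName">{1}</Data>' +
            '<Data Name="ProtocolSequence">ncacn_ip_tcp</Data></EventData></Event>'
$xmlEvents = @(
    ($template -f '2021-03-01T09:15:02Z', '192.0.2.10'),
    ($template -f '2021-03-01T09:15:40Z', '192.0.2.10'),
    ($template -f '2021-03-02T14:03:11Z', '192.0.2.77')
)

$rows = foreach ($x in $xmlEvents) {
    $doc = [xml]$x
    # Flatten <Data Name="...">value</Data> into a name/value lookup
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated      = [datetime]$doc.Event.System.TimeCreated.SystemTime
        Computer         = $doc.Event.System.Computer
        PeerName         = $fields['PeerName']
        ProtocolSequence = $fields['ProtocolSequence']
    }
}

# One row per peer/protocol pair: how often it fired, and when
$summary = $rows | Group-Object PeerName, ProtocolSequence | ForEach-Object {
    $times = @($_.Group.TimeCreated | Sort-Object)
    [pscustomobject]@{
        PeerName         = $_.Group[0].PeerName
        ProtocolSequence = $_.Group[0].ProtocolSequence
        Count            = $_.Count
        FirstSeen        = $times[0]
        LastSeen         = $times[-1]
    }
}
$summary | Sort-Object Count -Descending | Format-Table -AutoSize
```

The FirstSeen and LastSeen times per peer can then be matched against the firewall's DCE-RPC entries for the same source address.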
