Audit DPAPI Activity

Applies to

  • Windows 10
  • Windows Server 2016

Audit DPAPI Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).

Event volume: Low.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF IF IF IF IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Member Server IF IF IF IF IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Workstation IF IF IF IF IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.

Events List:

  • 4692(S, F): Backup of data protection master key was attempted.

  • 4693(S, F): Recovery of data protection master key was attempted.

  • 4694(S, F): Protection of auditable protected data was attempted.

  • 4695(S, F): Unprotection of auditable protected data was attempted.