Nicholas Brower 1ae3f0b230 Merged PR 4822: "msdate update (generated from most recent commit date)"
"msdate update (generated from most recent commit date)"
2017-12-05 22:36:05 +00:00


---
title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10)
description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
ms.date: 04/19/2017
---
# 4695(S, F): Unprotection of auditable protected data was attempted.

**Applies to**
- Windows 10
- Windows Server 2016

This event is generated when the [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) [CryptUnprotectData](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx)() function is used to unprotect “auditable” data that was encrypted using the [**CryptProtectData**](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx)() function with the **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.

There is no example of this event in this document.
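
To check that this event reaches your collection pipeline, the script below protects a throwaway value with **CRYPTPROTECT\_AUDIT** set, unprotects it, and then looks for 4695 in the Security log. It is an added example, not part of the original document or of any Microsoft sample; the class name `DpapiAuditTest`, the description string and the test value are constructed for illustration, and it assumes an elevated session with the Audit DPAPI Activity subcategory enabled.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class DpapiAuditTest {   // hypothetical helper name
    const uint CRYPTPROTECT_AUDIT = 0x10;   // dwFlags value from the Windows SDK headers
    [StructLayout(LayoutKind.Sequential)]
    struct DATA_BLOB { public int cbData; public IntPtr pbData; }
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB dataIn, string descr, IntPtr entropy,
        IntPtr reserved, IntPtr prompt, uint flags, out DATA_BLOB dataOut);
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptUnprotectData(ref DATA_BLOB dataIn, IntPtr descr, IntPtr entropy,
        IntPtr reserved, IntPtr prompt, uint flags, out DATA_BLOB dataOut);
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr mem);
    static byte[] Call(byte[] input, bool protect) {
        var i = new DATA_BLOB { cbData = input.Length, pbData = Marshal.AllocHGlobal(input.Length) };
        var o = new DATA_BLOB();
        try {
            Marshal.Copy(input, 0, i.pbData, input.Length);
            bool ok = protect
                ? CryptProtectData(ref i, "4695 audit test (constructed)", IntPtr.Zero, IntPtr.Zero,
                                   IntPtr.Zero, CRYPTPROTECT_AUDIT, out o)
                : CryptUnprotectData(ref i, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, out o);
            if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error());
            var result = new byte[o.cbData];
            Marshal.Copy(o.pbData, result, 0, o.cbData);
            return result;
        } finally {
            Marshal.FreeHGlobal(i.pbData);                      // input buffer we allocated
            if (o.pbData != IntPtr.Zero) LocalFree(o.pbData);   // output buffer allocated by DPAPI
        }
    }
    public static byte[] Protect(byte[] data)   { return Call(data, true); }   // sets CRYPTPROTECT_AUDIT
    public static byte[] Unprotect(byte[] data) { return Call(data, false); }  // the call 4695 audits
}
'@

$start = Get-Date
$plain = [Text.Encoding]::UTF8.GetBytes('constructed test value, not a real secret')
$blob  = [DpapiAuditTest]::Protect($plain)
$back  = [DpapiAuditTest]::Unprotect($blob)
if ([Text.Encoding]::UTF8.GetString($back) -ne [Text.Encoding]::UTF8.GetString($plain)) { throw 'round trip failed' }

# No output means no 4695 was recorded since $start: check the audit policy and that the session is elevated.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4695; StartTime = $start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```
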
***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md)

***Event Schema:***

*Unprotection of auditable protected data was attempted.*

*Subject:*

> *Security ID:%1*
>
> *Account Name:%2*
>
> *Account Domain:%3*
>
> *Logon ID:%4*

*Protected Data:*

> *Data Description:%6*
>
> *Key Identifier:%5*
>
> *Protected Data Flags:%7*
>
> *Protection Algorithms:%8*

*Status Information:*

> *Status Code:%9*

***Required Server Roles:*** None.

***Minimum OS Version:*** Windows Server 2008, Windows Vista.

***Event Versions:*** 0.

## Security Monitoring Recommendations

- There is no recommendation for this event in this document.
- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It's mainly used for DPAPI troubleshooting.