2017-04-19 14:12:47 -07:00


title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10)
description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh

4695(S, F): Unprotection of auditable protected data was attempted.

Applies to

  • Windows 10
  • Windows Server 2016

This event is generated when the DPAPI CryptUnprotectData() function is used to unprotect “auditable” data that was encrypted using the CryptProtectData() function with the CRYPTPROTECT_AUDIT flag (dwFlags) enabled.

There is no example of this event in this document.

Subcategory: Audit DPAPI Activity

Event Schema:

Unprotection of auditable protected data was attempted.

Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4

Protected Data:
    Data Description: %6
    Key Identifier: %5
    Protected Data Flags: %7
    Protection Algorithms: %8

Status Information:
    Status Code: %9

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.
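
The %N placeholders in the schema are positional insertion strings, so each one can be read by index from an event record. The following added example (not part of the original document) lists recent 4695 events with the schema's labels as property names, for DPAPI troubleshooting. The function name ConvertTo-DpapiUnprotectRecord and the property names are chosen here for illustration.

```powershell
# Added example: map the positional insertion strings (%1..%9) of event 4695
# onto named properties. Run from an elevated session to read the Security log.

# Order follows the %N numbering in the schema, not the display order
# (Key Identifier is %5, Data Description is %6).
$fieldNames = @(
    'SecurityID',            # %1
    'AccountName',           # %2
    'AccountDomain',         # %3
    'LogonID',               # %4
    'KeyIdentifier',         # %5
    'DataDescription',       # %6
    'ProtectedDataFlags',    # %7
    'ProtectionAlgorithms',  # %8
    'StatusCode'             # %9
)

function ConvertTo-DpapiUnprotectRecord {
    # Hypothetical helper name; turns one event record into a flat object.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        $out = [ordered]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.MachineName
        }
        for ($i = 0; $i -lt $fieldNames.Count; $i++) {
            # Tolerate records that carry fewer insertion strings than expected.
            $value = if ($i -lt $Record.Properties.Count) { $Record.Properties[$i].Value } else { $null }
            $out[$fieldNames[$i]] = $value
        }
        [pscustomobject]$out
    }
}

$filter = @{ LogName = 'Security'; Id = 4695 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No 4695 events found. Check that the Audit DPAPI Activity subcategory is enabled.'
} else {
    $events | ConvertTo-DpapiUnprotectRecord | Sort-Object TimeCreated |
        Format-Table TimeCreated, AccountDomain, AccountName, DataDescription, KeyIdentifier, StatusCode -AutoSize
}
```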

Security Monitoring Recommendations

  • There is no recommendation for this event in this document.

  • This event is typically an informational event, and it is difficult to detect any malicious activity using this event. It's mainly used for DPAPI troubleshooting.