windows-itpro-docs/windows/security/threat-protection/auditing/audit-dpapi-activity.md

title, description, ms.assetid, ms.reviewer, manager, ms.author, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.localizationpriority, author, ms.date, ms.technology, ms.topic

title	description	ms.assetid	ms.reviewer	manager	ms.author	ms.pagetype	ms.prod	ms.mktglfcycl	ms.sitesec	ms.localizationpriority	author	ms.date	ms.technology	ms.topic
Audit DPAPI Activity	The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events.	be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd		aaroncz	vinpa	security	windows-client	deploy	library	low	vinaypamnani-msft	09/06/2021	itpro-security	reference

Audit DPAPI Activity

Audit DPAPI Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).

Event volume: Low.

Computer Type	General Success	General Failure	Stronger Success	Stronger Failure	Comments
Domain Controller	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Member Server	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Workstation	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.

Events List:

• 4692(S, F): Backup of data protection master key was attempted.

• 4693(S, F): Recovery of data protection master key was attempted.

• 4694(S, F): Protection of auditable protected data was attempted.

• 4695(S, F): Unprotection of auditable protected data was attempted.