windows-itpro-docs/windows/keep-secure/audit-dpapi-activity.md

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author

title	description	ms.assetid	ms.pagetype	ms.prod	ms.mktglfcycl	ms.sitesec	author
Audit DPAPI Activity (Windows 10)	This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).	be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd	security	w10	deploy	library	Mir0sh

Audit DPAPI Activity

Applies to

• Windows 10
• Windows Server 2016

Audit DPAPI Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).

Event volume: Low.

Computer Type	General Success	General Failure	Stronger Success	Stronger Failure	Comments
Domain Controller	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Member Server	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Workstation	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.

Events List:

• 4692(S, F): Backup of data protection master key was attempted.

• 4693(S, F): Recovery of data protection master key was attempted.

• 4694(S, F): Protection of auditable protected data was attempted.

• 4695(S, F): Unprotection of auditable protected data was attempted.