Event ID 4692
Backup of data protection master key was attempted
Backup of data protection master key was attempted.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Key Information:
Key Identifier: %5
Recovery Server: %6
Recovery Key ID: %7
Status Information:
Status Code: %8
This event generates every time that a backup is attempted for the DPAPI Master Key.
Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key. This event also generates every time a new DPAPI Master Key is generated.
Auditing:
Always
Generally only necessary for troubleshooting purposes, but due to the low volume it is nevertheless recommended.
Name | Field | Insertion String | OS | Example
Security ID | SubjectUserSid | %1 | Any | DOMAIN\Username
Account Name | SubjectUserName | %2 | Any | Username
Account Domain | SubjectDomainName | %3 | Any | DOMAIN
Logon ID | SubjectLogonId | %4 | Any | 0x0307
Key Identifier | MasterKeyId | %5 | Any | 16cfaea0-dbe3-4d92-9523-d494edb546bc
Recovery Server | RecoveryServer | %6 | Any | DC01.domain.local
Recovery Key ID | RecoveryKeyId | %7 | Any | 806a0350-aeb1-4c56-91f9-ef16cf759291
Status Code | FailureReason | %8 | Any | 0x0
Security ID: Account that requested the backup operation.
All of a user's Master Keys are located in their user profile -> %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The SID can be obtained in the XML view of this event. The name of the affected Master Key file matches the Key Identifier field in this event.
Account Name: The name of the account that requested the backup operation.
Key Identifier: Unique identifier of the master key whose backup was created. The Master Key is used, with some additional data, to generate the actual symmetric session key that encrypts/decrypts the data using DPAPI. All of a user's Master Keys are located in their user profile -> %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its unique identifier.
Recovery Server: The name (typically the DNS name) of the computer that the user contacted to back up their Master Key. For domain-joined machines, it is typically the name of a domain controller. This parameter might not be captured in the event, in which case the field is empty.
Recovery Key ID: Unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. In this field, you will see the unique Recovery Key ID that was used for the Master Key backup operation.
For Failure events, this field is typically empty.
Status Code: The hexadecimal status code of the performed operation. For Success events, this field is typically "0x0". To see the meaning of the status code, convert it to the equivalent decimal value and use the "net helpmsg decimalvalue" command to see the description for that status code.
For example, if the status code is 0x3A the equivalent decimal value is 58. You would run "net helpmsg 58", which tells you:
The specified server cannot perform the requested operation.
In other words, status code 0x3A means that the specified server could not perform the requested operation regarding the attempted data protection master key backup.
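As an added example (not part of this reference page), the following Python script parses a 4692 event as it appears in the Security log's XML view, using the Data field names listed above, converts the hexadecimal status code to the decimal value that "net helpmsg" expects, and lists failed backup attempts for triage. The sample event is constructed; the SID in it is a placeholder, and only the two status codes this page documents (0x0 and 0x3A) are decoded inline.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status codes documented on this page; anything else is resolved with `net helpmsg <decimal>`.
KNOWN_STATUS = {
    0x0: "Success",
    0x3A: "The specified server cannot perform the requested operation.",
}

# Constructed sample 4692 event (XML view). Field values mirror the examples in the table above;
# the SID is a made-up placeholder.
SAMPLE_4692 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4692</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1000000000-2000000000-3000000000-1104</Data>
    <Data Name="SubjectUserName">Username</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x0307</Data>
    <Data Name="MasterKeyId">16cfaea0-dbe3-4d92-9523-d494edb546bc</Data>
    <Data Name="RecoveryServer">DC01.domain.local</Data>
    <Data Name="RecoveryKeyId">806a0350-aeb1-4c56-91f9-ef16cf759291</Data>
    <Data Name="FailureReason">0x3A</Data>
  </EventData>
</Event>"""


def parse_4692(xml_text):
    """Return the 4692 EventData fields keyed by their Data Name, plus a decoded status."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    if event_id != 4692:
        raise ValueError(f"expected event 4692, got {event_id}")
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", EVT_NS)}
    status = int(fields.get("FailureReason", "0x0"), 16)  # "0x3A" -> 58
    fields["StatusDecimal"] = status                       # the value `net helpmsg` takes
    fields["Succeeded"] = status == 0
    fields["StatusText"] = KNOWN_STATUS.get(status, f"unknown; run: net helpmsg {status}")
    return fields


def failed_backups(events_xml):
    """Triage helper: one summary line per failed backup attempt (non-zero Status Code)."""
    out = []
    for xml_text in events_xml:
        f = parse_4692(xml_text)
        if not f["Succeeded"]:
            out.append(f'{f["SubjectDomainName"]}\\{f["SubjectUserName"]} key {f["MasterKeyId"]} '
                       f'via {f["RecoveryServer"] or "<no server>"}: {f["StatusText"]}')
    return out


if __name__ == "__main__":
    for line in failed_backups([SAMPLE_4692]):
        print(line)
```

A recurring non-zero Status Code for one user, or an empty Recovery Server on a domain-joined machine, is the signal worth investigating, since it means the master key could not be backed up and a password reset would leave that user's DPAPI secrets unrecoverable.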
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"