Event ID: 4692

Backup of data protection master key was attempted

Backup of data protection master key was attempted.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Key Information:
    Key Identifier:     %5
    Recovery Server:    %6
    Recovery Key ID:    %7

Status Information:
    Status Code:        %8

This event generates every time that a backup is attempted for the DPAPI Master Key.

Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key. This event also generates every time a new DPAPI Master Key is generated.

Auditing:     Always

Generally only necessary for troubleshooting purposes, but due the low volume is nevertheless recommended.

Volume:     Low

Microsoft Documentation

Event ID - 4692

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any Username
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x0307
Key Identifier MasterKeyId %5 Any 16cfaea0-dbe3-4d92-9523-d494edb546bc
Recovery Server RecoveryServer %6 Any DC01.domain.local
Recovery Key ID RecoveryKeyId %7 Any 806a0350-aeb1-4c56-91f9-ef16cf759291
Status Code FailureReason %8 Any 0x0

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"

LEFT/RIGHT arrow keys for navigation

Back to List