Event ID 4693
Recovery of data protection master key was attempted
Recovery of data protection master key was attempted.
Subject:
  Security ID: %1
  Account Name: %2
  Account Domain: %3
  Logon ID: %4
Key Information:
  Key Identifier: %5
  Recovery Server: %6
  Recovery Key ID: %8
  Recovery Reason: %7
Status Information:
  Status Code: %9
This event generates every time that recovery is attempted for a DPAPI Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call.
A Failure event is generated when a Master Key restore operation fails for some reason.
Auditing:
Always
Generally only necessary for troubleshooting purposes, but due to the low volume it is nevertheless recommended.
| Name | Field | Insertion String | OS | Example |
|---|---|---|---|---|
| Security ID | SubjectUserSid | %1 | Any | DOMAIN\Username |
| Account Name | SubjectUserName | %2 | Any | Username |
| Account Domain | SubjectDomainName | %3 | Any | DOMAIN |
| Logon ID | SubjectLogonId | %4 | Any | 0x0307 |
| Key Identifier | MasterKeyId | %5 | Any | 16cfaea0-dbe3-4d92-9523-d494edb546bc |
| Recovery Server | RecoveryServer | %6 | Any | DC01.domain.local |
| Recovery Reason | RecoveryReason | %7 | Any | 0x5c005c |
| Recovery Key ID | RecoveryKeyId | %8 | Any | 806a0350-aeb1-4c56-91f9-ef16cf759291 |
| Status Code | FailureReason | %9 | Any | 0x380000 |
The account that requested the backup operation.
All of a user's Master Keys are located in their user profile -> %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The SID can be obtained in the XML view of this event. The name of the affected Master Key file matches the Key Identifier field in this event.
The name of the account that requested the backup operation.
Unique identifier of the Master Key whose backup was created. The Master Key is used, with some additional data, to generate the actual symmetric session key that encrypts/decrypts the data using DPAPI. All of a user's Master Keys are located in their user profile -> %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its unique identifier.
The name (typically the DNS name) of the computer that the user contacted to back up their Master Key. For domain-joined machines, it is typically the name of a domain controller. This parameter might not be captured in the event, and in that case it will be empty.
Unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. This field shows the unique Recovery Key ID that was used for the Master Key backup operation.
For Failure events, this field is typically empty.
The unique hexadecimal status code of the performed operation. For Success events, this field is typically “0x380000”.
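The fields described above can be read from the event's XML view and checked during triage. The Python below is an added example, not part of the original page or of any Microsoft tooling; the sample events, the SID, the `0x0` failing status value and the `KNOWN_DCS` allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TYPICAL_SUCCESS = 0x380000           # Status Code this page gives for Success events
KNOWN_DCS = {"dc01.domain.local"}    # assumption: your own domain controller inventory

def sample_event(status, server, recovery_key_id):
    """Build a constructed 4693 event in the XML-view layout (not a real log)."""
    data = {
        "SubjectUserSid": "S-1-5-21-1000000000-2000000000-3000000000-1104",
        "SubjectUserName": "Username", "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x0307",
        "MasterKeyId": "16cfaea0-dbe3-4d92-9523-d494edb546bc",
        "RecoveryServer": server, "RecoveryReason": "0x5c005c",
        "RecoveryKeyId": recovery_key_id, "FailureReason": status,
    }
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4693</EventID></System>'
            f"<EventData>{rows}</EventData></Event>")

def triage(event_xml):
    """Return (fields, findings) for one 4693 event; empty findings means routine."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4693":
        raise ValueError("not a 4693 event")
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.iterfind("e:EventData/e:Data", NS)}
    findings = []
    try:
        status = int(fields.get("FailureReason", ""), 16)
    except ValueError:
        status = None                # empty or unparsable status code
    if status != TYPICAL_SUCCESS:
        shown = fields.get("FailureReason") or "<empty>"
        findings.append(f"status {shown} is not the typical success code")
    # Recovery Server may legitimately be empty; only a non-DC name is flagged.
    server = fields.get("RecoveryServer", "").lower()
    if server and server not in KNOWN_DCS:
        findings.append(f"recovery server {server} is not a known domain controller")
    # Master Key file name equals the Key Identifier, inside the user's SID folder.
    fields["MasterKeyFile"] = f"Protect\\{fields.get('SubjectUserSid')}\\{fields.get('MasterKeyId')}"
    return fields, findings

if __name__ == "__main__":
    good = sample_event("0x380000", "DC01.domain.local", "806a0350-aeb1-4c56-91f9-ef16cf759291")
    bad = sample_event("0x0", "files07.domain.local", "")
    for ev in (good, bad):
        print(triage(ev)[1])
```
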
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"