Event ID: 4693

Recovery of data protection master key was attempted

Recovery of data protection master key was attempted.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Key Information:
    Key Identifier:     %5
    Recovery Server:    %6
    Recovery Key ID:    %8
    Recovery Reason:    %7

Status Information:
    Status Code:        %9

This event generates every time that recovery is attempted for a DPAPI Master Key.

While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call.

Failure event generates when a Master Key restore operation fails for some reason.

Auditing:     Always

Generally only necessary for troubleshooting purposes, but due the low volume is nevertheless recommended.

Volume:     Low

Microsoft Documentation

Event ID - 4693

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any Username
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x0307
Key Identifier MasterKeyId %5 Any 16cfaea0-dbe3-4d92-9523-d494edb546bc
Recovery Server RecoveryServer %6 Any DC01.domain.local
Recovery Reason RecoveryReason %7 Any 0x5c005c
Recovery Key ID RecoveryKeyId %8 Any 806a0350-aeb1-4c56-91f9-ef16cf759291
Status Code FailureReason %9 Any 0x380000

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"

LEFT/RIGHT arrow keys for navigation

Back to List