Event ID: 4695Unprotection of auditable protected data was attempted
Unprotection of auditable protected data was attempted. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Protected Data: Data Description: %6 Key Identifier: %5 Protected Data Flags: %7 Protection Algorithms: %8 Status Information: Status Code: %9
This event generates if DPAPI CryptUnprotectData function was used to unprotect “auditable” data, which is data that was encrypted using CryptProtectData function with CRYPTPROTECT_AUDIT flag enabled. "Auditable" data is logged as event ID 4694.
Generally only necessary for troubleshooting purposes, but due the low volume is nevertheless recommended.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"
LEFT/RIGHT arrow keys for navigationBack to List