Event ID 4695
Unprotection of auditable protected data was attempted.
Subject:
    Security ID: %1
    Account Name: %2
    Account Domain: %3
    Logon ID: %4
Protected Data:
    Data Description: %6
    Key Identifier: %5
    Protected Data Flags: %7
    Protection Algorithms: %8
Status Information:
    Status Code: %9
This event is generated when the DPAPI CryptUnprotectData function is used to unprotect "auditable" data, that is, data that was encrypted using the CryptProtectData function with the CRYPTPROTECT_AUDIT flag enabled. "Auditable" data is logged as event ID 4694.
Auditing:
Always
Generally only necessary for troubleshooting purposes, but due to the low volume it is nevertheless recommended.
Volume:
Low
Microsoft Documentation
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"
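Once the subcategory is being audited, the recorded events can be reviewed from PowerShell. The following is an added example, not part of the original page or of Microsoft's documentation: it reads event ID 4695 from the Security log and maps each event's properties by position, using the %1 to %9 order of the message template above. The output column names are chosen for this example.

```powershell
# Added example. Reading the Security log requires an elevated session.
# Positions follow the %1..%9 placeholders in the event template on this page;
# the key names on the left are this example's own labels.
$fields = [ordered]@{
    SecurityId           = 0   # %1
    AccountName          = 1   # %2
    AccountDomain        = 2   # %3
    LogonId              = 3   # %4
    KeyIdentifier        = 4   # %5
    DataDescription      = 5   # %6
    ProtectedDataFlags   = 6   # %7
    ProtectionAlgorithms = 7   # %8
    StatusCode           = 8   # %9
}

# No matching events is reported as a non-terminating error, so suppress it
# and continue with an empty result.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4695 } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $row = [ordered]@{
        TimeCreated = $e.TimeCreated
        Computer    = $e.MachineName
    }
    foreach ($name in $fields.Keys) {
        $idx = $fields[$name]
        # Guard against events that carry fewer properties than the template lists.
        $row[$name] = if ($idx -lt $e.Properties.Count) { $e.Properties[$idx].Value } else { $null }
    }
    [pscustomobject]$row
}

# Full detail, newest first.
$rows | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Summary: which account unprotected which described data, and how often.
$rows |
    Group-Object AccountDomain, AccountName, DataDescription |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```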