Event ID: 4695

Unprotection of auditable protected data was attempted

Unprotection of auditable protected data was attempted.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Protected Data:
    Data Description:       %6
    Key Identifier:         %5
    Protected Data Flags:   %7
    Protection Algorithms:  %8

Status Information:
    Status Code:            %9

This event generates if DPAPI CryptUnprotectData function was used to unprotect “auditable” data, which is data that was encrypted using CryptProtectData function with CRYPTPROTECT_AUDIT flag enabled. "Auditable" data is logged as event ID 4694.

Auditing:     Always

Generally only necessary for troubleshooting purposes, but due the low volume is nevertheless recommended.

Volume:     Low

Microsoft Documentation

Event ID - 4695

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"

LEFT/RIGHT arrow keys for navigation

Back to List