Audit DPAPI Activity

Article
2021-09-06

Audit DPAPI Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).

Event volume: Low.

Computer Type	General Success	General Failure	Stronger Success	Stronger Failure	Comments
Domain Controller	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Member Server	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Workstation	IF	IF	IF	IF	IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.

Events List:

4692(S, F): Backup of data protection master key was attempted.
4693(S, F): Recovery of data protection master key was attempted.
4694(S, F): Protection of auditable protected data was attempted.
4695(S, F): Unprotection of auditable protected data was attempted.