Microsoft-Windows-CAPI2
74 events across 3 channels. All examples below come from the Microsoft-Windows-CAPI2/Operational channel, which is typically disabled by default and ships with a small maximum log size — enable it and raise the size before depending on these events for detection. Across the examples, `EventAuxInfo.ProcessName` is an image name only (no path, PID or hash; use `execution.process_id` to correlate with process-creation telemetry), and `CorrelationAuxInfo.TaskId`/`SeqNumber` tie the records of one operation together (the Event ID 80, 10 and 11 examples share TaskId {CF0BD453-…} with SeqNumber 1, 2, 3).
Event ID 10 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the start marker of a CertGetCertificateChain call (`user_data.CertGetCertificateChainStart`). It carries only the calling `ProcessName` and the correlation pair; the certificate, flags and chain result are in the matching Event ID 11 with the same `TaskId` and the next `SeqNumber` (2 → 3 in the examples). On its own it is mainly useful for timing and for joining to the Event ID 11 record.
Message #
Fields #
| Name | Description |
|---|---|
CertGetCertificateChainStart.EventAuxInfo | — |
CertGetCertificateChainStart.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 11,
"opcode": 1,
"keywords": 4611686018427387907,
"time_created": "2026-03-13T20:00:05.355110+00:00",
"event_record_id": 3575,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertGetCertificateChainStart": {
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{CF0BD453-CD94-4F51-B22E-F268FB8E1C35}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 11 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the completion of CertGetCertificateChain (chain build) for `Certificate`, with the certificates the caller supplied in `AdditionalStore`, the engine used (`ChainEngineInfo.context`, `user` in the example) and the built chain under `CertificateChain` (`chainRef` is reused by Event ID 30/81 records for the same chain). `CertificateChain.TrustStatus.ErrorStatus` is the aggregate error bitmask, each `ChainElement` carries its own `TrustStatus`, and `Result` is the HRESULT. The example is a level-2 (Error) record: the Microsoft Time-Stamp Service leaf fails with CERT_TRUST_IS_NOT_TIME_VALID (Result 0x800B0101) while the intermediate and root are clean, and `Flags` CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL shows no network retrieval was attempted. A chain error here does not by itself mean the signature check failed — the `Result` of the Event ID 81 with the same `TaskId` decides that — but non-zero `ErrorStatus` values, and chains that terminate in an unexpected self-signed root (`CERT_TRUST_IS_SELF_SIGNED` on the last element), are what to surface.
Message #
Fields #
| Name | Description |
|---|---|
CertGetCertificateChain.Certificate | — |
CertGetCertificateChain.AdditionalStore | — |
CertGetCertificateChain.ExtendedKeyUsage | — |
CertGetCertificateChain.Flags | — |
CertGetCertificateChain.ChainEngineInfo | — |
CertGetCertificateChain.CertificateChain | — |
CertGetCertificateChain.EventAuxInfo | — |
CertGetCertificateChain.CorrelationAuxInfo | — |
CertGetCertificateChain.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 2,
"task": 11,
"opcode": 2,
"keywords": 4611686018427387907,
"time_created": "2026-03-13T20:00:05.356343+00:00",
"event_record_id": 3576,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertGetCertificateChain": {
"Certificate": {
"fileRef": "34A2F214EBABF43CA29A70786CAE64B34426AFD5.cer",
"subjectName": "Microsoft Time-Stamp Service"
},
"AdditionalStore": {
"Certificate": {
"fileRef": "580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D.cer",
"subjectName": "Microsoft Windows Production PCA 2011"
},
"Certificate_1": {
"fileRef": "BBD2C438000344F439BFDFE5ABAC3223357CD67F.cer",
"subjectName": "Microsoft Windows"
},
"Certificate_2": {
"fileRef": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6.cer",
"subjectName": "Microsoft Time-Stamp PCA 2010"
},
"Certificate_3": {
"fileRef": "34A2F214EBABF43CA29A70786CAE64B34426AFD5.cer",
"subjectName": "Microsoft Time-Stamp Service"
}
},
"ExtendedKeyUsage": null,
"Flags": {
"value": "4",
"CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL": "true"
},
"ChainEngineInfo": {
"context": "user"
},
"CertificateChain": {
"chainRef": "{CF25F10C-0EAF-4A4D-9077-D259B9BFF745}",
"TrustStatus": {
"ErrorStatus": {
"value": "1",
"CERT_TRUST_IS_NOT_TIME_VALID": "true"
},
"InfoStatus": {
"value": "100",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ChainElement": {
"Certificate": {
"fileRef": "34A2F214EBABF43CA29A70786CAE64B34426AFD5.cer",
"subjectName": "Microsoft Time-Stamp Service"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"TrustStatus": {
"ErrorStatus": {
"value": "1",
"CERT_TRUST_IS_NOT_TIME_VALID": "true"
},
"InfoStatus": {
"value": "102",
"CERT_TRUST_HAS_KEY_MATCH_ISSUER": "true",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ApplicationUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
},
"IssuanceUsage": null
},
"ChainElement_1": {
"Certificate": {
"fileRef": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6.cer",
"subjectName": "Microsoft Time-Stamp PCA 2010"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"TrustStatus": {
"ErrorStatus": {
"value": "0"
},
"InfoStatus": {
"value": "102",
"CERT_TRUST_HAS_KEY_MATCH_ISSUER": "true",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ApplicationUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
},
"IssuanceUsage": {
"Usage": {
"oid": "1.3.6.1.4.1.311.76.509.1.1"
}
}
},
"ChainElement_2": {
"Certificate": {
"fileRef": "3B1EFD3A66EA28B16697394703A72CA340A05BD5.cer",
"subjectName": "Microsoft Root Certificate Authority 2010"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"TrustStatus": {
"ErrorStatus": {
"value": "0"
},
"InfoStatus": {
"value": "13C",
"CERT_TRUST_HAS_NAME_MATCH_ISSUER": "true",
"CERT_TRUST_IS_SELF_SIGNED": "true",
"CERT_TRUST_AUTO_UPDATE_CA_REVOCATION": "true",
"CERT_TRUST_AUTO_UPDATE_END_REVOCATION": "true",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ApplicationUsage": {
"any": "true"
},
"IssuanceUsage": {
"any": "true"
}
}
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{CF0BD453-CD94-4F51-B22E-F268FB8E1C35}",
"SeqNumber": "3"
},
"Result": {
"value": "800B0101",
"Value": "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
}
}
},
"message": ""
}
References #
Event ID 12 — For more details for this event, please refer to the "Details" section
Event ID 13 — For more details for this event, please refer to the "Details" section
Event ID 14 — For more details for this event, please refer to the "Details" section
Event ID 15 — For more details for this event, please refer to the "Details" section
Event ID 16 — For more details for this event, please refer to the "Details" section
Event ID 17 — For more details for this event, please refer to the "Details" section
Event ID 18 — For more details for this event, please refer to the "Details" section
Event ID 19 — For more details for this event, please refer to the "Details" section
Event ID 20 — For more details for this event, please refer to the "Details" section
Event ID 21 — For more details for this event, please refer to the "Details" section
Event ID 22 — For more details for this event, please refer to the "Details" section
Event ID 23 — For more details for this event, please refer to the "Details" section
Event ID 24 — For more details for this event, please refer to the "Details" section
Event ID 30 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the result of CertVerifyCertificateChainPolicy: the chain `CertificateChain.chainRef` (the same {422C2A8A-…} as the Event ID 81 example, i.e. the chain built for the Microsoft Windows code-signing certificate) is tested against `Policy.type`, here CERT_CHAIN_POLICY_MICROSOFT_ROOT (by its name, a check that the chain anchors in a Microsoft root). `Result.value` 0 means the policy passed; when it is non-zero, `Status.chainIndex`/`elementIndex` point at the element that failed. `Flags.value` is the policy flags word (0 in the example).
Message #
Fields #
| Name | Description |
|---|---|
CertVerifyCertificateChainPolicy.Policy | — |
CertVerifyCertificateChainPolicy.Certificate | — |
CertVerifyCertificateChainPolicy.CertificateChain | — |
CertVerifyCertificateChainPolicy.Flags | — |
CertVerifyCertificateChainPolicy.Status | — |
CertVerifyCertificateChainPolicy.EventAuxInfo | — |
CertVerifyCertificateChainPolicy.CorrelationAuxInfo | — |
CertVerifyCertificateChainPolicy.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 30,
"version": 0,
"level": 4,
"task": 30,
"opcode": 0,
"keywords": 4611686018427387905,
"time_created": "2026-03-13T20:00:05.311044+00:00",
"event_record_id": 3571,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertVerifyCertificateChainPolicy": {
"Policy": {
"type": "CERT_CHAIN_POLICY_MICROSOFT_ROOT",
"constant": "7"
},
"Certificate": {
"fileRef": "FE51E838A087BB561BBB2DD9BA20143384A03B3F.cer",
"subjectName": "Microsoft Windows"
},
"CertificateChain": {
"chainRef": "{422C2A8A-2D14-43B7-8F70-6DD1C807BC48}"
},
"Flags": {
"value": "0"
},
"Status": {
"chainIndex": "0",
"elementIndex": "0"
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{2FB27E5B-20C4-4277-99EF-3ADDA4EF8CBB}",
"SeqNumber": "1"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Event ID 40 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the start marker of a CertVerifyRevocation call; it records only `ProcessName` (certsrv.exe on the DC in the example) and the correlation pair. The certificate, issuer, CRLs used and the outcome are in the matching Event ID 41 with the same `TaskId`.
Message #
Fields #
| Name | Description |
|---|---|
CertVerifyRevocationStart.EventAuxInfo | — |
CertVerifyRevocationStart.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 40,
"version": 0,
"level": 4,
"task": 41,
"opcode": 1,
"keywords": 4611686018427387909,
"time_created": "2026-03-13T21:05:59.181502+00:00",
"event_record_id": 113702,
"correlation": {},
"execution": {
"process_id": 9432,
"thread_id": 7728
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertVerifyRevocationStart": {
"EventAuxInfo": {
"ProcessName": "certsrv.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{9B67B555-351F-4EE4-92A7-DEFFE0227D19}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 41 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the completion of CertVerifyRevocation for `Certificate` (issued by `IssuerCertificate`). `RevocationStatus.index` is the certificate evaluated, `error`/`reason` the outcome (0/0 in the example: no error, not revoked), `actualFreshnessTime` the age of the revocation data that was used, and `thirdPartyProviderUsed` the provider DLL (cryptnet.dll). The `CertificateRevocationList` entries show the base CRL and the delta CRL that satisfied the check and where they came from (`location` Store — apparently a local store; no network fetch appears in this record). `AdditionalParameters.timeToUse`/`currentTime` are the evaluation time and `urlRetrievalTimeout` the per-URL limit. When `Result.value` is non-zero, read `RevocationStatus.error` to distinguish a certificate that is actually revoked from one whose status could not be determined (CRL/OCSP unreachable) — the two deserve very different handling in a detection.
Message #
Fields #
| Name | Description |
|---|---|
CertVerifyRevocation.Certificate | — |
CertVerifyRevocation.IssuerCertificate | — |
CertVerifyRevocation.Flags | — |
CertVerifyRevocation.AdditionalParameters | — |
CertVerifyRevocation.RevocationStatus | — |
CertVerifyRevocation.CertificateRevocationList | — |
CertVerifyRevocation.CertificateRevocationList_1 | — |
CertVerifyRevocation.EventAuxInfo | — |
CertVerifyRevocation.CorrelationAuxInfo | — |
CertVerifyRevocation.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 41,
"opcode": 2,
"keywords": 4611686018427387909,
"time_created": "2026-03-13T21:05:59.181662+00:00",
"event_record_id": 113703,
"correlation": {},
"execution": {
"process_id": 9432,
"thread_id": 7728
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertVerifyRevocation": {
"Certificate": {
"fileRef": "F56EABB3328B76F923BFCB6D35C23BDE16D14A00.cer",
"subjectName": "WebServer2"
},
"IssuerCertificate": {
"fileRef": "8EAE36D131A05BF026C6A588F9496A8A617AF247.cer",
"subjectName": "EvtGen-Root-CA"
},
"Flags": {
"value": "0"
},
"AdditionalParameters": {
"timeToUse": "2026-03-13T21:05:59Z",
"currentTime": "2026-03-13T21:05:59.175Z",
"urlRetrievalTimeout": "PT15S"
},
"RevocationStatus": {
"index": "0",
"error": "0",
"reason": "0",
"actualFreshnessTime": "PT30M47S",
"thirdPartyProviderUsed": "C:\\Windows\\System32\\cryptnet.dll"
},
"CertificateRevocationList": {
"location": "Store",
"fileRef": "4AAC12FAC7DC7A42102EB458352AC2AA33C1901F.crl",
"issuerName": "EvtGen-Root-CA"
},
"CertificateRevocationList_1": {
"deltaCRL": "true",
"location": "Store",
"fileRef": "93FDE3883D5439220A2E9D0DB3BBBA6F655FED38.crl",
"issuerName": "EvtGen-Root-CA"
},
"EventAuxInfo": {
"ProcessName": "certsrv.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{9B67B555-351F-4EE4-92A7-DEFFE0227D19}",
"SeqNumber": "3"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Event ID 42 — For more details for this event, please refer to the "Details" section
Event ID 50 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the start marker of a cache-only CryptRetrieveObjectByUrl call (the example is appidcertstorecheck.exe running as S-1-5-19, LOCAL SERVICE). The URL, object type and cache details are in the matching Event ID 51 with the same `TaskId`.
Message #
Fields #
| Name | Description |
|---|---|
CryptRetrieveObjectByUrlCacheStart.EventAuxInfo | — |
CryptRetrieveObjectByUrlCacheStart.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 51,
"opcode": 1,
"keywords": 4611686018427387950,
"time_created": "2026-03-13T21:19:03.663813+00:00",
"event_record_id": 218641,
"correlation": {},
"execution": {
"process_id": 8448,
"thread_id": 4164
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"CryptRetrieveObjectByUrlCacheStart": {
"EventAuxInfo": {
"ProcessName": "appidcertstorecheck.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{F4EEE8BD-2D02-4D08-A1E6-8C28B86BBBC6}",
"SeqNumber": "3"
}
}
},
"message": ""
}
Event ID 51 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the completion of a cache-only CryptRetrieveObjectByUrl (`Flags` CRYPT_CACHE_ONLY_RETRIEVAL: served from the local URL cache, no network). `URL.Value` is the full URL — in the example an OCSP request to ocsp.digicert.com with the base64 request encoded in the path — `Object.type` the object expected (CONTEXT_OID_OCSP_RESP), and `CacheInfo` when the cached copy was last synced, its thisUpdate/nextUpdate window, expiry and HTTP `maxAge`; `RetrievedObjects` references the cached response blob and `AuxInfo.maxUrlRetrievalByteCount` is the size cap applied to retrieved objects. These URLs are a convenient inventory of the external CRL/OCSP/AIA endpoints each host depends on; pair them with Event ID 52/53 for the fetches that actually went to the network.
Message #
Fields #
| Name | Description |
|---|---|
CryptRetrieveObjectByUrlCache.URL | — |
CryptRetrieveObjectByUrlCache.Object | — |
CryptRetrieveObjectByUrlCache.Flags | — |
CryptRetrieveObjectByUrlCache.AuxInfo | — |
CryptRetrieveObjectByUrlCache.CacheInfo | — |
CryptRetrieveObjectByUrlCache.RetrievedObjects | — |
CryptRetrieveObjectByUrlCache.EventAuxInfo | — |
CryptRetrieveObjectByUrlCache.CorrelationAuxInfo | — |
CryptRetrieveObjectByUrlCache.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 51,
"version": 0,
"level": 4,
"task": 51,
"opcode": 2,
"keywords": 4611686018427387950,
"time_created": "2026-03-13T21:19:03.663904+00:00",
"event_record_id": 218642,
"correlation": {},
"execution": {
"process_id": 8448,
"thread_id": 4164
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"CryptRetrieveObjectByUrlCache": {
"URL": {
"scheme": "http",
"Value": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D"
},
"Object": {
"type": "CONTEXT_OID_OCSP_RESP",
"constant": "6"
},
"Flags": {
"value": "2002",
"CRYPT_CACHE_ONLY_RETRIEVAL": "true",
"CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true"
},
"AuxInfo": {
"maxUrlRetrievalByteCount": "104857600",
"cacheFileNamePrefix": "698460A0B6E60F2F602361424D832905_"
},
"CacheInfo": {
"lastSyncTime": "2026-03-08T23:13:43.967Z",
"URLCachePrefetchInfo": {
"objectType": "CRYPTNET_URL_CACHE_PRE_FETCH_OCSP",
"thisUpdateTime": "2026-03-08T20:34:50Z",
"nextUpdateTime": "2026-03-15T20:34:50Z"
},
"URLCacheFlushInfo": {
"expireTime": "2026-03-15T20:34:50Z"
},
"URLCacheResponseInfo": {
"responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP",
"responseValidated": "true",
"maxAge": "4235"
}
},
"RetrievedObjects": {
"OCSPResponse": {
"fileRef": "DA84BCCE985586609B0DC52E3817E6FAC937D736.bin"
}
},
"EventAuxInfo": {
"ProcessName": "appidcertstorecheck.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{F4EEE8BD-2D02-4D08-A1E6-8C28B86BBBC6}",
"SeqNumber": "4"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Event ID 52 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the start marker of a network (wire) CryptRetrieveObjectByUrl call — the example is lsass.exe on the DC. The URL, timeout, flags and the result of the fetch are in the matching Event ID 53 with the same `TaskId`.
Message #
Fields #
| Name | Description |
|---|---|
CryptRetrieveObjectByUrlWireStart.EventAuxInfo | — |
CryptRetrieveObjectByUrlWireStart.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 52,
"version": 0,
"level": 4,
"task": 53,
"opcode": 1,
"keywords": 4611686018427387958,
"time_created": "2026-03-13T23:21:02.811164+00:00",
"event_record_id": 460529,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 12528
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptRetrieveObjectByUrlWireStart": {
"EventAuxInfo": {
"ProcessName": "lsass.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{8F0E8D7E-9D5A-47E8-B5B4-A696EA3386DA}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 53 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the completion of a network (wire) CryptRetrieveObjectByUrl, with the URL, expected object type, `Timeout` (PT15S), `Flags` (CRYPT_WIRE_ONLY_RETRIEVAL; CRYPT_DONT_CACHE_RESULT means the outcome is not written to the URL cache) and, in `AdditionalInfo`, the network-connectivity state and the WinHTTP step that failed. The example is a level-2 failure: lsass.exe on the DC tried to fetch an OCSP response from http://aia.ludus.domain/… and WinHttpSendRequest returned 0x2EE7 ("The server name or address could not be resolved"), carried in both `AdditionalInfo.Action.Error` and `Result`. Persistent failures of this kind mean revocation checking for that issuer is not actually happening and the client is likely falling back to offline/cached results (compare the `WTPF_OFFLINEOK_*` policy flags in the Event ID 81 example); the same `URL` field is also where to spot a host contacting unexpected revocation or AIA endpoints.
Message #
Fields #
| Name | Description |
|---|---|
CryptRetrieveObjectByUrlWire.URL | — |
CryptRetrieveObjectByUrlWire.Object | — |
CryptRetrieveObjectByUrlWire.Timeout | — |
CryptRetrieveObjectByUrlWire.Flags | — |
CryptRetrieveObjectByUrlWire.AuxInfo | — |
CryptRetrieveObjectByUrlWire.AdditionalInfo | — |
CryptRetrieveObjectByUrlWire.EventAuxInfo | — |
CryptRetrieveObjectByUrlWire.CorrelationAuxInfo | — |
CryptRetrieveObjectByUrlWire.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 53,
"version": 0,
"level": 2,
"task": 53,
"opcode": 2,
"keywords": 4611686018427387958,
"time_created": "2026-03-13T23:21:02.811256+00:00",
"event_record_id": 460530,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 12528
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptRetrieveObjectByUrlWire": {
"URL": {
"scheme": "http",
"Value": "http://aia.ludus.domain/aia/EvtGen-Root-CA.crt/MFQwUjBQME4wTDAJBgUrDgMCGgUABBR5CkEQ6HJKjbgGJDMbu8kNl53AdAQUEP1C85qzyuKWqEZYr0KRnRTFDycCE0oAAAAlDt%2BriiA7UroAAAAAACU%3D"
},
"Object": {
"type": "CONTEXT_OID_OCSP_RESP",
"constant": "6"
},
"Timeout": "PT15S",
"Flags": {
"value": "200C",
"CRYPT_WIRE_ONLY_RETRIEVAL": "true",
"CRYPT_DONT_CACHE_RESULT": "true",
"CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true"
},
"AuxInfo": {
"cacheFileNamePrefix": "58D87B4C947D6EF61B681B320176D308_"
},
"AdditionalInfo": {
"NetworkConnectivityStatus": {
"value": "1",
"_SENSAPI_NETWORK_ALIVE_LAN": "true"
},
"Action": {
"name": "Call_WinHttpSendRequest",
"Error": {
"value": "2EE7",
"Value": "The server name or address could not be resolved"
}
}
},
"EventAuxInfo": {
"ProcessName": "lsass.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{8F0E8D7E-9D5A-47E8-B5B4-A696EA3386DA}",
"SeqNumber": "3"
},
"Result": {
"value": "2EE7"
}
}
},
"message": ""
}
Event ID 60 — For more details for this event, please refer to the "Details" section
Event ID 70 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is CryptAcquireCertificatePrivateKey: a process obtained a handle to the private key of the certificate in `Certificate` (`subjectName` wec02.offsec.lan — the host's own certificate — in the example), with `Flags` describing how (CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG permits an NCrypt/CNG key handle) and `Result` 0 for success. This is the event the Sigma and Splunk rules below key on; the example shows mimikatz.exe running as the built-in Administrator (RID 500) acquiring the key. Caveats: `EventAuxInfo.ProcessName` is an image name with no path or hash and is trivially renamed, so correlate `execution.process_id` with process-creation telemetry; the event also fires for legitimate key use (TLS, S/MIME, code signing), so baseline by process and user rather than alerting on the event alone. This example was exported by a different tool than the others on this page and nests attributes under `#attributes` — queries must account for both shapes.
Message #
Fields #
| Name | Description |
|---|---|
CryptAcquireCertificatePrivateKey.Certificate | fileRef and subjectName of the certificate whose private key was acquired |
CryptAcquireCertificatePrivateKey.Flags | CRYPT_ACQUIRE_* flags passed by the caller (hex value plus named bits) |
CryptAcquireCertificatePrivateKey.EventAuxInfo | ProcessName (image name only) of the caller |
CryptAcquireCertificatePrivateKey.CorrelationAuxInfo | TaskId / SeqNumber for joining related CAPI2 records |
CryptAcquireCertificatePrivateKey.Result | HRESULT; 0 = key handle obtained |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 70,
"version": 0,
"level": 4,
"task": 70,
"opcode": 0,
"keywords": 4611686018427388032,
"time_created": "2020-07-11T13:21:11.693103Z",
"event_record_id": 13969076,
"correlation": {},
"execution": {
"process_id": 5708,
"thread_id": 5712
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "wec02",
"security": {
"user_id": "S-1-5-21-1153173314-1076311963-3278442693-500"
}
},
"user_data": {
"CryptAcquireCertificatePrivateKey": {
"Certificate": {
"#attributes": {
"fileRef": "3CD6B0EFAF68549EFE9ED2316426FCD7FF81A6A8.cer",
"subjectName": "wec02.offsec.lan"
}
},
"Flags": {
"#attributes": {
"value": "10000",
"CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG": "true"
}
},
"EventAuxInfo": {
"#attributes": {
"ProcessName": "mimikatz.exe"
}
},
"CorrelationAuxInfo": {
"#attributes": {
"TaskId": "{973F48B9-7001-410B-A904-B1DD8692B60A}",
"SeqNumber": "2"
}
},
"Result": {
"#attributes": {
"value": "0"
}
}
}
}
}
Detection Rules #
Sigma # view in reference
- Certificate Private Key Acquired source medium: Detects when an application acquires a certificate private key
Splunk # view in reference
- Windows Steal Authentication Certificates CryptoAPI source: The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 71 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is CryptSignCertificate: a certificate-shaped object identified by `Certificate.subjectName` was signed with a private key. The example is certreq.exe, running as a domain account (SID …-1105) on the DC, signing for subject WebServer2 — consistent with a certificate request being generated, though the event does not record which key signed it. The `fileRef` here (530FF030…) is not the issued WebServer2 certificate seen in the Event ID 41 example (F56EABB3…), so do not join the two on `subjectName` alone. On CA hosts, this event from anything other than the expected CA and enrollment processes is worth a look.
Message #
Fields #
| Name | Description |
|---|---|
CryptSignCertificate.Certificate | — |
CryptSignCertificate.EventAuxInfo | — |
CryptSignCertificate.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 71,
"version": 0,
"level": 4,
"task": 71,
"opcode": 0,
"keywords": 4611686018427388032,
"time_created": "2026-03-13T21:05:59.101778+00:00",
"event_record_id": 113698,
"correlation": {},
"execution": {
"process_id": 3132,
"thread_id": 12024
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"CryptSignCertificate": {
"Certificate": {
"fileRef": "530FF03004DB9A2DE6A659CCFA9233C1C808D765.cer",
"subjectName": "WebServer2"
},
"EventAuxInfo": {
"ProcessName": "certreq.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{90B3BCCA-6FA5-4FEF-AAAD-955C9F311974}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 80 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the start marker of a WinVerifyTrust call. The example (MsSense.exe running as SYSTEM) is SeqNumber 1 of TaskId {CF0BD453-…}, followed by the chain-build Events 10 and 11 with SeqNumber 2 and 3; the verification inputs and outcome are in the Event ID 81 with the same `TaskId`.
Message #
Fields #
| Name | Description |
|---|---|
WinVerifyTrustStart.EventAuxInfo | — |
WinVerifyTrustStart.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 80,
"version": 0,
"level": 4,
"task": 80,
"opcode": 1,
"keywords": 4611686018427387968,
"time_created": "2026-03-13T20:00:05.355104+00:00",
"event_record_id": 3574,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"WinVerifyTrustStart": {
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{CF0BD453-CD94-4F51-B22E-F268FB8E1C35}",
"SeqNumber": "1"
}
}
},
"message": ""
}
Event ID 81 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is the completion of a WinVerifyTrust call. `ActionID` is the trust-provider action GUID; `UIChoice`, `RevocationCheck`, `StateAction` and `Flags` are the caller's WINTRUST_DATA inputs (the example uses WTD_UI_NONE, whole-chain revocation checking and WTD_CACHE_ONLY_URL_RETRIEVAL, so no network fetches). `CatalogInfo` shows the file was verified through a security catalog rather than an embedded signature: the SHA-1 `DigestInfo.digest` is the catalog member tag (the same value looked up in the Event ID 82 example), while the signer and RFC 3161 timestamp digests in `SignerInfo`/`TimestampInfo` are SHA-256, with `SignTime` 2022-05-07. `RegPolicySetting` is the machine's software-publishing policy — here WTPF_OFFLINEOK_* (offline revocation results accepted) and WTPF_IGNOREREVOCATIONONTS (revocation ignored on the timestamp chain). `CertificateChain.chainRef`/`TimestampChain.chainRef` join to the Event ID 11/30 records for those chains. `Result.value` is the HRESULT: 0, as here, is a verified signature — the Splunk rule below describes the failure case, so filter on a non-zero `Result`, not on Event ID 81 alone.
Message #
Fields #
| Name | Description |
|---|---|
WinVerifyTrust.ActionID | — |
WinVerifyTrust.UIChoice | — |
WinVerifyTrust.RevocationCheck | — |
WinVerifyTrust.StateAction | — |
WinVerifyTrust.Flags | — |
WinVerifyTrust.CatalogInfo | — |
WinVerifyTrust.DigestInfo | — |
WinVerifyTrust.RegPolicySetting | — |
WinVerifyTrust.SignatureSettingsFlags | — |
WinVerifyTrust.SignerInfo | — |
WinVerifyTrust.CertificateChain | — |
WinVerifyTrust.TimestampInfo | — |
WinVerifyTrust.TimestampChain | — |
WinVerifyTrust.EventAuxInfo | — |
WinVerifyTrust.CorrelationAuxInfo | — |
WinVerifyTrust.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 81,
"version": 0,
"level": 4,
"task": 80,
"opcode": 2,
"keywords": 4611686018427387968,
"time_created": "2026-03-13T20:00:05.310932+00:00",
"event_record_id": 3570,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"WinVerifyTrust": {
"ActionID": "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"UIChoice": {
"value": "2",
"Value": "WTD_UI_NONE"
},
"RevocationCheck": {
"value": "1",
"WTD_REVOKE_WHOLECHAIN": "true"
},
"StateAction": {
"value": "1",
"Value": "WTD_STATEACTION_VERIFY"
},
"Flags": {
"value": "80001440",
"WTD_REVOCATION_CHECK_CHAIN": "true",
"WTD_USE_DEFAULT_OSVER_CHECK": "true",
"WTD_CACHE_ONLY_URL_RETRIEVAL": "true",
"CPD_USE_NT5_CHAIN_FLAG": "true"
},
"CatalogInfo": {
"filePath": "C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\HyperV-UX-UI-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat",
"Member": {
"tag": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
"filePath": "C:\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll",
"hasFileHandle": "true",
"hash": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
"hashFilePath": "\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll"
}
},
"DigestInfo": {
"digestAlgorithm": "SHA1",
"digest": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF"
},
"RegPolicySetting": {
"value": "23C00",
"WTPF_OFFLINEOK_IND": "true",
"WTPF_OFFLINEOK_COM": "true",
"WTPF_OFFLINEOKNBU_IND": "true",
"WTPF_OFFLINEOKNBU_COM": "true",
"WTPF_IGNOREREVOCATIONONTS": "true"
},
"SignatureSettingsFlags": {
"value": "20000000",
"WSS_OUT_FILE_SUPPORTS_SEAL": "true"
},
"SignerInfo": {
"DigestAlgorithm": {
"oid": "2.16.840.1.101.3.4.2.1",
"hashName": "SHA256"
}
},
"CertificateChain": {
"chainRef": "{422C2A8A-2D14-43B7-8F70-6DD1C807BC48}"
},
"TimestampInfo": {
"format": "RFC 3161",
"DigestAlgorithm": {
"oid": "2.16.840.1.101.3.4.2.1",
"hashName": "SHA256"
},
"SignTime": "2022-05-07T04:33:12.256Z"
},
"TimestampChain": {
"chainRef": "{EB187775-EA45-4715-9648-CA7864F79031}"
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{116ED906-7813-42DD-902B-79FD5BF3FB24}",
"SeqNumber": "11"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Detection Rules #
Splunk # view in reference
- Windows SIP WinVerifyTrust Failed Trust Validation source: The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that "The digital signature of the object did not verify." This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.
Event ID 82 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is CryptCATAdminEnumCatalogFromHash: a lookup of a file hash in the catalog database. `CATQueryInfo.hash`/`targetFilePath` identify the file, `AdditionalInfo.Action` the CryptSvc call made and `CryptSvcCatalogs` the catalog(s) returned and whether they were cached; `Result` is the outcome. In the example (level 2, Result 0x490 "Element not found", action Call_CryptSvcCatDBEnumCatalogs_NotFound with `nextEnum` true) the call appears to be the continuation of an enumeration — a request for the next catalog after the one listed — and the same hash (50663E8A…) verified successfully in the Event ID 81 example written two records earlier, so this "not found" reads as the normal end of the enumeration rather than an unsigned file. A reasonable approach is to treat Event ID 82 as a failure only when no Event ID 81 with `Result` 0 exists for the same hash.
Message #
Fields #
| Name | Description |
|---|---|
CryptCATAdminEnumCatalogFromHash.CATQueryInfo | — |
CryptCATAdminEnumCatalogFromHash.AdditionalInfo | — |
CryptCATAdminEnumCatalogFromHash.EventAuxInfo | — |
CryptCATAdminEnumCatalogFromHash.CorrelationAuxInfo | — |
CryptCATAdminEnumCatalogFromHash.Result | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 82,
"version": 0,
"level": 2,
"task": 82,
"opcode": 0,
"keywords": 4611686018427388928,
"time_created": "2026-03-13T20:00:05.312348+00:00",
"event_record_id": 3572,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptCATAdminEnumCatalogFromHash": {
"CATQueryInfo": {
"nextEnum": "true",
"hash": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
"targetFilePath": "\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll"
},
"AdditionalInfo": {
"Action": {
"name": "Call_CryptSvcCatDBEnumCatalogs_NotFound",
"parameter1": "{127D0A1D-4EF2-11D1-8608-00C04FC295EE}"
},
"CryptSvcCatalogs": {
"Catalog": {
"inCache": "true",
"Value": "C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\HyperV-UX-UI-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat"
}
}
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{D7D77015-48B1-487B-BFDE-B417A15BF88E}",
"SeqNumber": "1"
},
"Result": {
"value": "490",
"Value": "Element not found."
}
}
},
"message": ""
}
Event ID 90 — For more details for this event, please refer to the "Details" section
Description
For more details for this event, please refer to the "Details" section.
(That is the event's own message text.) The event is X509Objects: the certificates involved in an operation, dumped in full. Each `Certificate` carries the `fileRef` used by the Event ID 11/30/81 records, subject and issuer DNs, `SerialNumber`, `NotBefore`/`NotAfter`, signature and public-key algorithm and size, `SubjectKeyID` and the issuer's `AuthorityKeyIdentifier`, so chains can be reconstructed from the log alone. The example holds the Microsoft Root Certificate Authority 2010 → Microsoft Windows Production PCA 2011 → Microsoft Windows chain referenced by the Event ID 30 and 81 examples (fileRefs 580A6F4C…, FE51E838…). Two practitioner notes: pin detections on `SubjectKeyID`/`SerialNumber` rather than on `subjectName` strings, which any CA can issue; and PCA 2011's `NotAfter` of 2026-10-19 is a date to keep in mind when triaging CERT_TRUST_IS_NOT_TIME_VALID results on Windows-signed binaries.
Message #
Fields #
| Name | Description |
|---|---|
X509Objects.Certificate | — |
X509Objects.Certificate_1 | — |
X509Objects.Certificate_2 | — |
X509Objects.Certificate_3 | — |
X509Objects.Certificate_4 | — |
X509Objects.EventAuxInfo | — |
X509Objects.CorrelationAuxInfo | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 90,
"version": 0,
"level": 4,
"task": 90,
"opcode": 0,
"keywords": 4611686018427388416,
"time_created": "2026-03-13T20:00:05.310893+00:00",
"event_record_id": 3569,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"X509Objects": {
"Certificate": {
"fileRef": "3B1EFD3A66EA28B16697394703A72CA340A05BD5.cer",
"subjectName": "Microsoft Root Certificate Authority 2010",
"Subject": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"Issuer": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "28CC3A25BFBA44AC449A9B586B4339AA",
"NotBefore": "2010-06-23T21:57:24Z",
"NotAfter": "2035-06-23T22:04:01Z",
"Extensions": {
"KeyUsage": {
"value": "86",
"CERT_DIGITAL_SIGNATURE_KEY_USAGE": "true",
"CERT_KEY_CERT_SIGN_KEY_USAGE": "true",
"CERT_CRL_SIGN_KEY_USAGE": "true"
},
"BasicConstraints": {
"critical": "true",
"cA": "true"
}
},
"Properties": {
"FriendlyName": "Microsoft Root Certificate Authority 2010"
}
},
"Certificate_1": {
"fileRef": "580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D.cer",
"subjectName": "Microsoft Windows Production PCA 2011",
"Subject": {
"CN": "Microsoft Windows Production PCA 2011",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "A92902398E16C49778CD90F99E4F9AE17C55AF53"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "2048"
},
"Issuer": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "61077656000000000008",
"NotBefore": "2011-10-19T18:41:42Z",
"NotAfter": "2026-10-19T18:51:42Z",
"Extensions": {
"KeyUsage": {
"value": "86",
"CERT_DIGITAL_SIGNATURE_KEY_USAGE": "true",
"CERT_KEY_CERT_SIGN_KEY_USAGE": "true",
"CERT_CRL_SIGN_KEY_USAGE": "true"
},
"BasicConstraints": {
"critical": "true",
"cA": "true"
},
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4"
}
}
}
},
"Certificate_2": {
"fileRef": "FE51E838A087BB561BBB2DD9BA20143384A03B3F.cer",
"subjectName": "Microsoft Windows",
"Subject": {
"CN": "Microsoft Windows",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "48853A4312E340D4AB798F78D2D289F81D327938"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "2048"
},
"Issuer": {
"CN": "Microsoft Windows Production PCA 2011",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "330000033C89C66A7B45BB1FBD00000000033C",
"NotBefore": "2021-09-02T18:23:41Z",
"NotAfter": "2022-09-01T18:23:41Z",
"Extensions": {
"ExtendedKeyUsage": {
"Usage": {
"oid": "1.3.6.1.4.1.311.10.3.6",
"name": "Windows System Component Verification"
},
"Usage_1": {
"oid": "1.3.6.1.5.5.7.3.3",
"name": "Code Signing"
}
},
"SubjectAltName": {
"DirectoryName": {
"SERIALNUMBER": "229879+467580",
"OU": "Microsoft Ireland Operations Limited"
}
},
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "A92902398E16C49778CD90F99E4F9AE17C55AF53"
}
},
"BasicConstraints": {
"critical": "true",
"cA": "false"
}
}
},
"Certificate_3": {
"fileRef": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6.cer",
"subjectName": "Microsoft Time-Stamp PCA 2010",
"Subject": {
"CN": "Microsoft Time-Stamp PCA 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "9FA7155D005E625D83F4E5D265A71B533519E972"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"Issuer": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "3300000015C5E76B9E029B4999000000000015",
"NotBefore": "2021-09-30T18:22:25Z",
"NotAfter": "2030-09-30T18:32:25Z",
"Extensions": {
"CertificatePolicies": {
"Policy": {
"oid": "1.3.6.1.4.1.311.76.509.1.1"
}
},
"ExtendedKeyUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
},
"KeyUsage": {
"value": "86",
"CERT_DIGITAL_SIGNATURE_KEY_USAGE": "true",
"CERT_KEY_CERT_SIGN_KEY_USAGE": "true",
"CERT_CRL_SIGN_KEY_USAGE": "true"
},
"BasicConstraints": {
"critical": "true",
"cA": "true"
},
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4"
}
}
}
},
"Certificate_4": {
"fileRef": "1306B88D68DA71B39853EFBDE72749EE14828B98.cer",
"subjectName": "Microsoft Time-Stamp Service",
"Subject": {
"CN": "Microsoft Time-Stamp Service",
"OU": "Thales TSS ESN:3E7A-E359-A25D",
"OU_1": "Microsoft America Operations",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "72B92E50D8294E91B8916C142F44CF0B618CD0E8"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"Issuer": {
"CN": "Microsoft Time-Stamp PCA 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "33000001A0E9BB8CBB0EA2D17A0001000001A0",
"NotBefore": "2021-12-02T19:05:23Z",
"NotAfter": "2023-02-28T19:05:23Z",
"Extensions": {
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "9FA7155D005E625D83F4E5D265A71B533519E972"
}
},
"BasicConstraints": {
"critical": "true",
"cA": "false"
},
"ExtendedKeyUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
}
}
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{116ED906-7813-42DD-902B-79FD5BF3FB24}",
"SeqNumber": "10"
}
}
},
"message": ""
}
Event ID 256 — The Cryptographic Services service failed to initialize the Catalog Database.
Event ID 257 — The Cryptographic Services service failed to initialize the Catalog Database.
Event ID 512 — The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
Event ID 513 — Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Event ID 4097 — Successful auto update of third-party root certificate:: Subject: <OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.
Description
Successful auto update of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.
Message #
Fields #
| Name | Description |
|---|---|
Data | Two-element array: the subject distinguished name of the added root certificate, followed by its SHA1 thumbprint (see the example event). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4097,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2023-11-05T23:13:48.717808+00:00",
"event_record_id": 1679,
"correlation": {},
"execution": {
"process_id": 1140,
"thread_id": 1340
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"OU=Go Daddy Class 2 Certification Authority, O=\"The Go Daddy Group, Inc.\", C=US",
"2796BAE63F1801E277261BA0D77770028F20EEE4"
]
},
"message": "Successful auto update of third-party root certificate:: Subject: <OU=Go Daddy Class 2 Certification Authority, O=\"The Go Daddy Group, Inc.\", C=US> Sha1 thumbprint: <2796BAE63F1801E277261BA0D77770028F20EEE4>."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4098 — Successful auto update retrieval of third-party root list cab from: <1>.
Event ID 4099 — Failed auto update retrieval of third-party root list cab from: <1> with error: 2.
Event ID 4100 — Successful auto update retrieval of third-party root certificate from: <URL>.
Description
Successful auto update retrieval of third-party root certificate from: <URL>.
Message #
Fields #
| Name | Description |
|---|---|
URL UnicodeString | — Source URL the root certificate was retrieved from (not populated in the example event's event_data). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4100,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2016-08-24T21:26:02.343750Z",
"event_record_id": 1650,
"correlation": {},
"execution": {
"process_id": 1124,
"thread_id": 1712
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4101 — Failed auto update retrieval of third-party root certificate from: <1> with error: 2.
Event ID 4102 — Reached crypt32 threshold of 1 events and will suspend logging for 2 minutes.
Event ID 4103 — Successful auto update retrieval of third-party root list sequence number from: <1>.
Event ID 4104 — Failed auto update retrieval of third-party root list sequence number from: <1> with error: 2.
Event ID 4105 — Untrusted root certificate:: Subject: <1> Sha1 thumbprint: <2>.
Event ID 4106 — Partial Chain:: Issuer: <1> Subject Sha1 thumbprint: <2>.
Event ID 4107 — Failed extract of third-party root list from auto update cab at: <1> with error: 2.
Event ID 4108 — Successful auto delete of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.
Description
Successful auto delete of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.
Message #
Fields #
| Name | Description |
|---|---|
Data | Two-element array: the subject distinguished name of the deleted root certificate, followed by its SHA1 thumbprint (see the example event). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4108,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T17:04:18.250448+00:00",
"event_record_id": 217,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 2344
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US",
"4F65566336DB6598581D584A596C87934D5F2AB4"
]
},
"message": "Successful auto delete of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US> Sha1 thumbprint: <4F65566336DB6598581D584A596C87934D5F2AB4>."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4109 — Successful auto property update of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.
Description
Successful auto property update of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.
Message #
Fields #
| Name | Description |
|---|---|
Data | Two-element array: the subject distinguished name of the updated root certificate, followed by its SHA1 thumbprint (see the example event). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4109,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T17:04:18.250448+00:00",
"event_record_id": 216,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 2344
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US",
"742C3192E607E424EB4549542BE1BBC53E6174E2"
]
},
"message": "Successful auto property update of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US> Sha1 thumbprint: <742C3192E607E424EB4549542BE1BBC53E6174E2>."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4110 — Failed to add certificate to Third-Party Root Certification Authorities store with error: 2.
Event ID 4111 — Successful auto update of third-party root list with effective date: Tuesday, February 22, 2022 11:44:40 AM.
Description
Successful auto update of third-party root list with effective date: .
Message #
Fields #
| Name | Description |
|---|---|
Data | Successful auto update of third-party root list with effective date. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4111,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T17:04:18.250448+00:00",
"event_record_id": 218,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 2344
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"Tuesday, February 22, 2022 11:44:40 AM"
]
},
"message": "Successful auto update of third-party root list with effective date: Tuesday, February 22, 2022 11:44:40 AM."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4112 — Successful auto update of disallowed certificate list with effective date: Tuesday, March 16, 2021 12:29:24 AM.
Description
Successful auto update of disallowed certificate list with effective date: .
Message #
Fields #
| Name | Description |
|---|---|
Data | Successful auto update of disallowed certificate list with effective date. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4112,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:11:02.801955+00:00",
"event_record_id": 49,
"correlation": {},
"execution": {
"process_id": 2436,
"thread_id": 4712
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"Tuesday, March 16, 2021 12:29:24 AM"
]
},
"message": "Successful auto update of disallowed certificate list with effective date: Tuesday, March 16, 2021 12:29:24 AM."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4113 — Successful auto update of pin rules with effective date: Wednesday, May 31, 2017 4:28:59 PM.
Description
Successful auto update of pin rules with effective date: .
Message #
Fields #
| Name | Description |
|---|---|
Data | Successful auto update of pin rules with effective date. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4113,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-07T08:12:04.333773+00:00",
"event_record_id": 82,
"correlation": {},
"execution": {
"process_id": 2436,
"thread_id": 5476
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"Wednesday, May 31, 2017 4:28:59 PM"
]
},
"message": "Successful auto update of pin rules with effective date: Wednesday, May 31, 2017 4:28:59 PM."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4114 — Server: Server has unexpected certificates under trusted authority: <2> with thumbprint: 3.
Event ID 4115 — Added public key pinning rule for domain: 1 with header thumbprint: 2.
Event ID 4116 — Server: Server has unexpected certificates under trusted authority: <2> with thumbprint: 3.
Event ID 4117 — Server: Server has unexpected certificates under trusted authority: <2> with thumbprint: 3.
Event ID 4128 — Successful pre-fetch of certificate revocation list from: <1>.
Event ID 4129 — Failed pre-fetch of certificate revocation list from: <1> with error: 2.
Event ID 4130 — Certificate signature verify failed.
Event ID 4131 — LDAP CryptRetrieveObjectByUrlW failed.
Event ID 4176 — PFX operation failed as AuthSafes count doesn't lie in expected range.
Event ID 4177 — PFX operation failed as Iteration count doesn't lie in expected range.
Event ID 4178 — PFX operation failed as SafeBags count doesn't lie in expected range.
Event ID 8192 — The catalog file FileName is being added to subsystem Subsystem.
Event ID 8193 — Addition of the catalog file completed.
Description
Addition of the catalog file completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 8194 — The catalog file FileName is being removed from the subsystem Subsystem.
Event ID 8195 — Removal of the catalog file completed.
Description
Removal of the catalog file completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 8196 — The catalog file FileName is being synced to the subsystem Subsystem.
Event ID 8197 — Sync of the catalog file completed.
Description
Sync of the catalog file completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 8198 — The Catalog Database is being rebuilt for subsystem Subsystem.
Event ID 8199 — Rebuild of the Catalog Database for the chosen subsystem has completed.
Description
Rebuild of the Catalog Database for the chosen subsystem has completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 8200 — A hash of type Algorithm, length Length and value Value is being searched for in subsystem Subsystem.
Description
A hash of type Algorithm, length Length and value Value is being searched for in subsystem Subsystem.
Message #
Fields #
| Name | Description |
|---|---|
Subsystem UnicodeString | — |
Algorithm UnicodeString | — |
Length UInt16 | — Length of the hash in bytes (32 for the SHA256 hash in the example event). |
Value Binary | — The hash value being looked up, rendered as a 0x-prefixed hex string in the example event. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": "8200",
"version": "0",
"level": "4",
"task": "504",
"opcode": "1",
"keywords": 2305843009213694976,
"time_created": "2026-03-15T04:33:35.927555800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{41e24003-66ef-4c4c-bc94-d04eacefbd05}"
},
"execution": {
"process_id": "3884",
"thread_id": "11064"
},
"channel": "Microsoft-Windows-CAPI2/Catalog Database Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Subsystem": "{127D0A1D-4EF2-11D1-8608-00C04FC295EE}",
"Algorithm": "SHA256",
"Length": "32",
"Value": "0xCDFFB01C853487D9DE0CC720C74021BDE443DD9CC0C399017C194290332B43C1"
},
"message": ""
}
Event ID 8201 — The hash search completed and was found in Count catalogs.
Description
The hash search completed and was found in Count catalogs. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Count UInt32 | — Number of catalogs in which the searched hash was found (0 in the example event). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": "8201",
"version": "0",
"level": "4",
"task": "504",
"opcode": "2",
"keywords": 2305843009213694976,
"time_created": "2026-03-15T04:33:35.927601800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{41e24003-66ef-4c4c-bc94-d04eacefbd05}"
},
"execution": {
"process_id": "3884",
"thread_id": "11064"
},
"channel": "Microsoft-Windows-CAPI2/Catalog Database Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": "0x0",
"Count": " 0"
},
"message": ""
}
Event ID 8202 — Sync of subsystem Subsystem has started.
Event ID 8203 — Sync of the subsystem completed.
Description
Sync of the subsystem completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |