Microsoft-Windows-Crypto-DPAPI
28 events across 3 channels
Event ID 1 — DPAPI created Master key.
Message
Fields
| Name | Description |
|---|---|
| MasterKeyGUID | GUID. |
| UserStorage | User Storage Area. |
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 2
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2023-11-06T06:23:22.512371+00:00'
  event_record_id: 51
  correlation:
    ActivityID: 626F7C94-1079-0002-5F7D-6F627910DA01
  execution:
    process_id: 848
    thread_id: 932
  channel: Microsoft-Windows-Crypto-DPAPI/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  MasterKeyGUID: 8E755BE6-88EB-4BF9-8FCE-4B1358A2DEAC
  UserStorage: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2 — DPAPI deleted Master key.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| User_Storage_Area | — |
| MasterKeyGUID | — |
| UserStorage | — |
Event ID 3 — Master key access failed.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| Success | — |
| Last_error | — |
| MasterKeyGUID | — |
| LastError | — |
| MasterKeyDisposition | — |
Event ID 4 — Password Change triggered.
Message
Fields
| Name | Description |
|---|---|
| Status | — |
Event ID 5 — Synchronization of Master keys triggered.
Message
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 5
  version: 0
  level: 4
  task: 2
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2022-04-07T16:57:17.536444+00:00'
  event_record_id: 46
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-71B9-AAE09F4AD801
  execution:
    process_id: 664
    thread_id: 824
  channel: Microsoft-Windows-Crypto-DPAPI/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4097 — DPAPI BackUp service started
Message
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 4097
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 4611686018427387905
  time_created: '2022-04-07T16:53:02.786035+00:00'
  event_record_id: 3
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-71B9-AAE09F4AD801
  execution:
    process_id: 664
    thread_id: 668
  channel: Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data: {}
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4098 — DPAPI BackUp service stopped
Message
Event ID 4099 — DPAPI BackUp service setup of preferred backup keys failed.
Message
Fields
| Name | Description |
|---|---|
| FailureReason | — |
| Status | Error code. |
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 4099
  version: 0
  level: 2
  task: 1
  opcode: 0
  keywords: 4611686018427387905
  time_created: '2022-04-07T17:32:00.129643+00:00'
  event_record_id: 5
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-71B9-AAE09F4AD801
  execution:
    process_id: 664
    thread_id: 4812
  channel: Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  FailureReason: Getting preferred backup key GUID failed.
  Status: '0xc0000034'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8193 — System credentials creation in LSASS failed.
Message
Fields
| Name | Description |
|---|---|
| Status | — |
Event ID 8194 — DPAPI Master key file open failed.
Message
Fields
| Name | Description |
|---|---|
| FileName | — |
| Access | — |
Event ID 8195 — Master key encryption in memory failed
Message
Event ID 8196 — Master key decryption in memory failed
Message
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 8196
  version: 0
  level: 2
  task: 2
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2022-04-07T08:18:33.398223+00:00'
  event_record_id: 25
  correlation:
    ActivityID: 7AAB4249-4A57-0000-F449-AB7A574AD801
  execution:
    process_id: 648
    thread_id: 4060
  channel: Microsoft-Windows-Crypto-DPAPI/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data: {}
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8197 — DPAPI Protect failed.
Message
Fields
| Name | Description |
|---|---|
| Status | — |
| ReasonForFailure | — |
Event ID 8198 — DPAPI Unprotect failed.
Message
Fields
| Name | Description |
|---|---|
| Status | — |
| ReasonForFailure | — |
Event ID 8199 — Synchronization of Master keys failed.
Message
Fields
| Name | Description |
|---|---|
| Credential_Key_Identifier | — |
| User_Name | — |
| User_Sid | — |
| CredKeyIdentifier | — |
| UserName | — |
| UserSid | — |
Event ID 8200 — Master key's record successfully logged to Diagnostic file.
Message
Fields
| Name | Description |
|---|---|
| MasterKeyGUID | GUID. |
| EncryptCredID | — |
| EncryptCredKey | — |
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 8200
  version: 0
  level: 4
  task: 32
  opcode: 0
  keywords: 9223372036854775840
  time_created: '2023-11-06T06:23:22.525334+00:00'
  event_record_id: 52
  correlation:
    ActivityID: 626F7C94-1079-0002-5F7D-6F627910DA01
  execution:
    process_id: 848
    thread_id: 888
  channel: Microsoft-Windows-Crypto-DPAPI/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  MasterKeyGUID: 8E755BE6-88EB-4BF9-8FCE-4B1358A2DEAC
  EncryptCredID: 00000000-0000-0000-0000-000000000000
  EncryptCredKey: 0163A518CE6A252FD79B229C27BC6BEB9D05710A
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8201 — Master key's record failed to log to Diagnostic file.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| MasterKeyGUID | — |
Event ID 8202 — Master Key decryption failed but a record of this key can be found in the Diagnostic file.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| MasterKeyGUID | — |
Event ID 8203 — Master Key decryption failed because no record of this key can be found in the Diagnostic file.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| MasterKeyGUID | — |
Event ID 8204 — Master Key decryption failed because the encryption cred mismatches the decryption cred.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| EncryptCredID | — |
| EncryptCredKey | — |
| DecryptCredID | — |
| DecryptCredKey | — |
| MasterKeyGUID | — |
Event ID 8205 — Master Key decryption failed but the encryption cred matches the decryption cred.
Message
Fields
| Name | Description |
|---|---|
| GUID | — |
| EncryptCredID | — |
| EncryptCredKey | — |
| DecryptCredID | — |
| DecryptCredKey | — |
| MasterKeyGUID | — |
Event ID 8206 — CredHist file decryption failed
Message
Event ID 8207 — Diagnostic File operation received a NULL credential key.
Message
Event ID 12289 — DPAPI found credential key.
Message
Fields
| Name | Description |
|---|---|
| CredKeyIdentifier | Credential Key Identifier. |
| UserName | — |
| UserSid | — |
Example Event

```yaml
system:
  provider: Microsoft-Windows-Crypto-DPAPI
  guid: 89FE8F40-CDCE-464E-8217-15EF97D4C7C3
  event_source_name: ''
  event_id: 12289
  version: 0
  level: 4
  task: 8
  opcode: 0
  keywords: 9223372036854775816
  time_created: '2023-11-05T22:32:20.183219+00:00'
  event_record_id: 60
  correlation:
    ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
  execution:
    process_id: 808
    thread_id: 844
  channel: Microsoft-Windows-Crypto-DPAPI/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  CredKeyIdentifier: 1252116F853845A8FF2D58933C34AA9AF5F449F00879735FEE2F257A4036020E
  UserName: User
  UserSid: S-1-5-21-1992711665-1655669231-58201500-1000
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 12290 — Credential key does not exist.
Message
Event ID 16385 — DPAPIDefInformationEvent
Message
Fields
| Name | Description |
|---|---|
| OperationType | — |
| DataDescription | — |
| MasterKeyGUID | — |
| Flags | — |
| ProtectionFlags | — |
| ReturnValue | — |
| CallerProcessStartKey | — |
| CallerProcessID | — |
| CallerProcessCreationTime | — |
| PlainTextDataSize | — |
Community Notes
Exposes the DPAPI operations (protect/unprotect) and the calling process. Disabled by default. See this Google Security blog post: Detecting browser data theft using Windows Event Logs.
Event ID 16386 — DPAPI tried to backup its master key.
Message
Fields
| Name | Description |
|---|---|
| fLegacy | — |
| fWeakCrypt | — |
| dwFallbackLastError | — |
| dwEncryptLastError | — |
| dwRestoreLastError | — |
Event ID 16387 — DPAPI tried to backup its master key.
Message
Fields
| Name | Description |
|---|---|
| fLegacy | — |
| fWeakCrypt | — |
| dwLastError | — |