Microsoft-Windows-Crypto-DPAPI

28 events across 3 channels

Event ID	Title	Channel
1	DPAPI created Master key.	Operational
2	DPAPI deleted Master key.	Operational
3	Master key access failed.	Operational
4	Password Change triggered.	Operational
5	Synchronization of Master keys triggered.	Operational
4097	DPAPI BackUp service started	BackUpKeySvc
4098	DPAPI BackUp service stopped	BackUpKeySvc
4099	DPAPI BackUp service setup of preferred backup keys failed.	BackUpKeySvc
8193	System credentials creation in LSASS failed.	Debug
8194	DPAPI Master key file open failed.	Debug
8195	Master key encryption in memory failed	Debug
8196	Master key decryption in memory failed	Operational
8197	DPAPI Protect failed.	Debug
8198	DPAPI Unprotect failed.	Operational
8199	Synchronization of Master keys failed.	Operational
8200	Master key's record successfully logged to Diagnostic file.	Operational
8201	Master key's record failed to log to Diagnostic file.	Operational
8202	Master Key decryption failed but a record of this key can be found in the …	Operational
8203	Master Key decryption failed because no record of this key can be found in the …	Operational
8204	Master Key decryption failed because the encryption cred mismatches the …	Operational
8205	Master Key decryption failed but the encryption cred matches the decryption …	Operational
8206	CredHist file decryption failed	Operational
8207	Diagnostic File operation received a NULL credential key.	Operational
12289	DPAPI found credential key.	Operational
12290	Credential key does not exist.	Operational
16385	DPAPIDefInformationEvent	Debug
16386	DPAPI tried to backup its master key.	Operational
16387	DPAPI tried to backup its master key.	Operational

Event ID 1 — DPAPI created Master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: MasterKeyOperation

Description

DPAPI created Master key.

Message #

DPAPI created Master key.

 	GUID: %1
 	User Storage Area: %2

Fields #

Name	Description
`MasterKeyGUID` GUID	GUID.
`UserStorage` UnicodeString	User Storage Area.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775810,
    "time_created": "2023-11-06T06:23:22.512371+00:00",
    "event_record_id": 51,
    "correlation": {
      "ActivityID": "626F7C94-1079-0002-5F7D-6F627910DA01"
    },
    "execution": {
      "process_id": 848,
      "thread_id": 932
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MasterKeyGUID": "8E755BE6-88EB-4BF9-8FCE-4B1358A2DEAC",
    "UserStorage": "C:\\Windows\\system32\\Microsoft\\Protect\\S-1-5-18\\User\\"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — DPAPI deleted Master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

DPAPI deleted Master key.

Message #

DPAPI deleted Master key.

 	GUID: %1
 	User Storage Area: %2

Fields #

Name	Description
`GUID` UnicodeString	—
`User_Storage_Area` UnicodeString	—
`MasterKeyGUID` UnicodeString	—
`UserStorage` UnicodeString	—

Event ID 3 — Master key access failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

Master key access failed.

Message #

Master key access failed.

 	GUID: %1
 	Success: %2
 	Last error: %3
 	Master key disposition: %3

Fields #

Name	Description
`GUID`	—
`Success` Boolean	—
`Last_error`	—
`MasterKeyGUID` GUID	—
`LastError` HexInt32	—
`MasterKeyDisposition` HexInt32	—

Event ID 4 — Password Change triggered.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

Password Change triggered.

Message #

Password Change triggered.

 	Status: %1

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference

Event ID 5 — Synchronization of Master keys triggered.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: MasterKeyOperation

Description

Synchronization of Master keys triggered.

Message #

Synchronization of Master keys triggered.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775810,
    "time_created": "2022-04-07T16:57:17.536444+00:00",
    "event_record_id": 46,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
    },
    "execution": {
      "process_id": 664,
      "thread_id": 824
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4097 — DPAPI BackUp service started

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: BackUpKeySvc
Level: Informational
Task: BackUpServiceOperation

Description

DPAPI BackUp service started.

Message #

DPAPI BackUp service started

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 4097,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2022-04-07T16:53:02.786035+00:00",
    "event_record_id": 3,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
    },
    "execution": {
      "process_id": 664,
      "thread_id": 668
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4098 — DPAPI BackUp service stopped

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: BackUpKeySvc
Task: BackUpServiceOperation

Description

DPAPI BackUp service stopped.

Message #

DPAPI BackUp service stopped

Event ID 4099 — DPAPI BackUp service setup of preferred backup keys failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: BackUpKeySvc
Level: Error
Task: BackUpServiceOperation

Description

DPAPI BackUp service setup of preferred backup keys failed.

Message #

DPAPI BackUp service setup of preferred backup keys failed.
 	%1
 	Error code: %2

Fields #

Name Description

Name	Description
`FailureReason` UnicodeString	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` HexInt32	Error code. NTSTATUS reference

FailureReason UnicodeString

—

Known values

%%2304: An Error occured during Logon.
%%2305: The specified user account has expired.
%%2306: The NetLogon component is not active.
%%2307: Account locked out.
%%2308: The user has not been granted the requested logon type at this machine.
%%2309: The specified account's password has expired.
%%2310: Account currently disabled.
%%2311: Account logon time restriction violation.
%%2312: User not allowed to logon at this computer.
%%2313: Unknown user name or bad password.
%%2314: Domain sid inconsistent.
%%2315: Smartcard logon is required and was not used.

Status HexInt32 Error code. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 4099,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2022-04-07T17:32:00.129643+00:00",
    "event_record_id": 5,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
    },
    "execution": {
      "process_id": 664,
      "thread_id": 4812
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FailureReason": "Getting preferred backup key GUID failed.",
    "Status": "0xc0000034"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8193 — System credentials creation in LSASS failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Task: MasterKeyOperation

Description

System credentials creation in LSASS failed.

Message #

System credentials creation in LSASS failed. 

 	Status: %1

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference

Event ID 8194 — DPAPI Master key file open failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Level: Error
Task: MasterKeyOperation

Description

DPAPI Master key file open failed.

Message #

DPAPI Master key file open failed.

 	FileName: %1
 	Access: %2

Fields #

Name	Description
`FileName` UnicodeString	—
`Access` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8194,
    "version": 0,
    "level": 2,
    "task": 2,
    "opcode": 0,
    "keywords": 2305843009213693954,
    "time_created": "2026-03-13T22:00:14.597294+00:00",
    "event_record_id": 302,
    "correlation": {
      "ActivityID": "FEA40379-5168-4493-AA3C-6999C3C385A3"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 4348
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileName": "SYNCHIST",
    "Access": "0x80000000"
  },
  "message": ""
}

Event ID 8195 — Master key encryption in memory failed

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Task: MasterKeyOperation

Description

Master key encryption in memory failed.

Message #

Master key encryption in memory failed

Event ID 8196 — Master key decryption in memory failed

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Error
Task: MasterKeyOperation

Description

Master key decryption in memory failed.

Message #

Master key decryption in memory failed

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8196,
    "version": 0,
    "level": 2,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775810,
    "time_created": "2022-04-07T08:18:33.398223+00:00",
    "event_record_id": 25,
    "correlation": {
      "ActivityID": "7AAB4249-4A57-0000-F449-AB7A574AD801"
    },
    "execution": {
      "process_id": 648,
      "thread_id": 4060
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8197 — DPAPI Protect failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Level: Error
Task: DataProtectionOperation

Description

DPAPI Protect failed .

Message #

DPAPI Protect failed .

 	Status: %1
 	ReasonForFailure: %2

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference
`ReasonForFailure` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8197,
    "version": 0,
    "level": 2,
    "task": 4,
    "opcode": 0,
    "keywords": 2305843009213693956,
    "time_created": "2026-03-13T20:16:23.515882+00:00",
    "event_record_id": 38,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 8876
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0x2",
    "ReasonForFailure": 6
  },
  "message": ""
}

Event ID 8198 — DPAPI Unprotect failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Error
Task: DataProtectionOperation

Description

DPAPI Unprotect failed .

Message #

DPAPI Unprotect failed .

 	Status: %1
 	ReasonForFailure: %2

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference
`ReasonForFailure` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8198,
    "version": 0,
    "level": 2,
    "task": 4,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-13T20:16:26.151897+00:00",
    "event_record_id": 178,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 7192
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0x91012",
    "ReasonForFailure": 0
  },
  "message": ""
}

Event ID 8199 — Synchronization of Master keys failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

Synchronization of Master keys failed.

Message #

Synchronization of Master keys failed. 

 	Credential Key Identifier: %1
 	User Name: %2
 	User Sid: %3

Fields #

Name	Description
`Credential_Key_Identifier` Binary	—
`User_Name` UnicodeString	—
`User_Sid` SID	—
`CredKeyIdentifier` Binary	—
`UserName` UnicodeString	—
`UserSid` SID	—

Event ID 8200 — Master key's record successfully logged to Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: DiagnosticFileCheck

Description

Master key's record successfully logged to Diagnostic file.

Message #

Master key's record successfully logged to Diagnostic file.

 	GUID: %1
 	EncryptCredID: %2
 	EncryptCredKey: %3

Fields #

Name	Description
`MasterKeyGUID` GUID	GUID.
`EncryptCredID` GUID	—
`EncryptCredKey` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8200,
    "version": 0,
    "level": 4,
    "task": 32,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-11-06T06:23:22.525334+00:00",
    "event_record_id": 52,
    "correlation": {
      "ActivityID": "626F7C94-1079-0002-5F7D-6F627910DA01"
    },
    "execution": {
      "process_id": 848,
      "thread_id": 888
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MasterKeyGUID": "8E755BE6-88EB-4BF9-8FCE-4B1358A2DEAC",
    "EncryptCredID": "00000000-0000-0000-0000-000000000000",
    "EncryptCredKey": "0163A518CE6A252FD79B229C27BC6BEB9D05710A"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8201 — Master key's record failed to log to Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master key's record failed to log to Diagnostic file.

Message #

Master key's record failed to log to Diagnostic file.

 	GUID: %1

Fields #

Name	Description
`GUID` GUID	—
`MasterKeyGUID` GUID	—

Event ID 8202 — Master Key decryption failed but a record of this key can be found in the Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed but a record of this key can be found in the Diagnostic file.

Message #

Master Key decryption failed but a record of this key can be found in the Diagnostic file.

 	GUID: %1

Fields #

Name	Description
`GUID` GUID	—
`MasterKeyGUID` GUID	—

Event ID 8203 — Master Key decryption failed because no record of this key can be found in the Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed because no record of this key can be found in the Diagnostic file.

Message #

Master Key decryption failed because no record of this key can be found in the Diagnostic file.

 	GUID: %1

Fields #

Name	Description
`GUID` GUID	—
`MasterKeyGUID` GUID	—

Event ID 8204 — Master Key decryption failed because the encryption cred mismatches the decryption cred.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed because the encryption cred mismatches the decryption cred.

Message #

Master Key decryption failed because the encryption cred mismatches the decryption cred.

 	GUID: %1
 	EncryptCredID: %2
 	EncryptCredKey: %3
 	DecryptCredID: %4
 	DecryptCredKey: %5

Fields #

Name	Description
`GUID` GUID	—
`EncryptCredID` GUID	—
`EncryptCredKey` Binary	—
`DecryptCredID` GUID	—
`DecryptCredKey` Binary	—
`MasterKeyGUID` GUID	—

Event ID 8205 — Master Key decryption failed but the encryption cred matches the decryption cred.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed but the encryption cred matches the decryption cred.

Message #

Master Key decryption failed but the encryption cred matches the decryption cred.

 	GUID: %1
 	EncryptCredID: %2
 	EncryptCredKey: %3
 	DecryptCredID: %4
 	DecryptCredKey: %5

Fields #

Name	Description
`GUID` GUID	—
`EncryptCredID` GUID	—
`EncryptCredKey` Binary	—
`DecryptCredID` GUID	—
`DecryptCredKey` Binary	—
`MasterKeyGUID` GUID	—

Event ID 8206 — CredHist file decryption failed

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: CredentialHistoryFileOperation

Description

CredHist file decryption failed.

Message #

CredHist file decryption failed

Event ID 8207 — Diagnostic File operation received a NULL credential key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Diagnostic File operation received a NULL credential key.

Message #

Diagnostic File operation received a NULL credential key.

Event ID 12289 — DPAPI found credential key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: CredentialKeyOperation

Description

DPAPI found credential key.

Message #

DPAPI found credential key.

 	Credential Key Identifier: %1
 	User Name: %2
 	User Sid: %3

Fields #

Name	Description
`CredKeyIdentifier` Binary	Credential Key Identifier.
`UserName` UnicodeString	—
`UserSid` SID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 12289,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": 9223372036854775816,
    "time_created": "2023-11-05T22:32:20.183219+00:00",
    "event_record_id": 60,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 844
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CredKeyIdentifier": "1252116F853845A8FF2D58933C34AA9AF5F449F00879735FEE2F257A4036020E",
    "UserName": "User",
    "UserSid": "S-1-5-21-1992711665-1655669231-58201500-1000"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 12290 — Credential key does not exist.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: CredentialKeyOperation

Description

Credential key does not exist.

Message #

Credential key does not exist.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 12290,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": 9223372036854775816,
    "time_created": "2026-02-10T04:20:55.655423+00:00",
    "event_record_id": 47,
    "correlation": {
      "ActivityID": "43A6D212-9A2A-0001-97D2-A6432A9ADC01"
    },
    "execution": {
      "process_id": 240,
      "thread_id": 880
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 16385 — DPAPIDefInformationEvent

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Level: Informational
Task: DPAPIDefInformationTaskMessage

Description

DPAPIDefInformationEvent.

Message #

DPAPIDefInformationEvent

Fields #

Name	Description
`OperationType` UnicodeString	— Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`DataDescription` UnicodeString	—
`MasterKeyGUID` GUID	—
`Flags` UInt32	—
`ProtectionFlags` UInt32	—
`ReturnValue` UInt32	—
`CallerProcessStartKey` UInt64	—
`CallerProcessID` UInt32	—
`CallerProcessCreationTime` UInt64	—
`PlainTextDataSize` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 16385,
    "version": 0,
    "level": 4,
    "task": 64,
    "opcode": 0,
    "keywords": 2305843009213694016,
    "time_created": "2026-03-13T20:00:14.091877+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 2796
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "OperationType": "SPCryptProtect",
    "DataDescription": "CryptoAPI Private Key",
    "MasterKeyGUID": "136A714A-6B76-4E4F-A4DB-98C60F841100",
    "Flags": 4,
    "ProtectionFlags": 4,
    "ReturnValue": 0,
    "CallerProcessStartKey": 3377699720528945,
    "CallerProcessID": 9080,
    "CallerProcessCreationTime": 134179056135234796,
    "PlainTextDataSize": 388
  },
  "message": ""
}

Community Notes #

Exposes the DPAPI operations (protect/unprotect) and the calling process. Disabled by default. See this Google Security blog post: Detecting browser data theft using Windows Event Logs.

Event ID 16386 — DPAPI tried to backup its master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DPAPIMasterKeyBackup

Description

DPAPI tried to backup its master key.

Message #

DPAPI tried to backup its master key.
Fallback backup is enabled.

Fields #

Name	Description
`fLegacy` Boolean	—
`fWeakCrypt` Boolean	—
`dwFallbackLastError` UInt32	—
`dwEncryptLastError` UInt32	—
`dwRestoreLastError` UInt32	—

Event ID 16387 — DPAPI tried to backup its master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DPAPIMasterKeyBackup_256

Description

DPAPI tried to backup its master key.

Message #

DPAPI tried to backup its master key.
Fallback backup is disabled.

Fields #

Name	Description
`fLegacy` Boolean	—
`fWeakCrypt` Boolean	—
`dwLastError` UInt32	—