Event ID 16385 — DPAPIDefInformationEvent
Description
DPAPIDefInformationEvent.
Message #
Fields #
| Name | Description |
|---|---|
OperationType UnicodeString | — Known values
|
DataDescription UnicodeString | — |
MasterKeyGUID GUID | — |
Flags UInt32 | — |
ProtectionFlags UInt32 | — |
ReturnValue UInt32 | — |
CallerProcessStartKey UInt64 | — |
CallerProcessID UInt32 | — |
CallerProcessCreationTime UInt64 | — |
PlainTextDataSize UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-DPAPI",
"guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
"event_source_name": "",
"event_id": 16385,
"version": 0,
"level": 4,
"task": 64,
"opcode": 0,
"keywords": 2305843009213694016,
"time_created": "2026-03-13T20:00:14.091877+00:00",
"event_record_id": 1,
"correlation": {
"ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
},
"execution": {
"process_id": 968,
"thread_id": 2796
},
"channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OperationType": "SPCryptProtect",
"DataDescription": "CryptoAPI Private Key",
"MasterKeyGUID": "136A714A-6B76-4E4F-A4DB-98C60F841100",
"Flags": 4,
"ProtectionFlags": 4,
"ReturnValue": 0,
"CallerProcessStartKey": 3377699720528945,
"CallerProcessID": 9080,
"CallerProcessCreationTime": 134179056135234796,
"PlainTextDataSize": 388
},
"message": ""
}
Community Notes #
Exposes the DPAPI operations (protect/unprotect) and the calling process. Disabled by default. See this Google Security blog post: Detecting browser data theft using Windows Event Logs.