Microsoft-Windows-Crypto-NCrypt
26 events across 3 channels
Event ID 1 — Cryptographic Operation failed.
Message
Fields
| Name | Description |
|---|---|
| OperationType | [Cryptographic Parameters] OperationType. |
| Provider_Name | [Cryptographic Parameters] Provider Name. |
| Key_Name | [Cryptographic Parameters] Key Name. |
| Key_Type | [Cryptographic Parameters] Key Type. |
| Algorithm_Name | [Cryptographic Parameters] Algorithm Name. |
| Return_Code | [Failure Information] Return Code. |
| ProviderName | — |
| KeyName | — |
| KeyType | — |
| AlgorithmName | — |
| Status | — |
| ProcessName | — |
Event ID 2 — Open Provider operation failed.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | [Cryptographic Parameters] Provider Name. |
| Status | — |
| ProcessName | [Failure Information] Return Code. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Crypto-NCrypt
  guid: E8ED09DC-100C-45E2-9FC8-B53399EC1F70
  event_source_name: ''
  event_id: 2
  version: 0
  level: 2
  task: 2
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-11-06T06:25:39.826665+00:00'
  event_record_id: 24
  correlation:
    ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
  execution:
    process_id: 808
    thread_id: 856
  channel: Microsoft-Windows-Crypto-NCrypt/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ProviderName: Microsoft Platform Crypto Provider
  Status: '0x80090030'
  ProcessName: lsass.exe
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3 — Open Key operation failed.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | [Cryptographic Parameters] Provider Name. |
| KeyName | [Cryptographic Parameters] Key Name. |
| Status | [Failure Information] Return Code. |
| ProcessName | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Crypto-NCrypt
  guid: E8ED09DC-100C-45E2-9FC8-B53399EC1F70
  event_source_name: ''
  event_id: 3
  version: 0
  level: 2
  task: 3
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-11-05T22:28:56.226219+00:00'
  event_record_id: 30
  correlation: {}
  execution:
    process_id: 5416
    thread_id: 5476
  channel: Microsoft-Windows-Crypto-NCrypt/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ProviderName: Microsoft Software Key Storage Provider
  KeyName: Microsoft Connected Devices Platform device certificate
  Status: '0x80090016'
  ProcessName: svchost.exe
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4 — Create Key operation failed.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | [Cryptographic Parameters] Provider Name. |
| KeyName | [Cryptographic Parameters] Key Name. |
| AlgorithmName | [Cryptographic Parameters] Algorithm Name. |
| Flags | [Cryptographic Parameters] Flags. |
| Status | [Failure Information] Return Code. |
| ProcessName | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Crypto-NCrypt
  guid: E8ED09DC-100C-45E2-9FC8-B53399EC1F70
  event_source_name: ''
  event_id: 4
  version: 0
  level: 2
  task: 4
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-11-06T01:47:51.933305+00:00'
  event_record_id: 47
  correlation: {}
  execution:
    process_id: 13296
    thread_id: 8852
  channel: Microsoft-Windows-Crypto-NCrypt/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ProviderName: Microsoft Software Key Storage Provider
  KeyName: ChromeMetricsTestKey
  AlgorithmName: ECDSA_P256
  Flags: '0x20000'
  Status: '0x80090029'
  ProcessName: chrome.exe
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5 — Protect Key operation failed.
Message
Fields
| Name | Description |
|---|---|
| Protector_Name | [Cryptographic Parameters] Protector Name. |
| Protector_Attributes | — |
| Flags | [Protector Attributes] Flags. |
| Return_Code | [Failure Information] Return Code. |
| ProtectorName | — |
| ProtectorAttributes | — |
| Status | — |
| ProcessName | — |
Event ID 6 — Unprotect Key operation failed.
Message
Fields
| Name | Description |
|---|---|
| Protector_Name | [Cryptographic Parameters] Protector Name. |
| Recipient_Type | [Cryptographic Parameters] Recipient Type. |
| Flags | [Cryptographic Parameters] Flags. |
| Return_Code | [Failure Information] Return Code. |
| ProtectorName | — |
| RecipientType | — |
| Status | — |
| ProcessName | — |
| KeyIdLength | — |
| KeyId | — |
Event ID 7 — Protect Secret operation failed.
Message
Fields
| Name | Description |
|---|---|
| Flags | [Cryptographic Parameters] Flags. |
| Return_Code | [Failure Information] Return Code. |
| Status | — |
| ProcessName | — |
Event ID 8 — Unprotect Secret operation failed.
Message
Fields
| Name | Description |
|---|---|
| Flags | [Cryptographic Parameters] Flags. |
| Return_Code | [Failure Information] Return Code. |
| Status | — |
| ProcessName | — |
Event ID 9 — Key write succeeded.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | — |
| KeyModificationType | ModificationType. |
| Flags | — |
| KeyName | — |
| KeyFileName | — |
| ProcessName | — |
| ProcessId | — |
| ThreadId | ServerThreadId. |
| UserId | — |
| ServiceTag | — |
| Status | Return Code. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Crypto-NCrypt
  guid: E8ED09DC-100C-45E2-9FC8-B53399EC1F70
  event_source_name: ''
  event_id: 9
  version: 0
  level: 5
  task: 9
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-11-05T22:28:56.259521+00:00'
  event_record_id: 31
  correlation: {}
  execution:
    process_id: 808
    thread_id: 856
  channel: Microsoft-Windows-Crypto-NCrypt/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ProviderName: Microsoft Software Key Storage Provider
  KeyModificationType: '0x1'
  Flags: '0x0'
  KeyName: Microsoft Connected Devices Platform device certificate
  KeyFileName: de7cf8a7901d2ad13e5c67c29e5d1662_e56ada26-b69d-4d96-86fb-2b434b08d2d0
  ProcessName: C:\Windows\System32\svchost.exe
  ProcessId: '0x1528'
  ThreadId: '0x358'
  UserId: S-1-5-19
  ServiceTag: CDPSvc
  Status: '0x0'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10 — Key write failed.
Message
Fields
| Name | Description |
|---|---|
| Provider_Name | — |
| ModificationType | — |
| Flags | — |
| Key_Name | — |
| Key_File_Name | — |
| ProcessName | — |
| ProcessId | — |
| ServerThreadId | — |
| UserId | — |
| ServiceTag | — |
| Return_Code | — |
| ProviderName | — |
| KeyModificationType | — |
| KeyName | — |
| KeyFileName | — |
| ThreadId | — |
| Status | — |
Event ID 11 — Delete key succeeded.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | — |
| Flags | — |
| DeletionType | — |
| KeyName | — |
| KeyFileName | — |
| ProcessName | — |
| ProcessId | — |
| ThreadId | ServerThreadId. |
| UserId | — |
| ServiceTag | — |
| Status | Return Code. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Crypto-NCrypt
  guid: E8ED09DC-100C-45E2-9FC8-B53399EC1F70
  event_source_name: ''
  event_id: 11
  version: 0
  level: 5
  task: 11
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-11-05T22:28:56.224021+00:00'
  event_record_id: 29
  correlation: {}
  execution:
    process_id: 808
    thread_id: 856
  channel: Microsoft-Windows-Crypto-NCrypt/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ProviderName: Microsoft Software Key Storage Provider
  Flags: '0x40'
  DeletionType: '0x0'
  KeyName: Microsoft Connected Devices Platform device certificate
  KeyFileName: de7cf8a7901d2ad13e5c67c29e5d1662_31383106-803d-411b-9763-a28cdc0f0c3f
  ProcessName: C:\Windows\System32\svchost.exe
  ProcessId: '0x1528'
  ThreadId: '0x358'
  UserId: S-1-5-19
  ServiceTag: CDPSvc
  Status: '0x0'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 12 — Delete key failed.
Message
Fields
| Name | Description |
|---|---|
| Provider_Name | — |
| Flags | — |
| DeletionType | — |
| Key_Name | — |
| Key_File_Name | — |
| ProcessName | — |
| ProcessId | — |
| ServerThreadId | — |
| UserId | — |
| ServiceTag | — |
| Return_Code | — |
| ProviderName | — |
| KeyName | — |
| KeyFileName | — |
| ThreadId | — |
| Status | — |
Event ID 13 — VBS Key Isolation operation failed Function: %1 Info: %2 Status: %3 (%4).
Message
Fields
| Name | Description |
|---|---|
| Function | — |
| Info | — |
| Status | — |
| StatusCode | — |
| StatusString | — |
Event ID 14 — VBS Key Isolation operation failed Function: %1 Info: %2 Status: %3 (%4) Client: %5 Client %1 failures: %6 Global %1 failures: %7 Global %1 success...
Message
Fields
| Name | Description |
|---|---|
| Function | — |
| Info | — |
| Status | — |
| Client | — |
| StatusCode | — |
| StatusString | — |
| FailuresCount | — |
| FailuresCountGlobal | — |
| SuccessCountGlobal | — |
Event ID 15 — New client uses VBS Key Isolation Name: %1 Binding status: %2 (%3) Client instance binding attempts: %4.
Message
Fields
| Name | Description |
|---|---|
| Client | Name. |
| BindingStatusCode | Binding status. |
| BindingStatusString | — |
| InstanceBindingAttempts | Client instance binding attempts. |
| ImageBindingAttempts | Client overall binding attempts. |
| ActiveInstances | — |
| ActiveInstancesMax | — |
| InstancesLifetime | Instances across lifetime. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Crypto-NCrypt
  guid: E8ED09DC-100C-45E2-9FC8-B53399EC1F70
  event_source_name: ''
  event_id: 15
  version: 0
  level: 4
  task: 13
  opcode: 0
  keywords: 9223372036854775816
  time_created: '2023-11-06T01:47:51.932692+00:00'
  event_record_id: 46
  correlation:
    ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
  execution:
    process_id: 808
    thread_id: 15768
  channel: Microsoft-Windows-Crypto-NCrypt/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Client: chrome.exe
  BindingStatusCode: '0x80090029'
  BindingStatusString: -2146893783
  InstanceBindingAttempts: 1
  ImageBindingAttempts: 2
  ActiveInstances: 1
  ActiveInstancesMax: 1
  InstancesLifetime: 2
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16 — Cert-In-Use Message.
Message
Fields
| Name | Description |
|---|---|
| Message | — |
Event ID 17 — Cert-In-Use Failed.
Message
Fields
| Name | Description |
|---|---|
| ErrorMessage | — |
| Message | — |
Event ID 18 — Key Guard attestation operation failed Function: %1 Info: %2 Status: %3 (%4) Global %1 failures: %5 Global %1 successes: %6.
Message
Fields
| Name | Description |
|---|---|
| Function | — |
| Info | — |
| StatusCode | — |
| StatusString | — |
| FailuresCountGlobal | — |
| SuccessCountGlobal | — |
Event ID 19 — Key Guard attestation operation failed Function: %1 Info: %2 Status: %3 (%4).
Message
Fields
| Name | Description |
|---|---|
| Function | — |
| Info | — |
| StatusCode | — |
| StatusString | — |
Event ID 20 — VBS Key Isolation is not available Error: %1 Failed to signal: %2 Signaled: %3.
Message
Fields
| Name | Description |
|---|---|
| ErrorCode | — |
| SignaledFailure | — |
| SignaledSuccess | — |
Event ID 21 — Key write succeeded.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | — |
| KeyModificationType | — |
| Flags | — |
| KeyName | — |
| KeyFileName | — |
| ProcessName | — |
| ProcessId | — |
| ThreadId | — |
| UserId | — |
| ServiceTag | — |
| Status | — |
Event ID 22 — Delete key succeeded.
Message
Fields
| Name | Description |
|---|---|
| ProviderName | — |
| Flags | — |
| DeletionType | — |
| KeyName | — |
| KeyFileName | — |
| ProcessName | — |
| ProcessId | — |
| ThreadId | — |
| UserId | — |
| ServiceTag | — |
| Status | — |
Event ID 23 — Capi1 Container write succeeded.
Message
Fields
| Name | Description |
|---|---|
| KeyName | — |
| KeyFileName | — |
| ProcessName | — |
Event ID 24 — Capi1 Container Delete succeeded.
Message
Fields
| Name | Description |
|---|---|
| KeyName | — |
| KeyFileName | — |
| ProcessName | — |
Event ID 25 — VBS Key Isolation status.
Message
Fields
| Name | Description |
|---|---|
| Status | — |
Event ID 26 — VBS Key Protection restart attempted LsaIsoLaunchAttempted: %1 Status: %2 TotalAttemptedRestarts: %3 TotalSuccessfulRestarts: %4 CanBeEnabled: %5.
Message
Fields
| Name | Description |
|---|---|
| LsaIsoLaunchAttempted | — |
| Status | — |
| TotalAttemptedRestarts | — |
| TotalSuccessfulRestarts | — |
| CanBeEnabled | — |