Event ID 9 — Key write succeeded.

Provider: Microsoft-Windows-Crypto-NCrypt
Channel: Operational
Level: Verbose
Task: Keywritesucceeded

Description

Key write succeeded.

Message

Key write succeeded.

 Provider Name: %1
 ModificationType: %2
 Flags: %3
 Key Name: %4
 Key File Name: %5
 ProcessName: %6
 ProcessId: %7
 ServerThreadId: %8
 UserId: %9
 ServiceTag: %10
 Return Code: %11

Fields

Name                 Type           Description
ProviderName         UnicodeString
KeyModificationType  HexInt32       ModificationType.
Flags                HexInt32
KeyName              UnicodeString
KeyFileName          UnicodeString
ProcessName          UnicodeString
ProcessId            HexInt32
ThreadId             HexInt32       ServerThreadId.
UserId               UnicodeString
ServiceTag           UnicodeString
Status               HexInt32       Return Code. NTSTATUS reference.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-NCrypt",
    "guid": "E8ED09DC-100C-45E2-9FC8-B53399EC1F70",
    "event_source_name": "",
    "event_id": 9,
    "version": 0,
    "level": 5,
    "task": 9,
    "opcode": 0,
    "keywords": 9223372036854775809,
    "time_created": "2023-11-05T22:28:56.259521+00:00",
    "event_record_id": 31,
    "correlation": {},
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ProviderName": "Microsoft Software Key Storage Provider",
    "KeyModificationType": "0x1",
    "Flags": "0x0",
    "KeyName": "Microsoft Connected Devices Platform device certificate",
    "KeyFileName": "de7cf8a7901d2ad13e5c67c29e5d1662_e56ada26-b69d-4d96-86fb-2b434b08d2d0",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe",
    "ProcessId": "0x1528",
    "ThreadId": "0x358",
    "UserId": "S-1-5-19",
    "ServiceTag": "CDPSvc",
    "Status": "0x0"
  },
  "message": ""
}
