Event ID 5061 — Cryptographic operation.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Cryptographic operation.

Message #

Cryptographic operation.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6
	Key Name: %7
	Key Type: %8

Cryptographic Operation:
	Operation: %9
	Return Code: %10

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`ProviderName` UnicodeString	[Cryptographic Parameters] Provider Name
`AlgorithmName` UnicodeString	[Cryptographic Parameters] Algorithm Name
`KeyName` UnicodeString	[Cryptographic Parameters] Key Name
`KeyType` UnicodeString	[Cryptographic Parameters] Key Type Known values `%%2499` Machine key `%%2500` User key
`Operation` UnicodeString	[Cryptographic Operation] Operation Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` HexInt32	[Cryptographic Operation] Return Code

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5061,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:39.884031+00:00",
    "event_record_id": 2883,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "ProviderName": "Microsoft Software Key Storage Provider",
    "AlgorithmName": "RSA",
    "KeyName": "b87f845a-3278-6909-ee85-d3025f077fea",
    "KeyType": "%%2500",
    "Operation": "%%2480",
    "ReturnCode": "0x0"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5061
Example event sourced from https://github.com/NextronSystems/evtx-baseline