Audit DPAPI Activity
Applies To: Windows 7, Windows Server 2008 R2
This security policy setting determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI), which is used to protect secret information such as stored passwords and key information.
For more information about DPAPI, see Windows Data Protection (https://go.microsoft.com/fwlink/?LinkID=121720).
Event volume: Low
Default: Not configured
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
| Event ID | Event message |
|---|---|
4692 |
Backup of data protection master key was attempted. |
4693 |
Recovery of data protection master key was attempted. |
4694 |
Protection of auditable protected data was attempted. |
4695 |
Unprotection of auditable protected data was attempted. |