Share via


Audit DPAPI Activity

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI), which is used to protect secret information such as stored passwords and key information.

For more information about DPAPI, see Windows Data Protection (https://go.microsoft.com/fwlink/?LinkID=121720).

Event volume: Low

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message

4692

Backup of data protection master key was attempted.

4693

Recovery of data protection master key was attempted.

4694

Protection of auditable protected data was attempted.

4695

Unprotection of auditable protected data was attempted.