Windows Security Log Event ID 4695

4695: Unprotection of auditable protected data was attempted

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event has to do with the Data Protection API. 

Per Microsoft: "The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. "

Apparently a program running under the account documented in Subject: tried to decrypt a blob with the CryptUnprotectData function and failed.  Status code 0x8009000b is pretty general.  Most often it means 

• The user password has changed and the automatic reprocessing of keys based on user password failed
• The blob was encrypted by a different user than the one now trying to decrypt it.

So it's possible that that this event could indicate malicious behavior but I've seen it logged during the course of normal operation on a clean, isolated test system too.
For more information on DPAPI see http://support.microsoft.com/kb/309408

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4695

Subject:

•  Security ID:  %1
•  Account Name:  %2
•  Account Domain:  %3
•  Logon ID:  %4

Protected Data:

•  Data Description: %6
•  Key Identifier: %5
•  Protected Data Flags: %7
•  Protection Algorithms: %8

Status Information:

•  Status Code: %9

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

 

Upcoming Webinars Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy