Microsoft-Windows-CAPI2
74 events across 3 channels
Event ID 10: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 11,
"opcode": 1,
"keywords": 4611686018427387907,
"time_created": "2026-03-13T20:00:05.355110+00:00",
"event_record_id": 3575,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertGetCertificateChainStart": {
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{CF0BD453-CD94-4F51-B22E-F268FB8E1C35}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 11: For more details for this event, please refer to the "Details" section
#Description
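For more details for this event, please refer to the "Details" section. In the example below the payload element is CertGetCertificateChain, logged at level 2 with Result 800B0101 (CERT_E_EXPIRED) because the end certificate, Microsoft Time-Stamp Service, carries CERT_TRUST_IS_NOT_TIME_VALID. It has the same CorrelationAuxInfo TaskId as the Event ID 10 example (SeqNumber 2, then 3), so the two can be paired as the start and end of one chain-building call.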
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 2,
"task": 11,
"opcode": 2,
"keywords": 4611686018427387907,
"time_created": "2026-03-13T20:00:05.356343+00:00",
"event_record_id": 3576,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertGetCertificateChain": {
"Certificate": {
"fileRef": "34A2F214EBABF43CA29A70786CAE64B34426AFD5.cer",
"subjectName": "Microsoft Time-Stamp Service"
},
"AdditionalStore": {
"Certificate": {
"fileRef": "580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D.cer",
"subjectName": "Microsoft Windows Production PCA 2011"
},
"Certificate_1": {
"fileRef": "BBD2C438000344F439BFDFE5ABAC3223357CD67F.cer",
"subjectName": "Microsoft Windows"
},
"Certificate_2": {
"fileRef": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6.cer",
"subjectName": "Microsoft Time-Stamp PCA 2010"
},
"Certificate_3": {
"fileRef": "34A2F214EBABF43CA29A70786CAE64B34426AFD5.cer",
"subjectName": "Microsoft Time-Stamp Service"
}
},
"ExtendedKeyUsage": null,
"Flags": {
"value": "4",
"CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL": "true"
},
"ChainEngineInfo": {
"context": "user"
},
"CertificateChain": {
"chainRef": "{CF25F10C-0EAF-4A4D-9077-D259B9BFF745}",
"TrustStatus": {
"ErrorStatus": {
"value": "1",
"CERT_TRUST_IS_NOT_TIME_VALID": "true"
},
"InfoStatus": {
"value": "100",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ChainElement": {
"Certificate": {
"fileRef": "34A2F214EBABF43CA29A70786CAE64B34426AFD5.cer",
"subjectName": "Microsoft Time-Stamp Service"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"TrustStatus": {
"ErrorStatus": {
"value": "1",
"CERT_TRUST_IS_NOT_TIME_VALID": "true"
},
"InfoStatus": {
"value": "102",
"CERT_TRUST_HAS_KEY_MATCH_ISSUER": "true",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ApplicationUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
},
"IssuanceUsage": null
},
"ChainElement_1": {
"Certificate": {
"fileRef": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6.cer",
"subjectName": "Microsoft Time-Stamp PCA 2010"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"TrustStatus": {
"ErrorStatus": {
"value": "0"
},
"InfoStatus": {
"value": "102",
"CERT_TRUST_HAS_KEY_MATCH_ISSUER": "true",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ApplicationUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
},
"IssuanceUsage": {
"Usage": {
"oid": "1.3.6.1.4.1.311.76.509.1.1"
}
}
},
"ChainElement_2": {
"Certificate": {
"fileRef": "3B1EFD3A66EA28B16697394703A72CA340A05BD5.cer",
"subjectName": "Microsoft Root Certificate Authority 2010"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"TrustStatus": {
"ErrorStatus": {
"value": "0"
},
"InfoStatus": {
"value": "13C",
"CERT_TRUST_HAS_NAME_MATCH_ISSUER": "true",
"CERT_TRUST_IS_SELF_SIGNED": "true",
"CERT_TRUST_AUTO_UPDATE_CA_REVOCATION": "true",
"CERT_TRUST_AUTO_UPDATE_END_REVOCATION": "true",
"CERT_TRUST_HAS_PREFERRED_ISSUER": "true"
}
},
"ApplicationUsage": {
"any": "true"
},
"IssuanceUsage": {
"any": "true"
}
}
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{CF0BD453-CD94-4F51-B22E-F268FB8E1C35}",
"SeqNumber": "3"
},
"Result": {
"value": "800B0101",
"Value": "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
}
}
},
"message": ""
}
References #
Event ID 12: For more details for this event, please refer to the "Details" section
#Event ID 13: For more details for this event, please refer to the "Details" section
#Event ID 14: For more details for this event, please refer to the "Details" section
#Event ID 15: For more details for this event, please refer to the "Details" section
#Event ID 16: For more details for this event, please refer to the "Details" section
#Event ID 17: For more details for this event, please refer to the "Details" section
#Event ID 18: For more details for this event, please refer to the "Details" section
#Event ID 19: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"event_id": 19,
"level": 4,
"task": 20,
"opcode": 1,
"time_created": "2026-05-27T16:13:54.1409772+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-CAPI2"
},
"event_data": {
"CorrelationAuxInfo": "",
"EventAuxInfo": ""
}
}
Event ID 20: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"event_id": 20,
"level": 4,
"task": 20,
"opcode": 2,
"time_created": "2026-05-27T16:13:54.1411336+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-CAPI2"
},
"event_data": {
"EventAuxInfo": "",
"URL": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
"CorrelationAuxInfo": "",
"Result": "",
"SubjectCertificate": ""
}
}
Event ID 21: For more details for this event, please refer to the "Details" section
#Event ID 22: For more details for this event, please refer to the "Details" section
#Event ID 23: For more details for this event, please refer to the "Details" section
#Event ID 24: For more details for this event, please refer to the "Details" section
#Event ID 30: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 30,
"version": 0,
"level": 4,
"task": 30,
"opcode": 0,
"keywords": 4611686018427387905,
"time_created": "2026-03-13T20:00:05.311044+00:00",
"event_record_id": 3571,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertVerifyCertificateChainPolicy": {
"Policy": {
"type": "CERT_CHAIN_POLICY_MICROSOFT_ROOT",
"constant": "7"
},
"Certificate": {
"fileRef": "FE51E838A087BB561BBB2DD9BA20143384A03B3F.cer",
"subjectName": "Microsoft Windows"
},
"CertificateChain": {
"chainRef": "{422C2A8A-2D14-43B7-8F70-6DD1C807BC48}"
},
"Flags": {
"value": "0"
},
"Status": {
"chainIndex": "0",
"elementIndex": "0"
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{2FB27E5B-20C4-4277-99EF-3ADDA4EF8CBB}",
"SeqNumber": "1"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Event ID 40: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 40,
"version": 0,
"level": 4,
"task": 41,
"opcode": 1,
"keywords": 4611686018427387909,
"time_created": "2026-03-13T21:05:59.181502+00:00",
"event_record_id": 113702,
"correlation": {},
"execution": {
"process_id": 9432,
"thread_id": 7728
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertVerifyRevocationStart": {
"EventAuxInfo": {
"ProcessName": "certsrv.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{9B67B555-351F-4EE4-92A7-DEFFE0227D19}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 41: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 41,
"opcode": 2,
"keywords": 4611686018427387909,
"time_created": "2026-03-13T21:05:59.181662+00:00",
"event_record_id": 113703,
"correlation": {},
"execution": {
"process_id": 9432,
"thread_id": 7728
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CertVerifyRevocation": {
"Certificate": {
"fileRef": "F56EABB3328B76F923BFCB6D35C23BDE16D14A00.cer",
"subjectName": "WebServer2"
},
"IssuerCertificate": {
"fileRef": "8EAE36D131A05BF026C6A588F9496A8A617AF247.cer",
"subjectName": "EvtGen-Root-CA"
},
"Flags": {
"value": "0"
},
"AdditionalParameters": {
"timeToUse": "2026-03-13T21:05:59Z",
"currentTime": "2026-03-13T21:05:59.175Z",
"urlRetrievalTimeout": "PT15S"
},
"RevocationStatus": {
"index": "0",
"error": "0",
"reason": "0",
"actualFreshnessTime": "PT30M47S",
"thirdPartyProviderUsed": "C:\\Windows\\System32\\cryptnet.dll"
},
"CertificateRevocationList": {
"location": "Store",
"fileRef": "4AAC12FAC7DC7A42102EB458352AC2AA33C1901F.crl",
"issuerName": "EvtGen-Root-CA"
},
"CertificateRevocationList_1": {
"deltaCRL": "true",
"location": "Store",
"fileRef": "93FDE3883D5439220A2E9D0DB3BBBA6F655FED38.crl",
"issuerName": "EvtGen-Root-CA"
},
"EventAuxInfo": {
"ProcessName": "certsrv.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{9B67B555-351F-4EE4-92A7-DEFFE0227D19}",
"SeqNumber": "3"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Event ID 42: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"event_id": 42,
"level": 2,
"task": 42,
"opcode": 0,
"time_created": "2026-05-27T18:28:08.2679830+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-CAPI2"
},
"event_data": {
"EarliestOnlineTime": "2026-05-27T18:58:08.254Z",
"Action": "",
"SubjectCertificate": "",
"CertificateRevocationList": "",
"IssuerCertificate": "",
"EventAuxInfo": "",
"CorrelationAuxInfo": ""
}
}
Event ID 50: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 51,
"opcode": 1,
"keywords": 4611686018427387950,
"time_created": "2026-03-13T21:19:03.663813+00:00",
"event_record_id": 218641,
"correlation": {},
"execution": {
"process_id": 8448,
"thread_id": 4164
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"CryptRetrieveObjectByUrlCacheStart": {
"EventAuxInfo": {
"ProcessName": "appidcertstorecheck.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{F4EEE8BD-2D02-4D08-A1E6-8C28B86BBBC6}",
"SeqNumber": "3"
}
}
},
"message": ""
}
Event ID 51: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 51,
"version": 0,
"level": 4,
"task": 51,
"opcode": 2,
"keywords": 4611686018427387950,
"time_created": "2026-03-13T21:19:03.663904+00:00",
"event_record_id": 218642,
"correlation": {},
"execution": {
"process_id": 8448,
"thread_id": 4164
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"CryptRetrieveObjectByUrlCache": {
"URL": {
"scheme": "http",
"Value": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D"
},
"Object": {
"type": "CONTEXT_OID_OCSP_RESP",
"constant": "6"
},
"Flags": {
"value": "2002",
"CRYPT_CACHE_ONLY_RETRIEVAL": "true",
"CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true"
},
"AuxInfo": {
"maxUrlRetrievalByteCount": "104857600",
"cacheFileNamePrefix": "698460A0B6E60F2F602361424D832905_"
},
"CacheInfo": {
"lastSyncTime": "2026-03-08T23:13:43.967Z",
"URLCachePrefetchInfo": {
"objectType": "CRYPTNET_URL_CACHE_PRE_FETCH_OCSP",
"thisUpdateTime": "2026-03-08T20:34:50Z",
"nextUpdateTime": "2026-03-15T20:34:50Z"
},
"URLCacheFlushInfo": {
"expireTime": "2026-03-15T20:34:50Z"
},
"URLCacheResponseInfo": {
"responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP",
"responseValidated": "true",
"maxAge": "4235"
}
},
"RetrievedObjects": {
"OCSPResponse": {
"fileRef": "DA84BCCE985586609B0DC52E3817E6FAC937D736.bin"
}
},
"EventAuxInfo": {
"ProcessName": "appidcertstorecheck.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{F4EEE8BD-2D02-4D08-A1E6-8C28B86BBBC6}",
"SeqNumber": "4"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Event ID 52: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 52,
"version": 0,
"level": 4,
"task": 53,
"opcode": 1,
"keywords": 4611686018427387958,
"time_created": "2026-03-13T23:21:02.811164+00:00",
"event_record_id": 460529,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 12528
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptRetrieveObjectByUrlWireStart": {
"EventAuxInfo": {
"ProcessName": "lsass.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{8F0E8D7E-9D5A-47E8-B5B4-A696EA3386DA}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 53: For more details for this event, please refer to the "Details" section
#Description
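For more details for this event, please refer to the "Details" section. In the example below, lsass.exe attempts a wire-only retrieval (CRYPT_WIRE_ONLY_RETRIEVAL) of an OCSP response from the URL in user_data, and Call_WinHttpSendRequest fails with 2EE7, "The server name or address could not be resolved". Read together, URL.Value and EventAuxInfo.ProcessName show which process tried to reach which revocation or AIA endpoint.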
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 53,
"version": 0,
"level": 2,
"task": 53,
"opcode": 2,
"keywords": 4611686018427387958,
"time_created": "2026-03-13T23:21:02.811256+00:00",
"event_record_id": 460530,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 12528
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptRetrieveObjectByUrlWire": {
"URL": {
"scheme": "http",
"Value": "http://aia.ludus.domain/aia/EvtGen-Root-CA.crt/MFQwUjBQME4wTDAJBgUrDgMCGgUABBR5CkEQ6HJKjbgGJDMbu8kNl53AdAQUEP1C85qzyuKWqEZYr0KRnRTFDycCE0oAAAAlDt%2BriiA7UroAAAAAACU%3D"
},
"Object": {
"type": "CONTEXT_OID_OCSP_RESP",
"constant": "6"
},
"Timeout": "PT15S",
"Flags": {
"value": "200C",
"CRYPT_WIRE_ONLY_RETRIEVAL": "true",
"CRYPT_DONT_CACHE_RESULT": "true",
"CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true"
},
"AuxInfo": {
"cacheFileNamePrefix": "58D87B4C947D6EF61B681B320176D308_"
},
"AdditionalInfo": {
"NetworkConnectivityStatus": {
"value": "1",
"_SENSAPI_NETWORK_ALIVE_LAN": "true"
},
"Action": {
"name": "Call_WinHttpSendRequest",
"Error": {
"value": "2EE7",
"Value": "The server name or address could not be resolved"
}
}
},
"EventAuxInfo": {
"ProcessName": "lsass.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{8F0E8D7E-9D5A-47E8-B5B4-A696EA3386DA}",
"SeqNumber": "3"
},
"Result": {
"value": "2EE7"
}
}
},
"message": ""
}
Event ID 60: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"event_id": 60,
"level": 2,
"task": 60,
"opcode": 0,
"time_created": "2026-05-27T16:14:33.7448793+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-CAPI2"
},
"event_data": {
"EventAuxInfo": "",
"Flags": "",
"Result": "The handle is invalid.",
"CorrelationAuxInfo": "",
"Store": ""
}
}
Event ID 70: For more details for this event, please refer to the "Details" section
#Description
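For more details for this event, please refer to the "Details" section. The payload element is CryptAcquireCertificatePrivateKey, named after the CryptoAPI function that obtains the private key for a certificate. In this capture every nested field (Certificate, Flags, EventAuxInfo, CorrelationAuxInfo, Result) is an empty string, so the example shows the field names but not which certificate or process was involved.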
Message #
Fields #
| Name | Description |
|---|---|
| CryptAcquireCertificatePrivateKey.Certificate | |
| CryptAcquireCertificatePrivateKey.Flags | |
| CryptAcquireCertificatePrivateKey.EventAuxInfo | |
| CryptAcquireCertificatePrivateKey.CorrelationAuxInfo | |
| CryptAcquireCertificatePrivateKey.Result | |
| EventWriteData | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 70,
"version": 0,
"level": 4,
"task": 70,
"opcode": 0,
"keywords": 4611686018427388032,
"time_created": "2026-06-13T05:39:30.8809134+00:00",
"event_record_id": 247895,
"correlation": {},
"execution": {
"process_id": 2492,
"thread_id": 3088
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptAcquireCertificatePrivateKey": {
"Certificate": "",
"Flags": "",
"EventAuxInfo": "",
"CorrelationAuxInfo": "",
"Result": ""
}
},
"message": "For more details for this event, please refer to the \"Details\" section"
}
Detection Rules #
Sigma and Splunk rules reference this event.
Event ID 71: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 71,
"version": 0,
"level": 4,
"task": 71,
"opcode": 0,
"keywords": 4611686018427388032,
"time_created": "2026-03-13T21:05:59.101778+00:00",
"event_record_id": 113698,
"correlation": {},
"execution": {
"process_id": 3132,
"thread_id": 12024
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"CryptSignCertificate": {
"Certificate": {
"fileRef": "530FF03004DB9A2DE6A659CCFA9233C1C808D765.cer",
"subjectName": "WebServer2"
},
"EventAuxInfo": {
"ProcessName": "certreq.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{90B3BCCA-6FA5-4FEF-AAAD-955C9F311974}",
"SeqNumber": "2"
}
}
},
"message": ""
}
Event ID 80: For more details for this event, please refer to the "Details" section
#Description
For more details for this event, please refer to the "Details" section.
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 80,
"version": 0,
"level": 4,
"task": 80,
"opcode": 1,
"keywords": 4611686018427387968,
"time_created": "2026-03-13T20:00:05.355104+00:00",
"event_record_id": 3574,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"WinVerifyTrustStart": {
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{CF0BD453-CD94-4F51-B22E-F268FB8E1C35}",
"SeqNumber": "1"
}
}
},
"message": ""
}
Event ID 81: For more details for this event, please refer to the "Details" section
#Description
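For more details for this event, please refer to the "Details" section. In the example below the payload element is WinVerifyTrust: MsSense.exe verifies a catalog-signed file (CatalogInfo.Member.filePath) with Result 0, and CertificateChain.chainRef and TimestampChain.chainRef reference the signer and timestamp chains. Its CorrelationAuxInfo TaskId matches the Event ID 90 example (SeqNumber 10, then 11), where the certificates involved are listed in full.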
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 81,
"version": 0,
"level": 4,
"task": 80,
"opcode": 2,
"keywords": 4611686018427387968,
"time_created": "2026-03-13T20:00:05.310932+00:00",
"event_record_id": 3570,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"WinVerifyTrust": {
"ActionID": "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"UIChoice": {
"value": "2",
"Value": "WTD_UI_NONE"
},
"RevocationCheck": {
"value": "1",
"WTD_REVOKE_WHOLECHAIN": "true"
},
"StateAction": {
"value": "1",
"Value": "WTD_STATEACTION_VERIFY"
},
"Flags": {
"value": "80001440",
"WTD_REVOCATION_CHECK_CHAIN": "true",
"WTD_USE_DEFAULT_OSVER_CHECK": "true",
"WTD_CACHE_ONLY_URL_RETRIEVAL": "true",
"CPD_USE_NT5_CHAIN_FLAG": "true"
},
"CatalogInfo": {
"filePath": "C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\HyperV-UX-UI-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat",
"Member": {
"tag": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
"filePath": "C:\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll",
"hasFileHandle": "true",
"hash": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
"hashFilePath": "\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll"
}
},
"DigestInfo": {
"digestAlgorithm": "SHA1",
"digest": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF"
},
"RegPolicySetting": {
"value": "23C00",
"WTPF_OFFLINEOK_IND": "true",
"WTPF_OFFLINEOK_COM": "true",
"WTPF_OFFLINEOKNBU_IND": "true",
"WTPF_OFFLINEOKNBU_COM": "true",
"WTPF_IGNOREREVOCATIONONTS": "true"
},
"SignatureSettingsFlags": {
"value": "20000000",
"WSS_OUT_FILE_SUPPORTS_SEAL": "true"
},
"SignerInfo": {
"DigestAlgorithm": {
"oid": "2.16.840.1.101.3.4.2.1",
"hashName": "SHA256"
}
},
"CertificateChain": {
"chainRef": "{422C2A8A-2D14-43B7-8F70-6DD1C807BC48}"
},
"TimestampInfo": {
"format": "RFC 3161",
"DigestAlgorithm": {
"oid": "2.16.840.1.101.3.4.2.1",
"hashName": "SHA256"
},
"SignTime": "2022-05-07T04:33:12.256Z"
},
"TimestampChain": {
"chainRef": "{EB187775-EA45-4715-9648-CA7864F79031}"
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{116ED906-7813-42DD-902B-79FD5BF3FB24}",
"SeqNumber": "11"
},
"Result": {
"value": "0"
}
}
},
"message": ""
}
Detection Rules #
Splunk rules reference this event.
Event ID 82: For more details for this event, please refer to the "Details" section
#Description
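For more details for this event, please refer to the "Details" section. In the example below the payload element is CryptCATAdminEnumCatalogFromHash and the level-2 Result is 490, "Element not found.". The "value" strings under Result, Flags and TrustStatus in these events are hexadecimal without a 0x prefix (0x490 is 1168 decimal; compare "13C", "200C" and "2EE7" in other examples), which matters when matching them in a detection rule.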
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 82,
"version": 0,
"level": 2,
"task": 82,
"opcode": 0,
"keywords": 4611686018427388928,
"time_created": "2026-03-13T20:00:05.312348+00:00",
"event_record_id": 3572,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"CryptCATAdminEnumCatalogFromHash": {
"CATQueryInfo": {
"nextEnum": "true",
"hash": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
"targetFilePath": "\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll"
},
"AdditionalInfo": {
"Action": {
"name": "Call_CryptSvcCatDBEnumCatalogs_NotFound",
"parameter1": "{127D0A1D-4EF2-11D1-8608-00C04FC295EE}"
},
"CryptSvcCatalogs": {
"Catalog": {
"inCache": "true",
"Value": "C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\HyperV-UX-UI-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat"
}
}
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{D7D77015-48B1-487B-BFDE-B417A15BF88E}",
"SeqNumber": "1"
},
"Result": {
"value": "490",
"Value": "Element not found."
}
}
},
"message": ""
}
Event ID 90: For more details for this event, please refer to the "Details" section
#Description
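For more details for this event, please refer to the "Details" section. In the example below the payload element is X509Objects, which lists each certificate's subject, issuer, serial number, validity period and extensions. Other events refer to the same certificates by fileRef only (for example, FE51E838A087BB561BBB2DD9BA20143384A03B3F.cer appears in the Event ID 30 example), so this event supplies the detail behind those references.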
Message #
Fields #
| Name | Description |
|---|---|
EventWriteData UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": 90,
"version": 0,
"level": 4,
"task": 90,
"opcode": 0,
"keywords": 4611686018427388416,
"time_created": "2026-03-13T20:00:05.310893+00:00",
"event_record_id": 3569,
"correlation": {},
"execution": {
"process_id": 3384,
"thread_id": 2456
},
"channel": "Microsoft-Windows-CAPI2/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"X509Objects": {
"Certificate": {
"fileRef": "3B1EFD3A66EA28B16697394703A72CA340A05BD5.cer",
"subjectName": "Microsoft Root Certificate Authority 2010",
"Subject": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"Issuer": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "28CC3A25BFBA44AC449A9B586B4339AA",
"NotBefore": "2010-06-23T21:57:24Z",
"NotAfter": "2035-06-23T22:04:01Z",
"Extensions": {
"KeyUsage": {
"value": "86",
"CERT_DIGITAL_SIGNATURE_KEY_USAGE": "true",
"CERT_KEY_CERT_SIGN_KEY_USAGE": "true",
"CERT_CRL_SIGN_KEY_USAGE": "true"
},
"BasicConstraints": {
"critical": "true",
"cA": "true"
}
},
"Properties": {
"FriendlyName": "Microsoft Root Certificate Authority 2010"
}
},
"Certificate_1": {
"fileRef": "580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D.cer",
"subjectName": "Microsoft Windows Production PCA 2011",
"Subject": {
"CN": "Microsoft Windows Production PCA 2011",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "A92902398E16C49778CD90F99E4F9AE17C55AF53"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "2048"
},
"Issuer": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "61077656000000000008",
"NotBefore": "2011-10-19T18:41:42Z",
"NotAfter": "2026-10-19T18:51:42Z",
"Extensions": {
"KeyUsage": {
"value": "86",
"CERT_DIGITAL_SIGNATURE_KEY_USAGE": "true",
"CERT_KEY_CERT_SIGN_KEY_USAGE": "true",
"CERT_CRL_SIGN_KEY_USAGE": "true"
},
"BasicConstraints": {
"critical": "true",
"cA": "true"
},
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4"
}
}
}
},
"Certificate_2": {
"fileRef": "FE51E838A087BB561BBB2DD9BA20143384A03B3F.cer",
"subjectName": "Microsoft Windows",
"Subject": {
"CN": "Microsoft Windows",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "48853A4312E340D4AB798F78D2D289F81D327938"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "2048"
},
"Issuer": {
"CN": "Microsoft Windows Production PCA 2011",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "330000033C89C66A7B45BB1FBD00000000033C",
"NotBefore": "2021-09-02T18:23:41Z",
"NotAfter": "2022-09-01T18:23:41Z",
"Extensions": {
"ExtendedKeyUsage": {
"Usage": {
"oid": "1.3.6.1.4.1.311.10.3.6",
"name": "Windows System Component Verification"
},
"Usage_1": {
"oid": "1.3.6.1.5.5.7.3.3",
"name": "Code Signing"
}
},
"SubjectAltName": {
"DirectoryName": {
"SERIALNUMBER": "229879+467580",
"OU": "Microsoft Ireland Operations Limited"
}
},
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "A92902398E16C49778CD90F99E4F9AE17C55AF53"
}
},
"BasicConstraints": {
"critical": "true",
"cA": "false"
}
}
},
"Certificate_3": {
"fileRef": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6.cer",
"subjectName": "Microsoft Time-Stamp PCA 2010",
"Subject": {
"CN": "Microsoft Time-Stamp PCA 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "9FA7155D005E625D83F4E5D265A71B533519E972"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"Issuer": {
"CN": "Microsoft Root Certificate Authority 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "3300000015C5E76B9E029B4999000000000015",
"NotBefore": "2021-09-30T18:22:25Z",
"NotAfter": "2030-09-30T18:32:25Z",
"Extensions": {
"CertificatePolicies": {
"Policy": {
"oid": "1.3.6.1.4.1.311.76.509.1.1"
}
},
"ExtendedKeyUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
},
"KeyUsage": {
"value": "86",
"CERT_DIGITAL_SIGNATURE_KEY_USAGE": "true",
"CERT_KEY_CERT_SIGN_KEY_USAGE": "true",
"CERT_CRL_SIGN_KEY_USAGE": "true"
},
"BasicConstraints": {
"critical": "true",
"cA": "true"
},
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4"
}
}
}
},
"Certificate_4": {
"fileRef": "1306B88D68DA71B39853EFBDE72749EE14828B98.cer",
"subjectName": "Microsoft Time-Stamp Service",
"Subject": {
"CN": "Microsoft Time-Stamp Service",
"OU": "Thales TSS ESN:3E7A-E359-A25D",
"OU_1": "Microsoft America Operations",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SubjectKeyID": {
"computed": "false",
"hash": "72B92E50D8294E91B8916C142F44CF0B618CD0E8"
},
"SignatureAlgorithm": {
"oid": "1.2.840.113549.1.1.11",
"hashName": "SHA256",
"publicKeyName": "RSA"
},
"PublicKeyAlgorithm": {
"oid": "1.2.840.113549.1.1.1",
"publicKeyName": "RSA",
"publicKeyLength": "4096"
},
"Issuer": {
"CN": "Microsoft Time-Stamp PCA 2010",
"O": "Microsoft Corporation",
"L": "Redmond",
"S": "Washington",
"C": "US"
},
"SerialNumber": "33000001A0E9BB8CBB0EA2D17A0001000001A0",
"NotBefore": "2021-12-02T19:05:23Z",
"NotAfter": "2023-02-28T19:05:23Z",
"Extensions": {
"AuthorityKeyIdentifier": {
"KeyID": {
"hash": "9FA7155D005E625D83F4E5D265A71B533519E972"
}
},
"BasicConstraints": {
"critical": "true",
"cA": "false"
},
"ExtendedKeyUsage": {
"Usage": {
"oid": "1.3.6.1.5.5.7.3.8",
"name": "Time Stamping"
}
}
}
},
"EventAuxInfo": {
"ProcessName": "MsSense.exe"
},
"CorrelationAuxInfo": {
"TaskId": "{116ED906-7813-42DD-902B-79FD5BF3FB24}",
"SeqNumber": "10"
}
}
},
"message": ""
}
Event ID 256: The Cryptographic Services service failed to initialize the Catalog Database.
#Event ID 257: The Cryptographic Services service failed to initialize the Catalog Database.
#Event ID 512: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
#Event ID 513: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
#Event ID 4097: Successful auto update of third-party root certificate:: Subject: <OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.
#Description
Successful auto update of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.
Message #
Fields #
| Name | Description |
|---|---|
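Data_0 | Subject distinguished name of the root certificate that was auto-updated; fills the `Subject: <…>` slot of the message |
Data_1 | SHA-1 thumbprint of that certificate in uppercase hex; fills the `Sha1 thumbprint: <…>` slot and is the value to compare against an expected-roots baseline |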
1 | |
2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 4097,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-28T02:32:27.7621286+00:00",
"event_record_id": 223,
"correlation": {},
"execution": {
"process_id": 3128,
"thread_id": 3412
},
"channel": "Application",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB",
"Data_1": "D1EB23A46D17D68FD92564C2F1F1601764D8E349"
},
"message": "Successful auto update of third-party root certificate:: Subject: <CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB> Sha1 thumbprint: <D1EB23A46D17D68FD92564C2F1F1601764D8E349>."
}
Event ID 4098: Successful auto update retrieval of third-party root list cab from: <1>.
#Event ID 4099: Failed auto update retrieval of third-party root list cab from: <1> with error: 2.
#Event ID 4100: Successful auto update retrieval of third-party root certificate from: <URL>.
#Description
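Successful auto update retrieval of third-party root certificate from: <URL>. The example below has an empty `event_data`, so it does not show the URL value. Its `keywords` value 9259400833873739776 is the unsigned decimal form of the -9187343239835811840 in the other Application-channel examples on this page (both are 0x8080000000000000), so compare `keywords` as a 64-bit mask rather than as a decimal number.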
Message #
Fields #
| Name | Description |
|---|---|
1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "Microsoft-Windows-CAPI2",
"event_id": 4100,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2016-08-24T21:26:02.343750Z",
"event_record_id": 1650,
"correlation": {},
"execution": {
"process_id": 1124,
"thread_id": 1712
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4101: Failed auto update retrieval of third-party root certificate from: <1> with error: 2.
#Event ID 4102: Reached crypt32 threshold of 1 events and will suspend logging for 2 minutes.
#Event ID 4103: Successful auto update retrieval of third-party root list sequence number from: <1>.
#Event ID 4104: Failed auto update retrieval of third-party root list sequence number from: <1> with error: 2.
#Event ID 4105: Untrusted root certificate:: Subject: <1> Sha1 thumbprint: <2>.
#Event ID 4106: Partial Chain:: Issuer: <1> Subject Sha1 thumbprint: <2>.
#Event ID 4107: Failed extract of third-party root list from auto update cab at: <1> with error: 2.
#Event ID 4108: Successful auto delete of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.
#Description
Successful auto delete of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.
Message #
Fields #
| Name | Description |
|---|---|
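Data_0 | Subject distinguished name of the root certificate that was auto-deleted; fills the `Subject: <…>` slot of the message |
Data_1 | SHA-1 thumbprint of that certificate in uppercase hex; fills the `Sha1 thumbprint: <…>` slot and identifies exactly which certificate was removed |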
1 | |
2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 4108,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-04-18T00:29:12.1583400+00:00",
"event_record_id": 34,
"correlation": {},
"execution": {
"process_id": 2044,
"thread_id": 1512
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US",
"Data_1": "4F65566336DB6598581D584A596C87934D5F2AB4"
},
"message": "Successful auto delete of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US> Sha1 thumbprint: <4F65566336DB6598581D584A596C87934D5F2AB4>."
}
Event ID 4109: Successful auto property update of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.
#Description
Successful auto property update of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.
Message #
Fields #
| Name | Description |
|---|---|
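Data_0 | Subject distinguished name of the root certificate whose properties were auto-updated; fills the `Subject: <…>` slot of the message |
Data_1 | SHA-1 thumbprint of that certificate in uppercase hex. The 4108 and 4109 examples on this page carry the same subject with different thumbprints, so identify a certificate by thumbprint, not by subject |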
1 | |
2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 4109,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-04-18T00:29:12.1583400+00:00",
"event_record_id": 33,
"correlation": {},
"execution": {
"process_id": 2044,
"thread_id": 1512
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US",
"Data_1": "742C3192E607E424EB4549542BE1BBC53E6174E2"
},
"message": "Successful auto property update of third-party root certificate:: Subject: <OU=Class 3 Public Primary Certification Authority, O=\"VeriSign, Inc.\", C=US> Sha1 thumbprint: <742C3192E607E424EB4549542BE1BBC53E6174E2>."
}
Event ID 4110: Failed to add certificate to Third-Party Root Certification Authorities store with error: 2.
#Event ID 4111: Successful auto update of third-party root list with effective date: Tuesday, February 22, 2022 11:44:40 AM.
#Description
Successful auto update of third-party root list with effective date: .
Message #
Fields #
| Name | Description |
|---|---|
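Data_0 | Effective date of the third-party root list, as a formatted date string with no time-zone indicator (`Tuesday, April 21, 2026 8:33:28 PM` in the example); use `system.time_created` for when the event was logged |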
1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 4111,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-27T20:29:54.4544927+00:00",
"event_record_id": 304,
"correlation": {},
"execution": {
"process_id": 1272,
"thread_id": 1476
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Tuesday, April 21, 2026 8:33:28 PM"
},
"message": "Successful auto update of third-party root list with effective date: Tuesday, April 21, 2026 8:33:28 PM."
}
Event ID 4112: Successful auto update of disallowed certificate list with effective date: Tuesday, March 16, 2021 12:29:24 AM.
#Description
Successful auto update of disallowed certificate list with effective date: .
Message #
Fields #
| Name | Description |
|---|---|
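Data_0 | Effective date of the disallowed certificate list, as a formatted date string with no time-zone indicator. Comparing it with `system.time_created` shows how old the list was when the event was logged (in the example, a September 2025 list logged in April 2026) |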
1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 4112,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-04-18T00:25:08.3908412+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 1924,
"thread_id": 3400
},
"channel": "Application",
"computer": "USERUSE-I0E7KUG",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Thursday, September 4, 2025 8:20:48 PM"
},
"message": "Successful auto update of disallowed certificate list with effective date: Thursday, September 4, 2025 8:20:48 PM."
}
Event ID 4113: Successful auto update of pin rules with effective date: Wednesday, May 31, 2017 4:28:59 PM.
#Description
Successful auto update of pin rules with effective date: .
Message #
Fields #
| Name | Description |
|---|---|
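Data_0 | Effective date of the pin rules, as a formatted date string with no time-zone indicator. The heading sample and the example show `4:28:59 PM` and `7:28:59 PM` for the same day, which suggests the string is rendered in the logging host's local time; treat it as local time until confirmed |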
1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}",
"event_source_name": "",
"event_id": 4113,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-04-18T00:29:05.3567785+00:00",
"event_record_id": 31,
"correlation": {},
"execution": {
"process_id": 2044,
"thread_id": 5880
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Wednesday, May 31, 2017 7:28:59 PM"
},
"message": "Successful auto update of pin rules with effective date: Wednesday, May 31, 2017 7:28:59 PM."
}
Event ID 4114: Server: Server has unexpected certificates under trusted authority: <2> with thumbprint: 3.
#Event ID 4115: Added public key pinning rule for domain: 1 with header thumbprint: 2.
#Event ID 4116: Server: Server has unexpected certificates under trusted authority: <2> with thumbprint: 3.
#Event ID 4117: Server: Server has unexpected certificates under trusted authority: <2> with thumbprint: 3.
#Event ID 4128: Successful pre-fetch of certificate revocation list from: <1>.
#Event ID 4129: Failed pre-fetch of certificate revocation list from: <1> with error: 2.
#Event ID 4130: Certificate signature verify failed.
#Event ID 4131: LDAP CryptRetrieveObjectByUrlW failed.
#Event ID 4176: PFX operation failed as AuthSafes count doesn't lie in expected range.
#Event ID 4177: PFX operation failed as Iteration count doesn't lie in expected range.
#Event ID 4178: PFX operation failed as SafeBags count doesn't lie in expected range.
#Event ID 8192: The catalog file FileName is being added to subsystem Subsystem.
#Event ID 8193: Addition of the catalog file completed.
#Description
Addition of the catalog file completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
Event ID 8194: The catalog file FileName is being removed from the subsystem Subsystem.
#Event ID 8195: Removal of the catalog file completed.
#Description
Removal of the catalog file completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
Event ID 8196: The catalog file FileName is being synced to the subsystem Subsystem.
#Event ID 8197: Sync of the catalog file completed.
#Description
Sync of the catalog file completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
Event ID 8198: The Catalog Database is being rebuilt for subsystem Subsystem.
#Event ID 8199: Rebuild of the Catalog Database for the chosen subsystem has completed.
#Description
Rebuild of the Catalog Database for the chosen subsystem has completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
Event ID 8200: A hash of type Algorithm, length Length and value Value is being searched for in subsystem Subsystem.
#Description
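A hash of type Algorithm, length Length and value Value is being searched for in subsystem Subsystem. In the example below the numeric `system` fields (`event_id`, `version`, `level`, `task`, `opcode`, `process_id`, `thread_id`) are strings, where the Operational- and Application-channel examples on this page use numbers, and `event_record_id` is 0 with an empty `computer`; normalize these types before correlating this event with others.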
Message #
Fields #
| Name | Description |
|---|---|
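Subsystem UnicodeString | GUID of the catalog subsystem being searched, in braces |
Algorithm UnicodeString | Name of the hash algorithm (`SHA256` in the example) |
Length UInt16 | Hash length; `32` in the example, which matches a SHA-256 digest in bytes |
Value Binary | The hash being searched for, shown in the example as `0x`-prefixed uppercase hex |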
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": "8200",
"version": "0",
"level": "4",
"task": "504",
"opcode": "1",
"keywords": 2305843009213694976,
"time_created": "2026-03-15T04:33:35.927555800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{41e24003-66ef-4c4c-bc94-d04eacefbd05}"
},
"execution": {
"process_id": "3884",
"thread_id": "11064"
},
"channel": "Microsoft-Windows-CAPI2/Catalog Database Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Subsystem": "{127D0A1D-4EF2-11D1-8608-00C04FC295EE}",
"Algorithm": "SHA256",
"Length": "32",
"Value": "0xCDFFB01C853487D9DE0CC720C74021BDE443DD9CC0C399017C194290332B43C1"
},
"message": ""
}
Event ID 8201: The hash search completed and was found in Count catalogs.
#Description
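The hash search completed and was found in Count catalogs. Status Status. This event does not carry the hash itself; the 8200 and 8201 examples on this page share the same `correlation.ActivityID`, so join on that value to learn which hash a given result (including a Count of 0) refers to.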
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
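Count UInt32 | Number of catalogs in which the hash was found; the example renders it as the string `" 0"` with a leading space, so trim it before parsing as a number |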
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CAPI2",
"guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
"event_source_name": "",
"event_id": "8201",
"version": "0",
"level": "4",
"task": "504",
"opcode": "2",
"keywords": 2305843009213694976,
"time_created": "2026-03-15T04:33:35.927601800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{41e24003-66ef-4c4c-bc94-d04eacefbd05}"
},
"execution": {
"process_id": "3884",
"thread_id": "11064"
},
"channel": "Microsoft-Windows-CAPI2/Catalog Database Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": "0x0",
"Count": " 0"
},
"message": ""
}
Event ID 8202: Sync of subsystem Subsystem has started.
#Event ID 8203: Sync of the subsystem completed.
#Description
Sync of the subsystem completed. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}
Defined in crypt32.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02