Microsoft-Windows-Crypto-DPAPI

28 events across 3 channels

Event	Title	Channel	Sample
1	DPAPI created Master key.	Operational	Y
2	DPAPI deleted Master key.	Operational	N
3	Master key access failed.	Operational	Y
4	Password Change triggered.	Operational	N
5	Synchronization of Master keys triggered.	Operational	Y
4097	DPAPI BackUp service started	BackUpKeySvc	Y
4098	DPAPI BackUp service stopped	BackUpKeySvc	N
4099	DPAPI BackUp service setup of preferred backup keys failed.	BackUpKeySvc	Y
8193	System credentials creation in LSASS failed.	Debug	N
8194	DPAPI Master key file open failed.	Debug	Y
8195	Master key encryption in memory failed	Debug	N
8196	Master key decryption in memory failed	Operational	Y
8197	DPAPI Protect failed.	Debug	Y
8198	DPAPI Unprotect failed.	Operational	Y
8199	Synchronization of Master keys failed.	Operational	N
8200	Master key's record successfully logged to Diagnostic file.	Operational	Y
8201	Master key's record failed to log to Diagnostic file.	Operational	N
8202	Master Key decryption failed but a record of this key can be found in the …	Operational	N
8203	Master Key decryption failed because no record of this key can be found in the …	Operational	N
8204	Master Key decryption failed because the encryption cred mismatches the …	Operational	N
8205	Master Key decryption failed but the encryption cred matches the decryption …	Operational	N
8206	CredHist file decryption failed	Operational	N
8207	Diagnostic File operation received a NULL credential key.	Operational	N
12289	DPAPI found credential key.	Operational	Y
12290	Credential key does not exist.	Operational	Y
16385	DPAPIDefInformationEvent	Debug	Y
16386	DPAPI tried to backup its master key.	Operational	N
16387	DPAPI tried to backup its master key.	Operational	Y

Event ID 1: DPAPI created Master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: MasterKeyOperation

Description

DPAPI created Master key.

Message #

DPAPI created Master key.

 	GUID: %1
 	User Storage Area: %2

Fields #

Name	Description
`MasterKeyGUID` GUID	GUID.
`UserStorage` UnicodeString	User Storage Area.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775806,
    "time_created": "2026-06-13T13:36:48.4202398+00:00",
    "event_record_id": 74,
    "correlation": {
      "ActivityID": "{AA49AB17-FAF4-0001-7CAB-49AAF4FADC01}"
    },
    "execution": {
      "process_id": 736,
      "thread_id": 7832
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MasterKeyGUID": "{097f72cf-d3d1-4e88-b670-11717d568e8a}",
    "UserStorage": "C:\\Windows\\ServiceProfiles\\MSSQL$MICROSOFT##WID\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534\\"
  },
  "message": "DPAPI created Master key.\r\n\r\n \tGUID:\t{097f72cf-d3d1-4e88-b670-11717d568e8a}\r\n \tUser Storage Area:\tC:\\Windows\\ServiceProfiles\\MSSQL$MICROSOFT##WID\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534\\\r\n"
}

Event ID 2: DPAPI deleted Master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

DPAPI deleted Master key.

Message #

DPAPI deleted Master key.

 	GUID: %1
 	User Storage Area: %2

Fields #

Name	Description
`MasterKeyGUID` UnicodeString
`UserStorage` UnicodeString

Event ID 3: Master key access failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: MasterKeyOperation

Description

Master key access failed.

Message #

Master key access failed.

 	GUID: %1
 	Success: %2
 	Last error: %3
 	Master key disposition: %3

Fields #

Name	Description
`MasterKeyGUID` GUID
`Success` Boolean
`LastError` HexInt32
`MasterKeyDisposition` HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775806,
    "time_created": "2026-05-28T18:29:50.6476257+00:00",
    "event_record_id": 43,
    "correlation": {
      "ActivityID": "{AFDF3271-EE92-0002-8732-DFAF92EEDC01}"
    },
    "execution": {
      "process_id": 716,
      "thread_id": 1720
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MasterKeyGUID": "{5c91a8ca-6778-4e10-bd5c-52d13d4ddb51}",
    "Success": "false",
    "LastError": "0x0",
    "MasterKeyDisposition": "0x3"
  },
  "message": "Master key access failed.\r\n\r\n \tGUID:\t\t\t{5c91a8ca-6778-4e10-bd5c-52d13d4ddb51}\r\n \tSuccess:\t\t\tfalse\r\n \tLast error:\t\t0x0\r\n \tMaster key disposition:\t0x0\r\n"
}

Event ID 4: Password Change triggered.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

Password Change triggered.

Message #

Password Change triggered.

 	Status: %1

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference

Event ID 5: Synchronization of Master keys triggered.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: MasterKeyOperation

Description

Synchronization of Master keys triggered.

Message #

Synchronization of Master keys triggered.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775806,
    "time_created": "2026-05-29T16:33:59.0826077+00:00",
    "event_record_id": 110,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 3340
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "Synchronization of Master keys triggered."
}

Event ID 4097: DPAPI BackUp service started

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: BackUpKeySvc
Level: Informational
Task: BackUpServiceOperation

Description

DPAPI BackUp service started.

Message #

DPAPI BackUp service started

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 4097,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2026-05-29T16:32:50.8059877+00:00",
    "event_record_id": 14,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 816
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "DPAPI BackUp service started"
}

Event ID 4098: DPAPI BackUp service stopped

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: BackUpKeySvc
Task: BackUpServiceOperation

Description

DPAPI BackUp service stopped.

Message #

DPAPI BackUp service stopped

Event ID 4099: DPAPI BackUp service setup of preferred backup keys failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: BackUpKeySvc
Level: Error
Task: BackUpServiceOperation

Description

DPAPI BackUp service setup of preferred backup keys failed.

Message #

DPAPI BackUp service setup of preferred backup keys failed.
 	%1
 	Error code: %2

Fields #

Name Description

Name	Description
`FailureReason` UnicodeString	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` HexInt32	Error code. NTSTATUS reference

FailureReason UnicodeString

Known values

%%2304: An Error occured during Logon.
%%2305: The specified user account has expired.
%%2306: The NetLogon component is not active.
%%2307: Account locked out.
%%2308: The user has not been granted the requested logon type at this machine.
%%2309: The specified account's password has expired.
%%2310: Account currently disabled.
%%2311: Account logon time restriction violation.
%%2312: User not allowed to logon at this computer.
%%2313: Unknown user name or bad password.
%%2314: Domain sid inconsistent.
%%2315: Smartcard logon is required and was not used.

Status HexInt32 Error code. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 4099,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2026-05-28T00:58:55.8186179+00:00",
    "event_record_id": 3,
    "correlation": {
      "ActivityID": "{601F25A9-EE3B-0001-1626-1F603BEEDC01}"
    },
    "execution": {
      "process_id": 680,
      "thread_id": 4288
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FailureReason": "Getting preferred backup key GUID failed.",
    "Status": "0xc0000034"
  },
  "message": "DPAPI BackUp service setup of preferred backup keys failed.\r\n \tGetting preferred backup key GUID failed.\r\n \tError code: 0xC0000034\r\n"
}

Event ID 8193: System credentials creation in LSASS failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Task: MasterKeyOperation

Description

System credentials creation in LSASS failed.

Message #

System credentials creation in LSASS failed. 

 	Status: %1

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference

Event ID 8194: DPAPI Master key file open failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Level: Error
Task: MasterKeyOperation

Description

DPAPI Master key file open failed.

Message #

DPAPI Master key file open failed.

 	FileName: %1
 	Access: %2

Fields #

Name	Description
`FileName` UnicodeString
`Access` HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8194,
    "version": 0,
    "level": 2,
    "task": 2,
    "opcode": 0,
    "keywords": 2305843009213693954,
    "time_created": "2026-03-13T22:00:14.597294+00:00",
    "event_record_id": 302,
    "correlation": {
      "ActivityID": "FEA40379-5168-4493-AA3C-6999C3C385A3"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 4348
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileName": "SYNCHIST",
    "Access": "0x80000000"
  },
  "message": ""
}

Event ID 8195: Master key encryption in memory failed

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Task: MasterKeyOperation

Description

Master key encryption in memory failed.

Message #

Master key encryption in memory failed

Event ID 8196: Master key decryption in memory failed

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Error
Task: MasterKeyOperation

Description

Master key decryption in memory failed.

Message #

Master key decryption in memory failed

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 8196,
    "version": 0,
    "level": 2,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775806,
    "time_created": "2026-05-28T03:43:48.0257120+00:00",
    "event_record_id": 31,
    "correlation": {
      "ActivityID": "{601F25A9-EE3B-0001-1626-1F603BEEDC01}"
    },
    "execution": {
      "process_id": 680,
      "thread_id": 5384
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Master key decryption in memory failed"
}

Event ID 8197: DPAPI Protect failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Level: Error
Task: DataProtectionOperation

Description

DPAPI Protect failed .

Message #

DPAPI Protect failed .

 	Status: %1
 	ReasonForFailure: %2

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference
`ReasonForFailure` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8197,
    "version": 0,
    "level": 2,
    "task": 4,
    "opcode": 0,
    "keywords": 2305843009213693956,
    "time_created": "2026-03-13T20:16:23.515882+00:00",
    "event_record_id": 38,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 8876
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0x2",
    "ReasonForFailure": 6
  },
  "message": ""
}

Event ID 8198: DPAPI Unprotect failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Error
Task: DataProtectionOperation

Description

DPAPI Unprotect failed .

Message #

DPAPI Unprotect failed .

 	Status: %1
 	ReasonForFailure: %2

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference
`ReasonForFailure` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8198,
    "version": 0,
    "level": 2,
    "task": 4,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-13T20:16:26.151897+00:00",
    "event_record_id": 178,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 7192
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0x91012",
    "ReasonForFailure": 0
  },
  "message": ""
}

Event ID 8199: Synchronization of Master keys failed.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: MasterKeyOperation

Description

Synchronization of Master keys failed.

Message #

Synchronization of Master keys failed. 

 	Credential Key Identifier: %1
 	User Name: %2
 	User Sid: %3

Fields #

Name	Description
`CredKeyIdentifier` Binary
`UserName` UnicodeString
`UserSid` SID

Event ID 8200: Master key's record successfully logged to Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: DiagnosticFileCheck

Description

Master key's record successfully logged to Diagnostic file.

Message #

Master key's record successfully logged to Diagnostic file.

 	GUID: %1
 	EncryptCredID: %2
 	EncryptCredKey: %3

Fields #

Name	Description
`MasterKeyGUID` GUID	GUID.
`EncryptCredID` GUID
`EncryptCredKey` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 8200,
    "version": 0,
    "level": 4,
    "task": 32,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-11-06T06:23:22.525334+00:00",
    "event_record_id": 52,
    "correlation": {
      "ActivityID": "626F7C94-1079-0002-5F7D-6F627910DA01"
    },
    "execution": {
      "process_id": 848,
      "thread_id": 888
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MasterKeyGUID": "8E755BE6-88EB-4BF9-8FCE-4B1358A2DEAC",
    "EncryptCredID": "00000000-0000-0000-0000-000000000000",
    "EncryptCredKey": "0163A518CE6A252FD79B229C27BC6BEB9D05710A"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8201: Master key's record failed to log to Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master key's record failed to log to Diagnostic file.

Message #

Master key's record failed to log to Diagnostic file.

 	GUID: %1

Fields #

Name	Description
`MasterKeyGUID` GUID

Event ID 8202: Master Key decryption failed but a record of this key can be found in the Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed but a record of this key can be found in the Diagnostic file.

Message #

Master Key decryption failed but a record of this key can be found in the Diagnostic file.

 	GUID: %1

Fields #

Name	Description
`MasterKeyGUID` GUID

Event ID 8203: Master Key decryption failed because no record of this key can be found in the Diagnostic file.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed because no record of this key can be found in the Diagnostic file.

Message #

Master Key decryption failed because no record of this key can be found in the Diagnostic file.

 	GUID: %1

Fields #

Name	Description
`MasterKeyGUID` GUID

Event ID 8204: Master Key decryption failed because the encryption cred mismatches the decryption cred.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed because the encryption cred mismatches the decryption cred.

Message #

Master Key decryption failed because the encryption cred mismatches the decryption cred.

 	GUID: %1
 	EncryptCredID: %2
 	EncryptCredKey: %3
 	DecryptCredID: %4
 	DecryptCredKey: %5

Fields #

Name	Description
`MasterKeyGUID` GUID
`EncryptCredID` GUID
`EncryptCredKey` Binary
`DecryptCredID` GUID
`DecryptCredKey` Binary

Event ID 8205: Master Key decryption failed but the encryption cred matches the decryption cred.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Master Key decryption failed but the encryption cred matches the decryption cred.

Message #

Master Key decryption failed but the encryption cred matches the decryption cred.

 	GUID: %1
 	EncryptCredID: %2
 	EncryptCredKey: %3
 	DecryptCredID: %4
 	DecryptCredKey: %5

Fields #

Name	Description
`MasterKeyGUID` GUID
`EncryptCredID` GUID
`EncryptCredKey` Binary
`DecryptCredID` GUID
`DecryptCredKey` Binary

Event ID 8206: CredHist file decryption failed

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: CredentialHistoryFileOperation

Description

CredHist file decryption failed.

Message #

CredHist file decryption failed

Event ID 8207: Diagnostic File operation received a NULL credential key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DiagnosticFileCheck

Description

Diagnostic File operation received a NULL credential key.

Message #

Diagnostic File operation received a NULL credential key.

Event ID 12289: DPAPI found credential key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: CredentialKeyOperation

Description

DPAPI found credential key.

Message #

DPAPI found credential key.

 	Credential Key Identifier: %1
 	User Name: %2
 	User Sid: %3

Fields #

Name	Description
`CredKeyIdentifier` Binary	Credential Key Identifier.
`UserName` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 12289,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": -9223372036854775800,
    "time_created": "2026-05-29T16:33:48.1518335+00:00",
    "event_record_id": 109,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 3340
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CredKeyIdentifier": "D144A85A3E7C1B5F923F0A3553749C082ED573FDEFAC49E97C7BB0BFF4D8BA17",
    "UserName": "cell-a\\domainadmin",
    "UserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105"
  },
  "message": "DPAPI found credential key.\r\n\r\n \tCredential Key Identifier:\t0xD144A85A3E7C1B5F923F0A3553749C082ED573FDEFAC49E97C7BB0BFF4D8BA17\r\n \tUser Name:\tcell-a\\domainadmin\r\n \tUser Sid:\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n"
}

Event ID 12290: Credential key does not exist.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: CredentialKeyOperation

Description

Credential key does not exist.

Message #

Credential key does not exist.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 12290,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": 9223372036854775816,
    "time_created": "2026-02-10T04:20:55.655423+00:00",
    "event_record_id": 47,
    "correlation": {
      "ActivityID": "43A6D212-9A2A-0001-97D2-A6432A9ADC01"
    },
    "execution": {
      "process_id": 240,
      "thread_id": 880
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 16385: DPAPIDefInformationEvent

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Debug
Also via: realtime ETW trace
Level: Informational
Task: DPAPIDefInformationTaskMessage

Description

DPAPIDefInformationEvent.

Message #

DPAPIDefInformationEvent

Fields #

Name	Description
`OperationType` UnicodeString	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`DataDescription` UnicodeString
`MasterKeyGUID` GUID
`Flags` UInt32
`ProtectionFlags` UInt32
`ReturnValue` UInt32
`CallerProcessStartKey` UInt64
`CallerProcessID` UInt32
`CallerProcessCreationTime` UInt64
`PlainTextDataSize` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "89FE8F40-CDCE-464E-8217-15EF97D4C7C3",
    "event_source_name": "",
    "event_id": 16385,
    "version": 0,
    "level": 4,
    "task": 64,
    "opcode": 0,
    "keywords": 2305843009213694016,
    "time_created": "2026-03-13T20:00:14.091877+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 2796
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Debug",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "OperationType": "SPCryptProtect",
    "DataDescription": "CryptoAPI Private Key",
    "MasterKeyGUID": "136A714A-6B76-4E4F-A4DB-98C60F841100",
    "Flags": 4,
    "ProtectionFlags": 4,
    "ReturnValue": 0,
    "CallerProcessStartKey": 3377699720528945,
    "CallerProcessID": 9080,
    "CallerProcessCreationTime": 134179056135234796,
    "PlainTextDataSize": 388
  },
  "message": ""
}

Community Notes #

Exposes the DPAPI operations (protect/unprotect) and the calling process. Disabled by default. See this Google Security blog post: Detecting browser data theft using Windows Event Logs.

Event ID 16386: DPAPI tried to backup its master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Task: DPAPIMasterKeyBackup

Description

DPAPI tried to backup its master key.

Message #

DPAPI tried to backup its master key.
Fallback backup is enabled.

Fields #

Name	Description
`fLegacy` Boolean
`fWeakCrypt` Boolean
`dwFallbackLastError` UInt32
`dwEncryptLastError` UInt32
`dwRestoreLastError` UInt32

Event ID 16387: DPAPI tried to backup its master key.

Provider: Microsoft-Windows-Crypto-DPAPI
Channel: Operational
Level: Informational
Task: DPAPIMasterKeyBackup_256

Description

DPAPI tried to backup its master key.

Message #

DPAPI tried to backup its master key.
Fallback backup is disabled.

Fields #

Name	Description
`fLegacy` Boolean
`fWeakCrypt` Boolean
`dwLastError` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Crypto-DPAPI",
    "guid": "{89FE8F40-CDCE-464E-8217-15EF97D4C7C3}",
    "event_source_name": "",
    "event_id": 16387,
    "version": 0,
    "level": 4,
    "task": 256,
    "opcode": 0,
    "keywords": -9223372036854775552,
    "time_created": "2026-04-17T20:04:41.3564432+00:00",
    "event_record_id": 774,
    "correlation": {
      "ActivityID": "{5D13569F-CEA5-0001-1F57-135DA5CEDC01}"
    },
    "execution": {
      "process_id": 1096,
      "thread_id": 1496
    },
    "channel": "Microsoft-Windows-Crypto-DPAPI/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "fLegacy": "false",
    "fWeakCrypt": "false",
    "dwLastError": "58"
  },
  "message": "DPAPI tried to backup its master key.\r\nFallback backup is disabled."
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {89FE8F40-CDCE-464E-8217-15EF97D4C7C3}

Defined in dpapisrv.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)