Windows Security Log Event ID 4695

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10
Category • Subcategory: Process Tracking • DPAPI Activity
Type: Failure
Corresponding events in Windows 2003 and before:


4695: Unprotection of auditable protected data was attempted

This event has to do with the Data Protection API. 

Per Microsoft: "The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential."

A program running under the account documented in Subject: tried to decrypt a DPAPI blob with the CryptUnprotectData function and failed. Status code 0x8009000b is a general failure code. Most often it means one of the following:

  • The user's password has changed and the automatic re-protection of the DPAPI master keys based on the new password failed.
  • The blob was protected by a different user than the one now trying to unprotect it.

So it is possible that this event indicates malicious behavior (for example, an attempt to decrypt another user's protected data), but I've seen it logged during the course of normal operation on a clean, isolated test system too. Treat a single 4695 as weak evidence and correlate it with the Subject, the Data Description and the Key Identifier before drawing conclusions.
For more information on DPAPI see http://support.microsoft.com/kb/309408

Description Fields in 4695

Subject:

  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Protected Data:

  •  Data Description: %6
  •  Key Identifier: %5
  •  Protected Data Flags: %7
  •  Protection Algorithms: %8

Status Information:

  •  Status Code: %9

Examples of 4695

Unprotection of auditable protected data was attempted.

Subject:

Security ID:  WIN-R9H529RIO4Y\Administrator
Account Name:  Administrator
Account Domain:  WIN-R9H529RIO4Y
Logon ID:  0x192a4

Protected Data:

Data Description: AntiPhishing filter DAT file verification
Key Identifier: ec9796fd-fa87-460d-8bf2-25e0a01ddf82
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160

Status Information:

Status Code: 0x8009000b
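The example event above, parsed into its description fields and annotated with this page's interpretation of status 0x8009000b. This is an added example, not code from the page or from Microsoft; the sample text is constructed from the example above, and the field labels follow the %1..%9 layout listed under "Description Fields in 4695".

```python
import re

# Constructed sample, modelled on the 4695 example text on this page.
SAMPLE_4695 = """Unprotection of auditable protected data was attempted.
Subject:
Security ID:  WIN-R9H529RIO4Y\\Administrator
Account Name:  Administrator
Account Domain:  WIN-R9H529RIO4Y
Logon ID:  0x192a4
Protected Data:
Data Description: AntiPhishing filter DAT file verification
Key Identifier: ec9796fd-fa87-460d-8bf2-25e0a01ddf82
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Status Information:
Status Code: 0x8009000b
"""

# Field labels as they appear in the 4695 description (%1..%9 on this page).
FIELDS = ["Security ID", "Account Name", "Account Domain", "Logon ID",
          "Data Description", "Key Identifier", "Protected Data Flags",
          "Protection Algorithms", "Status Code"]

def parse_4695(text: str) -> dict:
    """Return a dict of the 4695 description fields found in the event text."""
    out = {}
    for label in FIELDS:
        m = re.search(rf"^{re.escape(label)}:\s*(.+?)\s*$", text, re.MULTILINE)
        if m:
            out[label] = m.group(1)
    return out

# Meaning of the status code as described on this page; other codes are not documented here.
STATUS_NOTES = {
    0x8009000B: "general DPAPI failure: password change broke master-key re-protection, "
                "or the blob was protected by a different user",
}

def triage_4695(text: str) -> dict:
    """Parse one event and attach the page's interpretation of its status code."""
    fields = parse_4695(text)
    code = int(fields["Status Code"], 16)
    return {
        "subject": f'{fields["Account Domain"]}\\{fields["Account Name"]}',
        "key_identifier": fields["Key Identifier"],
        "data_description": fields["Data Description"],
        "status_code": code,
        "note": STATUS_NOTES.get(code, "status code not documented on this page"),
        # A single event is weak evidence; correlate across subjects and keys before acting.
        "needs_correlation": code == 0x8009000B,
    }
```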
