Unprotection of auditable protected data was attempted
This event has to do with the Data Protection API.
Per Microsoft: "The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential."
Apparently a program running under the account documented in Subject: tried to decrypt a blob with the CryptUnprotectData function and failed. Status code 0x8009000b is pretty general. Most often it means one of the following:
- The user password has changed and the automatic reprocessing of keys based on the user password failed.
- The blob was encrypted by a different user than the one now trying to decrypt it.
So it's possible that this event could indicate malicious behavior, but I've seen it logged during the course of normal operation on a clean, isolated test system too.
For more information on DPAPI see http://support.microsoft.com/kb/309408
- Security ID: %1
- Account Name: %2
- Account Domain: %3
- Logon ID: %4
- Data Description: %6
- Key Identifier: %5
- Protected Data Flags: %7
- Protection Algorithms: %8
Unprotection of auditable protected data was attempted.
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x192a4
Data Description: AntiPhishing filter DAT file verification
Key Identifier: ec9796fd-fa87-460d-8bf2-25e0a01ddf82
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Status Code: 0x8009000b
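
Because the same status code shows up both in normal operation and in suspicious activity, it helps to summarize these events per account before investigating. The following Python code is an added example, not part of the original page: it parses event text in the layout shown above and counts failed unprotect attempts and the distinct key identifiers involved for each account. The `svc-test` records, the helper names and the distinct-key threshold are assumptions made for illustration.

```python
from collections import defaultdict

FAILED_STATUS = "0x8009000b"  # status code from the sample event on this page

# Constructed template in the layout of the sample event above.
TEMPLATE = (
    "Unprotection of auditable protected data was attempted.\n"
    "Security ID: {dom}\\{acct}\nAccount Name: {acct}\nAccount Domain: {dom}\n"
    "Logon ID: 0x192a4\nData Description: {desc}\nKey Identifier: {key}\n"
    "Protected Data Flags: 0x0\nProtection Algorithms: 3DES-168 , SHA1-160\n"
    "Status Code: {status}\n"
)

def make_event(acct, desc, key, status=FAILED_STATUS, dom="WIN-R9H529RIO4Y"):
    return TEMPLATE.format(acct=acct, desc=desc, key=key, status=status, dom=dom)

# Constructed sample data: the first record repeats the page's event twice;
# the "svc-test" records and their key identifiers are made up.
SAMPLE_EVENTS = [
    make_event("Administrator", "AntiPhishing filter DAT file verification",
               "ec9796fd-fa87-460d-8bf2-25e0a01ddf82"),
] * 2 + [
    make_event("svc-test", "constructed blob %d" % i,
               "00000000-0000-0000-0000-00000000000%d" % i) for i in range(1, 4)
]

def parse_event(text):
    """Turn the 'Name: value' lines of the event message into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def triage(events, key_threshold=3):
    """Per-account failure summary; key_threshold is an assumed cut-off."""
    keys, counts = defaultdict(set), defaultdict(int)
    for fields in map(parse_event, events):
        if fields.get("Status Code", "").lower() != FAILED_STATUS:
            continue
        account = fields["Account Domain"] + "\\" + fields["Account Name"]
        counts[account] += 1
        keys[account].add(fields["Key Identifier"].lower())
    return {a: {"failures": counts[a], "distinct_keys": len(keys[a]),
                "review": len(keys[a]) >= key_threshold} for a in counts}

if __name__ == "__main__":
    for account, summary in triage(SAMPLE_EVENTS).items():
        print(account, summary)
```

An account that repeatedly fails against one key identifier with the same data description looks like the routine noise described above, while failures spread across many key identifiers fit the "encrypted by a different user" cause and deserve a closer look.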