4692 Backup of data protection master key was attempted
Written when a backup of the DPAPI (Windows data protection mechanism) master key is attempted. It relates to the key for a user’s protected data, such as credentials.
Overview
The subcategory is Audit DPAPI Activity. It is generated when a backup of the DPAPI (Data Protection API: a mechanism that encrypts passwords, certificates, and the like, tied to a user’s credentials) master key is attempted. On domain-joined machines, the user’s master key is backed up encrypted with the domain controller’s public key, so protected data can be recovered even after a password reset.
How it is triggered
- When a domain-joined machine sends a backup request for the user's master key to a domain controller over RPC, either at master-key generation or periodically afterwards.
- The backup is performed over a mutually authenticated, privacy-protected RPC call to the DC, using the DC's backup key pair.
Security review points
- DPAPI protects things like browser-stored passwords and Credential Manager entries. Attackers sometimes target the DPAPI master key or the domain backup key, so anomalies in DPAPI activity are notable in the context of credential theft.
- Together with its recovery-side counterpart, event 4693, track whose master key was backed up or recovered, and when.
Notes for log review
- This event occurs as part of legitimate routine activity. Learn the normal patterns of subject, target user, and frequency, and watch for unexpected subjects or bursts.
- The event is not recorded unless the Audit DPAPI Activity subcategory is enabled; enable it when you want to monitor credential protection.
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The subject that requested the backup |
| Master Key ID | The identifier of the target master key |
| Recovery Server | The backup destination (a domain controller) |
Glossary
- DPAPI — a Windows mechanism that encrypts data tied to a user’s credentials. It is used for things like browser password storage.