
4693 Recovery of data protection master key was attempted

Logged when recovery of a DPAPI master key is attempted. It means the master key could not be decrypted with the key derived from the user's password, so the client asked a domain controller to decrypt the backup copy that is protected with the domain's DPAPI backup key.

Overview

The subcategory is Audit DPAPI Activity. When a domain-joined client generates a master key, DPAPI also encrypts a copy of it with the domain-wide DPAPI public key obtained from a domain controller and stores that backup copy next to the copy protected by the user's password. When unprotecting data, if the password-protected copy cannot be used, the client sends the backup copy to a domain controller over a mutually authenticated, privacy-protected RPC call; the DC decrypts it with the domain's DPAPI private key and returns the master key over the same protected channel, so the key is never exposed on the wire. An event is generated for each such recovery attempt, whether or not it succeeds. It is logged on the computer where the unprotect operation runs: domain controllers, member servers, and workstations.

How it is triggered

  • When the password-derived key cannot open the master key and recovery is performed with the domain backup key. The typical case is an administrative password reset: the user's existing master keys are still protected with the old password, so the first time the user opens DPAPI-protected data afterwards the client falls back to recovery through a domain controller.

Security review points

  • DPAPI master-key recovery by an unexpected subject, from an unexpected host, or at an unexpected time can indicate an attempt to reach DPAPI-protected data such as stored credentials, browser secrets, or private keys. Review it together with the backup side, event 4692 (Backup of data protection master key was attempted), which records the creation of the backup copy that recovery depends on.
  • If an attacker obtains the domain DPAPI backup key (the domain-wide recovery key held by the domain controllers), they can decrypt the backup copy of any domain user's master keys, and with them that user's DPAPI-protected data, without knowing the user's password. Because that key is not rotated automatically, the exposure persists after the initial compromise. Anomalies in recovery activity matter from this angle too, since they can reveal an attacker exercising recovery against accounts they do not own.

Notes for log review

  • It also occurs in normal operation, typically the first time a user opens DPAPI-protected data after an administrator has reset their password. Compare the subject, the host, the recovery server, and the frequency per subject against the established baseline before treating an occurrence as suspicious.
  • It is recorded only where the Audit DPAPI Activity subcategory is enabled (Success and/or Failure as required).
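The review points above can be turned into a repeatable check. The following PowerShell is an added example and not code from the original page: it parses 4693 records in the XML form that Get-WinEvent returns, then applies a simple baseline (known domain controllers, working hours, a per-subject rate limit, and a service-account naming pattern) and reports the records that deviate from it. The EventData entry names it reads (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, MasterKeyId, RecoveryServer), the host names, SIDs, GUIDs, and every baseline value are assumptions chosen for illustration; adjust them to the environment under review.

```powershell
# Added example, not taken from the original page: parse Security event 4693
# records and flag DPAPI master-key recoveries that deviate from a baseline.
# Assumed: the EventData field names used below, and all baseline values.

# Builds one constructed 4693 record in the XML shape EventRecord.ToXml() returns.
function New-Sample4693 {
    param($Time, $Computer, $Sid, $User, $Domain, $LogonId, $MasterKeyId, $Server)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4693</EventID><TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">$Sid</Data><Data Name="SubjectUserName">$User</Data>
    <Data Name="SubjectDomainName">$Domain</Data><Data Name="SubjectLogonId">$LogonId</Data>
    <Data Name="MasterKeyId">$MasterKeyId</Data><Data Name="RecoveryServer">$Server</Data>
  </EventData>
</Event>
"@
}

# Constructed sample data (host names, SIDs and GUIDs are made up):
# record 1 is an ordinary weekday recovery, record 2 is a service account
# recovering at night, records 3-5 are one user recovering three keys in five minutes.
$SampleEvents = @(
    (New-Sample4693 '2024-05-06T10:15:02Z' 'WS01.corp.example'  'S-1-5-21-10-20-30-1101' 'alice'      'CORP' '0x3e7a1' '4f2a9c1e-7d3b-4b6e-9a1c-2e5f8d7c6b1a' 'DC01.corp.example'),
    (New-Sample4693 '2024-05-06T03:12:40Z' 'SRV02.corp.example' 'S-1-5-21-10-20-30-1300' 'svc-backup' 'CORP' '0x51c22' '9b0d2e7f-1c44-4f9a-8e63-7a1b5c2d3e4f' 'DC02.corp.example'),
    (New-Sample4693 '2024-05-06T10:40:11Z' 'WS07.corp.example'  'S-1-5-21-10-20-30-1142' 'bob'        'CORP' '0x7a910' 'c1d2e3f4-5a6b-4c7d-8e9f-0a1b2c3d4e5f' 'DC01.corp.example'),
    (New-Sample4693 '2024-05-06T10:42:35Z' 'WS07.corp.example'  'S-1-5-21-10-20-30-1142' 'bob'        'CORP' '0x7a910' 'd2e3f4a5-6b7c-4d8e-9f0a-1b2c3d4e5f6a' 'DC01.corp.example'),
    (New-Sample4693 '2024-05-06T10:44:58Z' 'WS07.corp.example'  'S-1-5-21-10-20-30-1142' 'bob'        'CORP' '0x7a910' 'e3f4a5b6-7c8d-4e9f-0a1b-2c3d4e5f6a7b' 'DC01.corp.example')
)

# Turns the XML of one 4693 record into a flat object with the fields worth reviewing.
function ConvertFrom-Event4693 {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time           = [datetimeoffset]::Parse($doc.Event.System.TimeCreated.SystemTime).UtcDateTime
        Computer       = $doc.Event.System.Computer
        Subject        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId        = $data['SubjectLogonId']
        MasterKeyId    = $data['MasterKeyId']
        RecoveryServer = $data['RecoveryServer']
    }
}

function New-Finding($Event, $Reason) {
    [pscustomobject]@{ Time = $Event.Time; Subject = $Event.Subject; Computer = $Event.Computer; Reason = $Reason }
}

# Applies the baseline: per-record checks first, then a per-subject rate check
# over a sliding one-hour window. Baseline values are assumptions.
function Find-SuspiciousRecovery {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$KnownDomainControllers = @('DC01.corp.example', 'DC02.corp.example'),
        [int]$WorkdayStartUtc = 7,
        [int]$WorkdayEndUtc   = 19,
        [int]$MaxPerSubjectPerHour = 2
    )
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        if ($KnownDomainControllers -notcontains $e.RecoveryServer) {
            $findings.Add((New-Finding $e "recovery server $($e.RecoveryServer) is not a known domain controller"))
        }
        if ($e.Time.Hour -lt $WorkdayStartUtc -or $e.Time.Hour -ge $WorkdayEndUtc) {
            $findings.Add((New-Finding $e 'recovery outside working hours'))
        }
        if ($e.Subject -match '\\svc-' -or $e.Subject.EndsWith('$')) {
            $findings.Add((New-Finding $e 'service or machine account recovering a master key'))
        }
    }
    foreach ($g in ($Events | Group-Object Subject)) {
        $times = @($g.Group | ForEach-Object Time | Sort-Object)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $times[$i].AddHours(1) })
            if ($inWindow.Count -gt $MaxPerSubjectPerHour) {
                $findings.Add((New-Finding $g.Group[0] "$($inWindow.Count) recoveries within one hour"))
                break
            }
        }
    }
    $findings
}

# Run against the constructed sample.
$events = $SampleEvents | ForEach-Object { ConvertFrom-Event4693 $_ }
Find-SuspiciousRecovery -Events $events | Sort-Object Time | Format-Table -AutoSize

# Against a live host (reading the Security log requires administrative rights):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4693 } |
#             ForEach-Object { ConvertFrom-Event4693 $_.ToXml() }
# Find-SuspiciousRecovery -Events $live
```

By construction the first record passes every check, the service-account record trips the working-hours and naming checks, and the three recoveries by the same user in five minutes trip the rate check. The checks are deliberately independent so that each reason can be tuned or removed without affecting the others; in a real review the known-DC list should come from the directory rather than a literal, and the rate threshold should be set from observed helpdesk reset volumes.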

Key fields

Field                  Meaning
Subject\Account Name   The account that requested the recovery (the user whose master key is being unprotected)
Master Key ID          The identifier (GUID) of the master key being recovered
Recovery Server        The domain controller that decrypted the backup copy of the master key
