4694 Protection of auditable protected data was attempted
Written when DPAPI protection of data is attempted with the audit flag set. It captures data protection that an application deliberately marked for auditing.
Overview
The subcategory is Audit DPAPI Activity. It is generated when the CryptProtectData() function is called with the CRYPTPROTECT_AUDIT flag enabled. In other words, it appears only when an application explicitly states “audit this protection operation.” The original docs give no example.
How it is triggered
- When an application calls CryptProtectData() with the CRYPTPROTECT_AUDIT flag to protect data.
Security review points
- Because few applications use this flag, the event's presence in itself indicates “a protection operation designated for auditing.” Correlate it with the matching decryption event 4695 to track which data was protected and unprotected.
- It is for tracking a specific application’s DPAPI use rather than general credential-protection monitoring.
Notes for log review
- Limited to flagged protection, so the volume is low. Confirm that the application and context producing it are as expected.
- It is recorded only where DPAPI Activity auditing is enabled.
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The subject that performed the protection |
| Data Description | A description of the protected data (set by the application) |
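
The review steps above (pair 4694 with 4695, and confirm that the producing account and context are expected), as an added Python example that is not from the original documentation. The records are constructed, and the dictionary keys, the allowlist and the choice to pair events on Data Description are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records, not real logs. "account" and "description" stand
# for the page's Subject\Account Name and Data Description fields; "time" and
# "event_id" are assumed to come from the event header.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4694, "account": "svc_backup", "description": "backup-vault-key"},
    {"time": "2024-05-01T09:05:00", "event_id": 4695, "account": "svc_backup", "description": "backup-vault-key"},
    {"time": "2024-05-01T11:30:00", "event_id": 4694, "account": "jdoe", "description": "export-token"},
    {"time": "2024-05-01T12:00:00", "event_id": 4695, "account": "svc_backup", "description": "unknown-blob"},
    {"time": "2024-05-01T12:30:00", "event_id": 4695, "account": "jdoe", "description": "backup-vault-key"},
]

# Hypothetical allowlist of (account, description) pairs expected to emit 4694.
EXPECTED = {("svc_backup", "backup-vault-key")}


def review(events, expected):
    """Return findings as (reason, time, account, description) tuples."""
    protectors = defaultdict(set)  # description -> accounts seen in 4694
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, desc = ev["account"], ev["description"]
        if ev["event_id"] == 4694:
            protectors[desc].add(acct)
            # Low-volume event: anything outside the expected context is worth a look.
            if (acct, desc) not in expected:
                findings.append(("unexpected-protect", ev["time"], acct, desc))
        elif ev["event_id"] == 4695:
            if desc not in protectors:
                # Unprotect attempt with no audited protect in the reviewed window.
                findings.append(("unprotect-without-protect", ev["time"], acct, desc))
            elif acct not in protectors[desc]:
                # Unprotect attempt by an account other than the one that protected.
                findings.append(("unprotect-by-other-account", ev["time"], acct, desc))
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS, EXPECTED):
        print(finding)
```
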