5064 A cryptographic context operation was attempted
Written when an operation on a cryptographic context is attempted. It is one of a family of events capturing CNG (next-generation cryptography API) configuration operations.
Overview
The subcategory is Audit Other Policy Change Events. It is generated when an operation on a CNG (Cryptography Next Generation: the Windows crypto API) cryptographic context is attempted. It is a crypto-configuration audit event of the same family as crypto provider operation 5063.
How it is triggered
- Operations such as creating or referencing a cryptographic context.
Security review points
- It is a configuration-operation event with low individual security value. Confirm, together with other crypto events (5063, 5065-5070), whether crypto-configuration operations by an unexpected process are part of tampering with the cryptographic module.
Notes for log review
- It normally appears in legitimate cryptographic processing. Monitor crypto-configuration events as a group rather than alone, and note unfamiliar operations.
Key fields
| Field | Meaning |
|---|---|
Operation | The operation type |
Subject / Process Name | The origin |