Question
I’m consistently getting four Audit Failure events, Event ID 5061, indicated in the Windows Logs — Security immediately after start. Task Category: System Integrity. Screenshots are indicated below. Is this a serious indication of a problem? How do I troubleshoot and repair?
This is a clean install and I moved the Users Folder and ProgramData Folder to D: with the AIK.
SFC reports no integrity violations.
I’ve searched the registry for the key, but it doesn’t appear.
Edited Monday, December 14, 2015 3:48 AM
Answers
SID: S-1-5-20
Name: NT Authority
Description: Network Service
Event : 5061
Probably Network Service is trying to start or access shares, Links etc
Similar thread : http://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/event-log-security-audit-failure/dde5c76f-1bb0-46cb-bc33-90a958b13de2?db=5
Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Marked as answer by tjg79, Monday, December 14, 2015 4:58 AM
title | 5061(S, F) Cryptographic operation. (Windows 10) |
description | Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider. |
ms.pagetype | security |
ms.prod | windows-client |
ms.mktglfcycl | deploy |
ms.sitesec | library |
ms.localizationpriority | none |
author | vinaypamnani-msft |
ms.date | 09/08/2021 |
ms.reviewer | |
manager | aaroncz |
ms.author | vinpa |
ms.technology | itpro-security |
ms.topic | reference |
5061(S, F): Cryptographic operation.
Subcategory: Audit System Integrity
Event Description:
This event is generated when a cryptographic operation (open key, create key, and so on) is performed using a Key Storage Provider (KSP). It is generated only if one of the following KSPs was used:
- Microsoft Software Key Storage Provider
- Microsoft Smart Card Key Storage Provider
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-14T19:42:08.104008000Z" />
    <EventRecordID>1048444</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="3496" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x38e2d</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">ECDH_P521</Data>
    <Data Name="KeyName">le-SuperAdmin-795fd6c1-2fae-4bef-a6bc-4f4d464bc083</Data>
    <Data Name="KeyType">%%2500</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x0</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
- Security ID [Type = SID]: SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can’t be resolved, you’ll see the source data in the event.
  Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
- Account Name [Type = UnicodeString]: the name of the account that requested specific cryptographic operation.
- Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following ones:
  - Domain NETBIOS name example: CONTOSO
  - Lowercase full domain name: contoso.local
  - Uppercase full domain name: CONTOSO.LOCAL
  - For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Cryptographic Parameters:
- Provider Name [Type = UnicodeString]: the name of KSP through which the operation was performed. Can have one of the following values:
  - Microsoft Software Key Storage Provider
  - Microsoft Smart Card Key Storage Provider
- Algorithm Name [Type = UnicodeString]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “UNKNOWN” value. Can also have one of the following values:
  - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman.
  - DSA – Digital Signature Algorithm.
  - DH – Diffie-Hellman.
  - ECDH_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length.
  - ECDH_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length.
  - ECDH_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length.
  - ECDSA_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length.
  - ECDSA_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length.
  - ECDSA_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length.
- Key Name [Type = UnicodeString]: the name of the key (key container) with which operation was performed. For example, to get the list of Key Names for certificates for logged in user you can use “certutil -store -user my” command and check Key Container parameter in the output. Here’s an output example:
- Key Type [Type = UnicodeString]: can have one of the following values:
  - “User key.” – user’s cryptographic key.
  - “Machine key.” – machine’s cryptographic key.
Cryptographic Operation:
- Operation [Type = UnicodeString]: performed operation. Possible values:
  - Open Key. – open existing cryptographic key.
  - Create Key. – create new cryptographic key.
  - Delete Key. – delete existing cryptographic key.
  - Sign hash. – cryptographic signing operation.
  - Secret agreement.
  - Key Derivation. – key derivation operation.
  - Encrypt. – encryption operation.
  - Decrypt. – decryption operation.
- Return Code [Type = HexInt32]: has “0x0” value for Success events. For failure events, provides a hexadecimal error code number.
Security Monitoring Recommendations
For 5061(S, F): Cryptographic operation.
- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (“Key Name”) or a specific “Operation”, such as “Delete Key”, create monitoring rules and use this event as an information source.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
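One way to build the monitoring rule recommended above, as an added example (it is not Microsoft's code and not from any post on this page): a Python parser for exported 5061 records in the Event XML layout shown earlier, which flags failures, watched key names and watched operations, and counts failures that repeat for the same key. The sample records are constructed from field values that appear on this page (the third is a constructed repeat with a made-up timestamp), and the function and parameter names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Raw event XML carries %% message placeholders. Only the two pairs that can be
# read off this page are mapped; any other placeholder is passed through as-is.
RENDERED = {"%%2500": "User key.", "%%2480": "Open Key."}

# 0x80090016 is NTE_BAD_KEYSET ("Keyset does not exist") in winerror.h.
RETURN_CODES = {0x0: "success", 0x80090016: "NTE_BAD_KEYSET (keyset does not exist)"}


def make_event(time, computer, sid, user, domain, logon_id, alg, key, rc):
    """Build one constructed 5061 record in the Event XML layout shown above."""
    fields = {
        "SubjectUserSid": sid, "SubjectUserName": user, "SubjectDomainName": domain,
        "SubjectLogonId": logon_id, "ProviderName": "Microsoft Software Key Storage Provider",
        "AlgorithmName": alg, "KeyName": key, "KeyType": "%%2500",
        "Operation": "%%2480", "ReturnCode": rc,
    }
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        f'<EventID>5061</EventID><TimeCreated SystemTime="{time}" />'
        f"<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>"
    )


# Constructed sample export: a root element wrapping three <Event> records.
SAMPLE_XML = "<Events>" + "".join([
    make_event("2015-10-14T19:42:08.104008000Z", "DC01.contoso.local",
               "S-1-5-21-3457937927-2839227994-823803824-1104", "dadmin", "CONTOSO",
               "0x38e2d", "ECDH_P521",
               "le-SuperAdmin-795fd6c1-2fae-4bef-a6bc-4f4d464bc083", "0x0"),
    make_event("2015-09-27T21:28:17.888978900Z", "WIN-SOA3U4S9MJA", "S-1-5-18",
               "WIN-SOA3U4S9MJA$", "WORKGROUP", "0x3e7", "RSA",
               "454822bd-d329-d1b0-4211-07ccee6df7b8", "0x80090016"),
    # Constructed repeat of the failure above at a later boot.
    make_event("2015-09-28T08:02:11.000000000Z", "WIN-SOA3U4S9MJA", "S-1-5-18",
               "WIN-SOA3U4S9MJA$", "WORKGROUP", "0x3e7", "RSA",
               "454822bd-d329-d1b0-4211-07ccee6df7b8", "0x80090016"),
]) + "</Events>"


def parse_5061(xml_text):
    """Return one dict per 5061 record; records with other event IDs are skipped."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        if system is None or system.findtext(NS + "EventID") != "5061":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        created = system.find(NS + "TimeCreated")
        rc = int(data.get("ReturnCode", "0x0"), 16)
        key_type, operation = data.get("KeyType", ""), data.get("Operation", "")
        events.append({
            "time": created.get("SystemTime") if created is not None else None,
            "computer": system.findtext(NS + "Computer"),
            "subject": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
            "sid": data.get("SubjectUserSid"),
            "logon_id": data.get("SubjectLogonId"),
            "algorithm": data.get("AlgorithmName"),
            "key_name": data.get("KeyName"),
            "key_type": RENDERED.get(key_type, key_type),
            "operation": RENDERED.get(operation, operation),
            "return_code": rc,
            "outcome": RETURN_CODES.get(rc, hex(rc)),
        })
    return events


def triage(events, watched_keys=frozenset(), watched_ops=frozenset()):
    """Flag failures plus any record touching a watched Key Name or Operation.

    watched_ops is compared with the rendered text when the placeholder is in
    RENDERED, otherwise with the raw value found in the record.
    """
    findings = []
    for ev in events:
        reasons = []
        if ev["return_code"] != 0:
            reasons.append("failure: " + ev["outcome"])
        if ev["key_name"] in watched_keys:
            reasons.append("watched key")
        if ev["operation"] in watched_ops:
            reasons.append("watched operation")
        if reasons:
            findings.append((ev["time"], ev["subject"], ev["key_name"], reasons))
    return findings


def recurring_failures(events, minimum=2):
    """Count failures per (computer, subject, key, outcome) and keep the repeats."""
    counts = Counter((e["computer"], e["subject"], e["key_name"], e["outcome"])
                     for e in events if e["return_code"] != 0)
    return {group: n for group, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    parsed = parse_5061(SAMPLE_XML)
    for finding in triage(parsed, watched_keys={parsed[0]["key_name"]}):
        print(finding)
    print(recurring_failures(parsed))
```

Grouping by key name separates a failure that repeats for one key on one machine from a one-off failure against a key you are watching.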
Logging in to Windows 10 Build 10547 I see for a split second a message box pop up.
There’s no time to read it as the login succeeds.
In the event log I see:
Audit failure 5061 with a task category of System Integrity
The event directly previous is fetching a key from C:\ProgramData\Microsoft\Crypto\SystemKeys
It says the key type is a user key.
Inside the 5061 Audit failure is the following information:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: WIN-SOA3U4S9MJA$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 454822bd-d329-d1b0-4211-07ccee6df7b8
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
The details tab contains
System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 5061
Version 0
Level 0
Task 12290
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2015-09-27T21:28:17.888978900Z
EventRecordID 6545
- Correlation
[ ActivityID] {2E32FFFF-F96B-0003-D003-332E6BF9D001}
- Execution
[ ProcessID] 936
[ ThreadID] 408
Channel Security
Computer WIN-SOA3U4S9MJA
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName WIN-SOA3U4S9MJA$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
ProviderName Microsoft Software Key Storage Provider
AlgorithmName RSA
KeyName 454822bd-d329-d1b0-4211-07ccee6df7b8
KeyType %%2500
Operation %%2480
ReturnCode 0x80090016
What is going on, and how do I fix it?
Windows 10: Event ID 5061 Audit Failure after April Update.
Discussion in ‘Windows 10 Support’ started by Redbatman, Apr 4, 2018.
-
Well like I said my PC decided to update to April update. *cry
It’s funny last year with creators update Netflix and Hulu were giving me Audit Failure errors. It took Fall Creators to fix it. *Banghead
-
Okay so this morning I began getting these messages in my event viewer after my PC decided to update to April update.
They seem to happen after reboot and boot up.
Also trying to update Defender definitions is kinda not happening. I even tried through cmd line and it said no updates were necessary, even though the definitions did update according to Microsoft.com
-
Have no idea how to fix, but it’s provided by Microsoft and an unknown algorithm name?
-
Security Audit Failure Event 5061 In Windows 10
I’m seeing these in my event log too. The failures happen four seconds before my video driver crashes (and restarts) while playing World of Warcraft. Could these two issues be related? I’m using onboard Intel HD 4600.
Audit Failure | Microsoft Windows security auditing. | 5061 | System Integrity
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: XXXXXX$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 51a92691-66f1-280f-d0db-59fad4f73491
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016
-
Also yes I do have an Nvidia GTX 970
-
I have the same Event ID 5061 in the Windows Logs/Security section of Event Viewer. It’s an XBox Live certificate.
XBL Client Ipsec Issuing CA
For some reason this Event ID was moved to the Security section. Previously it would show as an Event ID 64 in the Application section of the Event Viewer.
You can verify this by running: certutil -store my
from the command prompt.
-
This is what I got by doing it
Serial Number: d49c11c6a8d97643a55b5eddd9a4e94a
Issuer: CN=XBL Client IPsec Issuing CA
NotBefore: 1/2/2018 10:20 AM
NotAfter: 1/3/2018 10:20 AM
Subject: CN=F9007479FC031D7A
Non-root Certificate
Cert Hash(sha1): cb1e5291b2e04c32b8651684f5f9fd4de010c775
Key Container = 11F88326-2132-4D64-9956-EB77B5003DC6
Unique container name: 2b1270ead2983daf54828e3f6773802a_bfd23135-ab1a-4702-9757-7ea9f71be682
Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
Should I reset the app then?
-
Exact same as mine.
Nothing really to do. If you use an XBox live game (or update it in any way) it will update the cert. If not, it’s nothing to really worry about and won’t cause any issues.
-
Funny enough I did try the uninstall and reinstall my Nvidia Drivers and still shows up so that can be ruled out then.
Edit- Decided to restore to my custom restore point I made a few hours ago before I tried «fixing this»
-
I am also getting this auditing error after upgrading to 1803, one after rebooting. I think I got one or two also a while after rebooting yesterday but today I only seen the one after rebooting or starting the laptop.
Searching the internet yesterday, I saw old posts from people mentioning Nvidia Driver but I don’t think I have anything Nvidia in this laptop. Doing a search for Nvidia brings nothing. My error message is identical to the one posted by Redbatman, same number, mentions the certificate, etc.
Yesterday when I searched Google for the error and W10 1803, I found nothing. I am glad and thank you guys who reported getting 5061, now I know I am not alone. I was gonna report it in a few days if I didn’t hear nothing about it. I don’t use Xbox or play games and the error doesn’t seem to affect the computer in anyway. I reckon this is one of those events we can safely ignore.
Bo
-
I guess you could try downloading a game off Windows store like fallout shelter for Xbox then launch it and after uninstall it and see if that fixes it.
-
If I remember correctly … You should be able to delete the expired certificate … XBL Client IPsec Issuing CA … and that should get rid of that error.
Right Click Start > Run > Type in mmc and hit enter
When the Console opens Click File > Add/Remove Snap In
On the left choose Certificates > Click Add
Select Computer Account > Click Next
Local Computer should already be selected > Click Finish > Click Ok
On the left > Certificates > Trusted Root Certification Authorities > Certificates
On the right > Look for the expired XBL Client IPsec Issuing CA by the date in Event Viewer> Right Click > Delete
Close mmc without saving when asked
Note: You may have more than one XBL Client IPsec Issuing CA (I currently have 2 that expire 9-20-2028) … so make sure you deleted the right one.
-
Hmm sounds like it’s best to wait and have Microsoft update the app?
-
I had same error its nvidia I have older 8800 card & all I did was download driver off nvidia site & reinstall the video driver & that error went away.
-
Like I said I tried that too and it didn’t work for me. I had even uninstalled the driver and reinstalled it, and it still happened.
Microsoft windows security auditing 5061
Question
I am running both a laptop and a desktop with windows 7 pro SP1. I set both these systems up using no password and only the original user admin account as I was the only one who had or needed access to the systems. Now my situation has changed and I find the need to add a password to my user account. Doing so causes a system integrity audit failure that I just can’t seem to figure out. The error occurs on both machines. Removing the password from the account on either machine fixes the audit failure. Without the password added to the admin account (my user account) there are no errors or in any of the windows log files listed in event viewer. Posted below will be the actual error from the log for the security audit failure. Any help on this issue would be greatly appreciated.
Date: 9/3/2011 6:37:37 PM
Task Category: System Integrity
Keywords: Audit Failure
Security ID: Antec900-2Dad
Account Domain: Antec900-2
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d166d50b-2983-40db-8f1e-2b60d429258d
Microsoft windows security auditing 5061
Installed OS: Windows 8.1 x64
The Windows security log records:
Предмет:
Идентификатор безопасности: ALIENWARExxxxxx
Имя учетной записи: xxxxxx
Домен учетной записи: ALIENWARE
Идентификатор входа в систему: 0x35426
Криптографические параметры:
Имя поставщика: Microsoft Software Key Storage Provider
Имя алгоритма: UNKNOWN
Имя ключа: CD1CC265-0DA0-4230-8419-CB6F808FE688
Тип ключа: Ключ пользователя.
Операция шифрования:
Операция: Открыть ключ.
Код возврата: 0x80090016
[ Name] | Microsoft-Windows-Security-Auditing |
Keywords | 0x8010000000000000 |
SubjectUserSid | S-1-5-21-1922952922-4088675602-1580546449-1001 |
SubjectDomainName | ALIENWARE |
ProviderName | Microsoft Software Key Storage Provider |
KeyName | CD1CC265-0DA0-4230-8419-CB6F808FE688 |
ReturnCode |
This audit event is logged when IE v.11.0.9600.16518 is closed, provided “Delete browsing history on exit” is enabled. How can I stop these errors from appearing?
Answers
Stop and restart the application pool
Application pools occasionally have to be restarted in order to return to normal operation. Because application pools depend on the Windows Process Activation Service (WAS), you may have to restart WAS. If you restart WAS, you may also have to restart the World Wide Web Publishing Service (W3SVC), which depends on WAS.
To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To stop and start the application pool:
To stop or restart WAS:
To start the W3SVC:
Verify
An application pool that is correctly configured will start without incident. To verify that the application pool has started, use the following procedure.
To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To verify that an application pool has started:
Audit DPAPI Activity
Audit DPAPI Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
Event volume: Low.
Events list:
- 4692(S, F): A backup of the data protection key was attempted.
- 4693(S, F): A recovery of the data protection key was attempted.
- 4694(S, F): Protection of auditable protected data was attempted.
- 4695(S, F): Unprotection of auditable protected data was attempted.