Created
September 19, 2022 11:42
-
-
Save exoosh/e4b744b9424ab4b841c6b2c68db020bf to your computer and use it in GitHub Desktop.
DPAPI tracelogging details
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "FilePath": "C:\\Windows\\System32\\dpapisrv.dll", | |
| "Providers": [ | |
| { | |
| "ProviderGUID": "9d2a53b2-1411-5c1c-d88c-f2bf057645bb", | |
| "ProviderName": "Microsoft.Windows.Security.Dpapi", | |
| "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba" | |
| }, | |
| { | |
| "ProviderGUID": "703fcc13-b66f-5868-ddd9-e2db7f381ffb", | |
| "ProviderName": "Microsoft.Windows.TlgAggregateInternal", | |
| "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba" | |
| } | |
| ], | |
| "Events": [ | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 2, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "LocalUserPwdChangeActivityStop", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 1, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "LocalUserPwdChangeActivityStart", | |
| "FieldInfo": [] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "RetrieveCurrentDerivedCredential", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "fDPOWF", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 2, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "ActivityStoppedAutomatically", | |
| "FieldInfo": [] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "SpCryptUnprotect", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "dwRet", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "guidMK", | |
| "InType": "GUID", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwFlags", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwProtectionFlags", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "szDataDescr", | |
| "InType": "UNICODESTRING", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "SpCryptProtect", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "dwRet", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "guidMK", | |
| "InType": "GUID", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwFlags", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwProtectionFlags", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "szDataDescr", | |
| "InType": "UNICODESTRING", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 1, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "DomainUserPwdChangeActivityStart", | |
| "FieldInfo": [] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "LocalUserRecoveryPath", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "PhaseOneRecovery", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "GetSpecifiedMasterKeyAggregated", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "Count", | |
| "InType": "INT64", | |
| "OutType": "NULL", | |
| "Extension": [ | |
| 128, | |
| 128, | |
| 128, | |
| 113 | |
| ], | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "KeyGUID", | |
| "InType": "GUID", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "fSuccess", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwLastError", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwMasterKeyDisposition", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "userAccountType", | |
| "InType": "UNICODESTRING", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "DomainUserRecoveryPath", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 2, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "DomainUserPwdChangeActivityStop", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 2, | |
| "Keyword": "0x0000200000000000", | |
| "KeywordName": "MS.TELEMETRY", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "InitSyncMasterKeysActivityStop", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "DecryptDPAPIMasterKey", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "status", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "keyType", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "GetMasterKeyUserEncryptionKey", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "useNtowf", | |
| "InType": "UINT8", | |
| "OutType": "BOOLEAN", | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000800000000000", | |
| "KeywordName": "MS.CRITICALDATA", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "RC4EncryptionFallback", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "Count", | |
| "InType": "INT64", | |
| "OutType": "NULL", | |
| "Extension": [ | |
| 128, | |
| 128, | |
| 128, | |
| 113 | |
| ], | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "PartA_PrivTags", | |
| "InType": "UINT64", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "fLegacy", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "fWeakCrypt", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwFallbackLastError", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwEncryptLastError", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwRestoreLastError", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "CreateMasterKey", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "fRequireBackup", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "fOverrideToLocalSystem", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "fUserCredentialValid", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "CreateMasterKeyWithNoBackup", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "fSuccess", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "dwMasterKeyDisposition", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "IsDomainBackupRequired", | |
| "InType": "INT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 1, | |
| "Keyword": "0x0000200000000000", | |
| "KeywordName": "MS.TELEMETRY", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "InitSyncMasterKeysActivityStart", | |
| "FieldInfo": [] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 2, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "RestoreMasterKeyStop", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "result", | |
| "InType": "HEXINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 1, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "RestoreMasterKeyStart", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "domainUser", | |
| "InType": "UINT8", | |
| "OutType": "BOOLEAN", | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "localUser", | |
| "InType": "UINT8", | |
| "OutType": "BOOLEAN", | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 2, | |
| "Keyword": "0x0000200000000000", | |
| "KeywordName": "MS.TELEMETRY", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "ActivityStoppedAutomatically", | |
| "FieldInfo": [] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "MasterKeyDecryptionFailureTrigger", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "PartA_PrivTags", | |
| "InType": "UINT64", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "error", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| }, | |
| { | |
| "EventId": 0, | |
| "Channel": 11, | |
| "Level": 5, | |
| "Opcode": 0, | |
| "Keyword": "0x0000400000000000", | |
| "KeywordName": "MS.MEASURES", | |
| "Extension": [ | |
| 0 | |
| ], | |
| "EventName": "TlgAggregateSummary", | |
| "FieldInfo": [ | |
| { | |
| "FieldName": "Provider", | |
| "InType": "GUID", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "NumFlushes", | |
| "InType": "UINT64", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "MaxEntriesStored", | |
| "InType": "UINT64", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "TotalEntriesFlushed", | |
| "InType": "UINT64", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "MaxEntriesFlushed", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "MinEntriesFlushed", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "NumBucketLimitReached", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "NumAllocationFailures", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| }, | |
| { | |
| "FieldName": "NumLargeEventFailures", | |
| "InType": "UINT32", | |
| "OutType": null, | |
| "Extension": null, | |
| "ValueCount": 0, | |
| "TypeInfo": null | |
| } | |
| ] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment