Event ID 5376

Credential Manager credentials were backed up.

Credential Manager credentials were backed up.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

This event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than their own.


This event is generated every time the user (Subject) successfully backs up the Credential Manager database. Typically this is done by clicking “Back up Credentials” in Credential Manager in the Control Panel.

This event is generated on domain controllers, member servers, and workstations.

Auditing:    

This event should be recorded for all local and domain accounts, because this action (backing up Credential Manager credentials) is very rarely performed by users and can indicate a virus or other harmful or malicious activity.


Volume:     Low

In a standard corporate or home environment, the expected volume for this event is Very Low.


Microsoft Documentation

Event ID - 5376



Name            Field              Insertion String  OS   Example
Security ID     SubjectUserSid     %1                Any  S-1-5-21
Account Name    SubjectUserName    %2                Any  dadmin
Account Domain  SubjectDomainName  %3                Any  CONTOSO
Logon ID        SubjectLogonId     %4                Any  0x30d7c


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
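
The auditing guidance and field list above can be turned into a periodic review. This is an added example, not part of the original page or of Microsoft's documentation. It checks the audit policy, lists every 5376 record, and goes one step beyond the page by using the Logon ID to look up the matching 4624 logon event. `$LookbackDays` and the `Get-EventDataMap` helper are assumed names.

```powershell
# Added example; run elevated on the host whose Security log you want to review.
$LookbackDays = 30   # assumed review window, not a value from the page

# 1. Confirm the subcategory from the page's AuditPol lookup audits Success,
#    otherwise 5376 is never written. /r returns CSV; setting names are localized.
$policy = AuditPol.exe /get /subcategory:"User Account Management" /r |
    Where-Object { $_ } | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Success auditing is off: $($policy.'Inclusion Setting')"
}

# Flatten an event's <EventData> name/value pairs into a hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $map[$d.GetAttribute('Name')] = $d.InnerText
    }
    $map
}

# 2. Collect every 5376 in the window; no match is the expected, quiet case.
$filter  = @{ LogName = 'Security'; Id = 5376; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$backups = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. Report the Subject fields and the 4624 logon that opened the same session.
$report = foreach ($ev in $backups) {
    $s = Get-EventDataMap $ev
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$($s.SubjectLogonId)']]"
    $logon = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    $l = if ($logon) { Get-EventDataMap $logon } else { @{} }
    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        Computer    = $ev.MachineName
        Account     = '{0}\{1}' -f $s.SubjectDomainName, $s.SubjectUserName
        Sid         = $s.SubjectUserSid
        LogonId     = $s.SubjectLogonId
        LogonType   = $l.LogonType   # blank if the 4624 has aged out of the log
        SourceIp    = $l.IpAddress
    }
}
$report | Sort-Object TimeCreated | Format-Table -AutoSize
```

Because the expected volume is very low, any row in the report is worth reviewing against what the account owner was doing at that time.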


