Event ID: 5377

Credential Manager credentials were restored from a backup. 

Credential Manager credentials were restored from a backup.

Subject:
    Security ID:          %1
    Account Name:         %2
    Account Domain:       %3
    Logon ID:             %4

This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.


Auditing:     Always


Microsoft Documentation

Event ID - 5377


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
User Account Management

LEFT/RIGHT arrow keys for navigation

Back to List