Event ID 5377

Credential Manager credentials were restored from a backup.

Credential Manager credentials were restored from a backup.

Subject:
    Security ID:          %1
    Account Name:         %2
    Account Domain:       %3
    Logon ID:             %4

This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.


This event is generated every time the user (Subject) successfully restores the Credential Manager database. Typically this is done by clicking “Restore Credentials” in Credential Manager in the Control Panel.

This event is generated on domain controllers, member servers, and workstations.

Auditing:     Always

This event should be recorded for all local and domain accounts, because this action (restoring Credential Manager credentials from a backup) is very rarely used by users and can indicate a virus or other harmful or malicious activity.


Volume:     Low

This event has a Low expected volume.


Microsoft Documentation

Event ID - 5377



Name            Field              Insertion String  OS   Example
Security ID     SubjectUserSid     %1                Any  S-1-5-21
Account Name    SubjectUserName    %2                Any  dadmin
Account Domain  SubjectDomainName  %3                Any  CONTOSO
Logon ID        SubjectLogonId     %4                Any  0x30d7c


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
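
Once the subcategory is audited, each 5377 record can be reduced to the Subject fields from the table above for review or alerting. The PowerShell below is an added example, not part of the original page or of Microsoft's documentation; the function name `ConvertFrom-Event5377` and every value in the sample event are assumptions made for illustration.

```powershell
# Added example, not from the original page: turn Security-log event XML into
# one object per 5377 event, using the field names from the table above.
function ConvertFrom-Event5377 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $root = ([xml]$EventXml).DocumentElement
        $sys  = $root['System']
        # Skip anything that is not a 5377 event record.
        if (-not $sys -or $sys['EventID'].InnerText -ne '5377') { return }

        # EventData holds <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in $root['EventData'].ChildNodes) {
            if ($d -is [System.Xml.XmlElement]) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
        }
        [pscustomobject]@{
            TimeCreated       = $sys['TimeCreated'].GetAttribute('SystemTime')
            Computer          = $sys['Computer'].InnerText
            SubjectUserSid    = $data['SubjectUserSid']
            SubjectUserName   = $data['SubjectUserName']
            SubjectDomainName = $data['SubjectDomainName']
            SubjectLogonId    = $data['SubjectLogonId']
        }
    }
}

# Constructed sample event (all values are made up for illustration).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5377</EventID>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z" />
    <Computer>WS01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d7c</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event5377

# Against the live Security log (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5377 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event5377
```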


