Windows Security Log Event ID 5377

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019
Category
 • Subcategory
Account Management
 • User Account Management
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 5377
Ask a question about this event

5377: Credential Manager credentials were restored from a backup

On this page

Credential Manager is the stored passwords feature in Windows that allows Windows to remember passwords for websites, shared folders, VPNs, etc.  From Control Panel\User Accounts\Manage your network passwords you can backup these stored credentials and/or restore them.  This event is logged when you restore them.

Windows 2019 introduces version 1 of this event which includes a new field, "BackupFileName". 

Free Security Log Resources by Randy

Description Fields in 5377

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
  • BackupFileName: (New in Server 2019)

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 5377

Server 2019

Credential Manager credentials were restored from a backup.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1ba0e
   BackupFileName: xyz

This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.

Server 2016 and earlier

Credential Manager credentials were restored from a backup.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1ba0e

 

This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources