Windows Security Log Event ID 5377
Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Account Management • User Account Management
Type: Success
Corresponding events in Windows 2003 and before:
5377: Credential Manager credentials were restored from a backup
Credential Manager is the stored-passwords feature that lets Windows remember passwords for websites, shared folders, VPNs, etc. From Control Panel\User Accounts\Manage your network passwords you can back up these stored credentials and/or restore them. This event is logged when you restore them.
Windows 2019 introduces version 1 of this event which includes a new field, "BackupFileName".
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- BackupFileName: (New in Server 2019)
Server 2019
Credential Manager credentials were restored from a backup.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1ba0e
BackupFileName: xyz
This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.
Server 2016 and earlier
Credential Manager credentials were restored from a backup.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1ba0e
This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.
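The field descriptions above say that Logon ID ties this event back to the 4624 logon event and that BackupFileName appears only from Server 2019. The Python below is an added example, not part of the original page: it parses the 5377 message text in both versions and selects the matching logon, allowing for Logon ID reuse across reboots. The 4624 records, their timestamps and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# 5377 message text as shown on the page (Server 2019, event version 1).
SAMPLE_V1 = r"""Credential Manager credentials were restored from a backup.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1ba0e
BackupFileName: xyz"""
# Version 0 (Server 2016 and earlier) is the same text without BackupFileName.
SAMPLE_V0 = SAMPLE_V1.rsplit("\n", 1)[0]

# Constructed 4624 records (not from the page). The same Logon ID appears twice
# because the value is only unique between reboots.
LOGONS_4624 = [
    {"logon_id": "0x1ba0e", "logon_type": 3, "time": "2024-03-01T08:00:00"},
    {"logon_id": "0x1ba0e", "logon_type": 2, "time": "2024-03-04T09:15:00"},
    {"logon_id": "0x2f001", "logon_type": 10, "time": "2024-03-04T09:20:00"},
]

FIELD_RE = re.compile(
    r"^[ \t]*(Security ID|Account Name|Account Domain|Logon ID|BackupFileName)"
    r":[ \t]*(.*?)[ \t]*$", re.M)

def parse_5377(message):
    """Extract the Subject fields; works for version 0 and version 1 text."""
    fields = dict(FIELD_RE.findall(message))
    if "Logon ID" not in fields:
        raise ValueError("no Logon ID field: not a 5377 message")
    return {
        "security_id": fields.get("Security ID"),
        "account": fields.get("Account Name"),
        "domain": fields.get("Account Domain"),
        "logon_id": int(fields["Logon ID"], 16),
        "backup_file": fields.get("BackupFileName"),  # None on version 0
        # Assumption: version is inferred from the presence of BackupFileName.
        "version": 1 if "BackupFileName" in fields else 0,
    }

def find_logon(event, event_time, logons):
    """Return the latest 4624 record with the same Logon ID at or before event_time."""
    when = datetime.fromisoformat(event_time)
    matches = [r for r in logons
               if int(r["logon_id"], 16) == event["logon_id"]
               and datetime.fromisoformat(r["time"]) <= when]
    return max(matches, key=lambda r: datetime.fromisoformat(r["time"]), default=None)
```

Choosing the most recent 4624 before the restore, rather than any record with the same Logon ID, avoids attributing the restore to a session from an earlier boot.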