Event ID 5377 — Credential Manager credentials were restored from a backup.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

Credential Manager credentials were restored from a backup.

Message #

Credential Manager credentials were restored from a backup.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`BackupFileName` UnicodeString	[Subject] BackupFileName
`ProcessCreationTime` FILETIME	—
`ClientProcessId` UInt32	—

Community Notes #

Credential Manager credentials were restored from a backup, may indicate import of stolen vaults from another host.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management