Windows Event ID 5376: Credential Manager credentials were backed up
Windows Security Event ID 5376 records successful backup of the user Credential Manager database.
- Applicable version
- Windows Server 2008 R2 and later
- Last reviewed
- 2026-07-13
Trigger Scenarios
This event is generated when the Subject successfully backs up the Credential Manager database, typically through the Credential Manager control-panel workflow.
Key Fields
SubjectUserName / SubjectDomainName
Identifies the account that performed the backup operation. Microsoft documents that this is the Subject account.
SubjectLogonId
Hexadecimal logon ID that correlates the backup to the user logon session and nearby process creation.
Computer
Identifies whether the backup occurred on a domain controller, member server, or workstation; Microsoft documents that the event can occur on all three.
Common False Positives
- Legitimate user-initiated credential backup through Credential Manager is possible but rare.
- Help-desk migration workflows can intentionally back up user credentials during device replacement.
Related Events
MITRE ATT&CK Mapping
- T1555.004Credentials from Password Stores: Windows Credential Manager
Detection Notes
Use threshold=1 occurrence because Microsoft states every 5376 should be recorded and that Credential Manager backup is very rarely used and can indicate malicious activity. MITRE T1555.004 explicitly notes credential backups via rundll32.exe keymgr.dll KRShowKeyMgr and Windows Credential Manager vault material under %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\. Correlate SubjectLogonId to 4688 for rundll32.exe, vaultcmd.exe, or unusual interactive activity before closing.
SecurityEvent
| where EventID == 5376
| project TimeGenerated, Computer, Accountindex=wineventlog EventCode=5376 | table _time, hostEventID: 5376
SubjectUserName: j.smith
SubjectDomainName: CORP
SubjectLogonId: 0x30d7c
Computer: WS-042