[Fix] Credential Manager Credentials Were Read (100% Working)

Perhaps you recently installed a program on your Windows Server system and are connecting it to the internet. That is the common cause behind the “Credential manager credentials were read” issue.

Generally, the event can be ignored unless it is caused by malware on the system. In most cases, disabling the Credential Manager stops the issue. If that fails, the log most likely reflects either the detection of an attack or a false positive.


Reasons Behind the ‘5379 Credential Manager Credentials Were Read’ Message

The message generally appears under the General tab in User Account Management. It should look like this:

Subject: Credential Manager credentials were read.

Security ID: SYSTEM

Account Name: DESKTOP-JNCGSP4$

Account Domain: WORKGROUP

Logon ID: 0x3E7

Read Operation: Enumerate Credentials

And there can be two cases when such a read operation is performed on the credentials.

1. Attack Detection

The event gets triggered whenever a user tries to access the stored credentials in the Credential Manager. For example, if the user attempts to open a password-protected ZIP file named test (2).zip, there will be a credman event with ID 5379.

Here, the target is “Microsoft_Windows_Shell_ZipFolder:filename=zip_fil_path”, which we can correlate with an attempted malware execution. However, that correlation only holds when the event occurs with legitimate Windows processes and on particular paths.

Likewise, it can occur whenever a user tries to download cracked versions of applications or uses keygens to activate premium features. As long as you don’t run into system or network infections, it is not a big deal. Otherwise, the message represents the detection of a possible malware spread.

2. The False Positive Case

If you experience Event ID 5379 flooding, reviewing the programs or accounts associated with your credential manager is always a good idea.

For instance, you may still get the “credential manager credentials were read” message even after a user gets disabled by the Windows Admin. That is because disabling an account doesn’t necessarily prevent it from logging on to an endpoint.

That means the account may still exist on the machine and have associated tasks. And those scheduled tasks might be getting executed in the background. Hence, the Event ID 5379 error log.
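
To tell the two cases above apart, group the 5379 events by account, client process and target. The following is an added example, not code from the original article: it parses event XML in the layout Event Viewer shows under XML View, assuming the SubjectUserName, ClientProcessId and TargetName data fields. The sample events, the svc_old account and the flood threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ZIP_PREFIX = "Microsoft_Windows_Shell_ZipFolder:filename="
FLOOD_THRESHOLD = 3  # assumed cut-off for this small sample; tune per environment

def _event(user, pid, target):
    """Build one constructed 5379 event in the Event Viewer XML layout."""
    data = {"SubjectUserName": user, "ClientProcessId": pid, "TargetName": target}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5379</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample: one ZIP opened by a user, four reads by a leftover account's
# background task, and one routine read by the machine account.
SAMPLE = "<Events>" + "".join(
    [_event("alice", "4312", ZIP_PREFIX + r"C:\Users\alice\Downloads\test (2).zip")]
    + [_event("svc_old", "980", "Domain:target=fileserver")] * 4
    + [_event("DESKTOP-JNCGSP4$", "640", "WindowsLive:target=virtualapp/didlogical")]
) + "</Events>"

def triage(xml_text):
    """Return (zip_targets, flooding) from a batch of Event ID 5379 records."""
    zip_targets, per_source = [], Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5379":
            continue
        d = {n.get("Name"): (n.text or "") for n in ev.iterfind("e:EventData/e:Data", NS)}
        target = d.get("TargetName", "")
        if target.startswith(ZIP_PREFIX):
            # Case 1: a password-protected ZIP was opened; record who and which file.
            zip_targets.append((d.get("SubjectUserName"), target[len(ZIP_PREFIX):]))
        per_source[(d.get("SubjectUserName"), d.get("ClientProcessId"))] += 1
    # Case 2: repeated reads from one account/process pair point at a task or service.
    flooding = {src: n for src, n in per_source.items() if n >= FLOOD_THRESHOLD}
    return zip_targets, flooding

if __name__ == "__main__":
    zips, floods = triage(SAMPLE)
    for user, path in zips:
        print(f"ZIP opened by {user}: {path}")
    for (user, pid), n in floods.items():
        print(f"{n} reads by {user} (PID {pid}): review scheduled tasks and services")
```

A ZIP hit is worth checking against where the archive came from, while a flooding entry tells you which account and process to review before changing any service settings.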

How to Solve Credential Manager Credentials Were Read Issue

The message “Credential manager credentials were read” can indicate a possible malware spread. Yet, disabling Credential Manager and mapping the drives might actually help solve the Event ID 5379 flooding issue.

Disable Credential Manager:

Step 1: Type ‘Services’ inside the Windows search panel. The Services application should pop up in the search results.

Step 2: Now, right-click on the application and choose Run as Administrator from the options.

Step 3: Once the Services window arrives, search for the Credential Manager, set it to Disabled, and click on the Stop button.

Step 4: Reboot your PC and set the Credential Manager Service to Automatic mode.

Step 5: Finally, restart your device once again for the changes to take effect.

Sometimes, you might get the same information even after disabling the Credential Manager. In that case, the event is generated if there is a login session on your computer. It is most likely due to a Server service or a local process.

You can, however, determine the type of logon from the logon type field. Generally, it is either type 2 or type 3, corresponding to interactive and network logons, respectively.

Frequently Asked Questions

How Do I Clear My Credential Manager?

To clear your Credential Manager, open it and go to the Windows Credentials and Generic Credentials sections. There, remove all the stored credentials by selecting them and clicking ‘Remove’.

What Happens if I Disable Credential Manager?

If you disable the Credential Manager on your Windows system, it won’t store any credentials in the registry anymore.

How Do I Restart Credential Manager in Windows 10?

To restart the Credential Manager, press Win + R to open the Run box and enter “service”. From the list of services, locate the Credential Manager service and double-click it. Finally, set the Startup type to Automatic, then click Apply and OK to save the settings.

Bottom Line

Disabling the Credential Manager is by no means a permanent solution to Event ID 5379 flooding. Although it works for the time being, we recommend enabling the application after mapping the drives. That way, your PC won’t be vulnerable while you get rid of the “Credential manager credentials were read” message.
