This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 90%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
Hi
First timer here - I've got questions, and you might have answers.
Windows 10.
I've been chasing an elusive event for months that have been disrupting (ie, cmd window appearing and disappearing, forcing games to minimize - probably also a concern some of you may have come across being asked).
Now I've successfully pinpointed my issue regarding the appearing/disappearing cmd window, and it relates partially to the 4624 Logon event, and 4672 Special Logon event (not concerned much about those, I spent a little time figuring out the how and what when it came to them).
My concern is the sheer amount of event 5379 User Account Management events that follows.
180 events of "counting credentials", or "read credentials" within 2 seconds flat.
Is there some way for me to keep that in the background, without it interrupting me on a daily basis?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 23%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
I don't find any issue with other event ids 4624 and 4672 here.
Event 5379 should be monitored to ensure that stored credentials are not being accessed inappropriately, which could indicate a potential security breach or insider threat.
It's normal to see this event occasionally, but frequent occurrences might indicate a problem.
Run a malware scan to rule out security threats
I used Malwarebytes for the malware scan.
1 old map mod for American Truck Simulator (zip file in the trashbin) was flagged as malware (Generic.Malware.AI.DDS).
1 dotsetupsdk.dll flagged as potentially unwanted (PUP.Optional.DotSetupIo).
17 items of PUP.Optional.Linkury related to Chrome user data/default/web data.
The first 2 is set for deletion upon reboot, the other 17 is replaced.
In the middle of this, Malwarebytes have actively notified me of consistent "RTP detection" malvertising events, and blocking said website.
It is outbound (from Chrome) on port 443, to 3 nearly identical IP's (only last digit changes), but I've yet to figure out anything related to that.
As far as event 5379 goes, I can't confirm whether it has been affected yet, but it would be nice if this is all it takes
I haven't seen the cmd window pop up yet, but according to the log, I still have a staggering amount of events occuring - 300+ within the last hour, 3400 within the last 24 hours, and ~18.600 the last 7 days.
Source: Microsoft Windows security.
Task category: User Account Management.
The details mainly pertain to one target, although there is multiple.
In Details, practical view, the TargetName:
WindowsLive:(token):name=(my email);serviceuri=*
WindowsLive:(cert):name=(my email);serviceuri=*
MicrosoftAccount:user=(my email)
WindowsLive:target=virtualapp/didlogical
The 2 below repeats as well, with some variations in the "name".
WindowsLive:(token):name=02hqibfgncbuvdem;serviceuri=*
WindowsLive:(cert):name=02hqibfgncbuvdem;serviceuri=*
