Event 4624, 4672, 5379, and what follows in the wake

Daniel Jonsen 0 Reputation points
2024-08-14T13:02:27.5633333+00:00

Hi

First timer here - I've got questions, and you might have answers.

Windows 10.

I've been chasing an elusive event for months that has been disrupting me (i.e., a cmd window appearing and disappearing, forcing games to minimize - probably also a concern some of you may have come across being asked).

Now I've successfully pinpointed my issue regarding the appearing/disappearing cmd window, and it relates partially to the 4624 Logon event, and 4672 Special Logon event (not concerned much about those, I spent a little time figuring out the how and what when it came to them).

My concern is the sheer amount of event 5379 User Account Management events that follow.

180 events of "counting credentials", or "read credentials" within 2 seconds flat.

Is there some way for me to keep that in the background, without it interrupting me on a daily basis?


1 answer

  1. S.Sengupta 24,871 Reputation points MVP
    2024-08-15T00:10:10.8566667+00:00

    I don't find any issue with other event IDs 4624 and 4672 here.

    Event 5379 should be monitored to ensure that stored credentials are not being accessed inappropriately, which could indicate a potential security breach or insider threat.

    It's normal to see this event occasionally, but frequent occurrences might indicate a problem.

    Run a malware scan to rule out security threats.
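
One way to find which process is behind a burst of 5379 events like the 180-in-two-seconds run described in the question, as an added example that is not part of the original thread. The 24-hour look-back and the threshold of 50 are assumptions, and the field names are the ones shown in the event's XML view, so check them against one of your own events.

```powershell
# Added example: find bursts of Security event 5379 and the process behind each.
# Run from an elevated prompt; reading the Security log needs admin rights.
$windowSeconds = 2     # burst window, from the question ("within 2 seconds")
$threshold     = 50    # assumed cut-off for a burst; tune for your machine
$lookBack      = (Get-Date).AddDays(-1)   # assumed look-back period

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5379; StartTime = $lookBack
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML instead of relying on their order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $data['SubjectUserName']
        ProcessId  = $data['ClientProcessId']
        TargetName = $data['TargetName']
    }
}

# Fixed-size time buckets: a burst that straddles a boundary is split in two,
# so keep the threshold well below the burst size you are hunting for.
$ticksPerWindow = $windowSeconds * [timespan]::TicksPerSecond
$bursts = $rows |
    Group-Object ProcessId, { [math]::Floor($_.Time.Ticks / $ticksPerWindow) } |
    Where-Object Count -ge $threshold

$bursts | ForEach-Object {
    $first = $_.Group | Sort-Object Time | Select-Object -First 1
    # The caller has often exited already, and PIDs are reused, so treat the
    # live lookup as a hint only.
    $proc = Get-Process -Id $first.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Start      = $first.Time
        Events     = $_.Count
        ProcessId  = $first.ProcessId
        LiveName   = if ($proc) { $proc.ProcessName } else { '(not running)' }
        User       = $first.User
        Targets    = ($_.Group.TargetName | Sort-Object -Unique |
                      Select-Object -First 5) -join '; '
    }
} | Sort-Object Start | Format-Table -AutoSize
```

If the process has already exited, the PID can be matched to an image name through event 4688, which is only logged when process creation auditing is enabled.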

