ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying credential access events and audit logs
Event ID 5615InformationMicrosoft-Windows-Security-AuditingWindows Security

Windows Event ID 5615 – Security: Credential Manager Vault Access

Event ID 5615 logs when a user or process accesses the Windows Credential Manager vault to retrieve stored credentials, passwords, or certificates for authentication purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5615Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 5615 is generated by the Windows Security subsystem whenever a process successfully accesses the Credential Manager vault to retrieve stored authentication data. The Credential Manager serves as Windows' centralized credential storage system, maintaining encrypted copies of passwords, certificates, and authentication tokens used by applications and services.

When this event fires, Windows records comprehensive details including the requesting process, the target credential name, the user context under which the access occurred, and the type of credential retrieved. This information proves invaluable for security auditing, compliance reporting, and incident investigation.

The event typically occurs during legitimate authentication scenarios such as automatic domain logons, saved browser password usage, or application-specific credential retrieval. However, security professionals monitor this event closely because credential harvesting malware often targets the Credential Manager vault as a source of valuable authentication data.

In enterprise environments, Event ID 5615 helps administrators understand credential usage patterns, identify applications that frequently access stored credentials, and detect anomalous access attempts that might indicate compromised systems or insider threats. The event's detailed logging makes it particularly useful for forensic analysis when investigating security incidents involving credential theft or unauthorized access.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User logging into a domain-joined computer using cached credentials
  • Web browser retrieving saved website passwords for automatic form filling
  • Email client accessing stored Exchange or IMAP server credentials
  • Network applications using stored service account credentials for authentication
  • VPN clients retrieving saved connection credentials
  • Remote Desktop connections using stored server credentials
  • Third-party applications accessing Windows-stored API keys or certificates
  • Malware attempting to harvest stored credentials from the vault
  • PowerShell scripts or administrative tools querying credential information
  • Windows services accessing stored service account passwords during startup
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5615 to understand what credential was accessed and by which process.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 5615 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 5615 in the Event IDs field and click OK
  5. Double-click on a recent Event ID 5615 entry to view detailed information
  6. Review the following key fields in the event details:
    • Subject: Shows the user account that accessed the credential
    • Process Information: Identifies the executable that requested the credential
    • Credential Information: Displays the target name and type of credential accessed
    • Additional Information: Contains the credential's target server or resource

Use this information to determine if the credential access was legitimate or potentially suspicious based on the requesting process and user context.

02

Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze Event ID 5615 patterns and identify frequent credential access activities across your environment.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 5615 entries with detailed information:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5615} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Process';Expression={$_.Properties[9].Value}}, @{Name='CredentialName';Expression={$_.Properties[2].Value}} | Format-Table -AutoSize
  3. Analyze credential access frequency by process:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5615} -MaxEvents 200 | ForEach-Object { $_.Properties[9].Value } | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
  4. Check for credential access outside business hours:
    $StartTime = (Get-Date).Date.AddHours(18)
$EndTime = (Get-Date).Date.AddDays(1).AddHours(8)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5615; StartTime=$StartTime; EndTime=$EndTime} | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Process';Expression={$_.Properties[9].Value}}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5615} -MaxEvents 500 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Process';Expression={$_.Properties[9].Value}} | Export-Csv -Path "C:\Temp\Event5615_Analysis.csv" -NoTypeInformation
Pro tip: Look for unusual processes accessing credentials or high-frequency access patterns that might indicate automated credential harvesting attempts.
03

Monitor Credential Manager Vault Contents

Examine the current contents of the Credential Manager vault to understand what credentials are stored and potentially being accessed.

  1. Open Credential Manager by typing credential manager in the Start menu search
  2. Review both Web Credentials and Windows Credentials sections
  3. Note any suspicious or unexpected stored credentials
  4. Use PowerShell to enumerate stored credentials programmatically:
    cmdkey /list
  5. For more detailed credential information, use the Windows Credential Management API through PowerShell:
    Add-Type -AssemblyName System.Security
$creds = [System.Security.Cryptography.ProtectedData]::Unprotect
# Note: Direct credential enumeration requires elevated privileges
  6. Check for recently modified credential entries by examining file timestamps in the credential store location:
    Get-ChildItem "$env:LOCALAPPDATA\Microsoft\Credentials" -Force | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime, Length
  7. Review vault policy settings in Group Policy:
    • Navigate to Computer ConfigurationAdministrative TemplatesSystemCredentials Delegation
    • Check policies like "Allow delegating default credentials" and "Allow delegating default credentials with NTLM-only server authentication"
Warning: Be cautious when examining credential stores as this may trigger additional security events and could expose sensitive information.
04

Configure Advanced Auditing for Credential Access

Enhance credential access monitoring by configuring detailed audit policies and implementing additional security measures.

  1. Enable advanced credential auditing through Group Policy:
    • Open Group Policy Management Console (gpmc.msc)
    • Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Expand Object Access and configure Audit Credential Validation for both Success and Failure
  2. Configure local audit policy via command line:
    auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
  3. Set up Windows Event Forwarding to centralize Event ID 5615 collection:
    wecutil cs subscription.xml
  4. Create a custom XML subscription file for credential events:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>CredentialAccess</SubscriptionId>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Security">*[System[EventID=5615]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
</Subscription>
  5. Implement credential guard on supported systems:
    Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode
Enable-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform
  6. Configure registry settings to enhance credential protection:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 1 -Type DWord
Pro tip: Combine Event ID 5615 monitoring with Event ID 4648 (explicit credential use) for comprehensive credential access tracking.
05

Implement Security Monitoring and Response Automation

Deploy automated monitoring and response capabilities to detect and respond to suspicious credential access patterns.

  1. Create a PowerShell script for real-time Event ID 5615 monitoring:
    Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=5615" -Action {
    $Event = $Event.SourceEventArgs.NewEvent
    $ProcessName = $Event.InsertionStrings[9]
    $User = $Event.InsertionStrings[1]
    
    # Check for suspicious processes
    $SuspiciousProcesses = @('mimikatz.exe', 'procdump.exe', 'pwdump.exe')
    if ($SuspiciousProcesses -contains $ProcessName) {
        Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1001 -EntryType Warning -Message "Suspicious credential access detected: $ProcessName by $User"
    }
}
  2. Set up Windows Performance Toolkit (WPT) for advanced credential access tracing:
    wpr -start GeneralProfile -filemode
# Reproduce credential access scenario
wpr -stop C:\Temp\credential_trace.etl
  3. Configure Sysmon for enhanced process monitoring related to credential access:
    <Sysmon schemaversion="4.82">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">lsass.exe</Image>
      <Image condition="contains">winlogon.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
  4. Implement threat hunting queries using KQL for Microsoft Sentinel:
    SecurityEvent
| where EventID == 5615
| extend ProcessName = tostring(EventData.ProcessName)
| extend TargetUserName = tostring(EventData.TargetUserName)
| summarize count() by ProcessName, TargetUserName, bin(TimeGenerated, 1h)
| where count_ > 10
  5. Create custom Windows Event Log channels for credential monitoring:
    wevtutil im credential-monitoring.xml
  6. Deploy Microsoft Defender for Identity to correlate credential access with other security events
  7. Configure alerting rules in your SIEM solution to trigger on:
    • High-frequency credential access from single processes
    • Credential access from unusual processes or locations
    • After-hours credential access patterns
    • Credential access following other suspicious activities
Warning: Automated response actions should be thoroughly tested in a lab environment before deployment to prevent disruption of legitimate business processes.

Overview

Event ID 5615 fires whenever the Windows Credential Manager vault is accessed to retrieve stored credentials. This security audit event tracks when applications, services, or users request access to saved passwords, certificates, or authentication tokens stored in the Windows vault. The event appears in the Security log and provides detailed information about which credential was accessed, by whom, and from which process.

This event is particularly valuable for security monitoring as it reveals when stored credentials are being used for authentication. Modern Windows environments heavily rely on Credential Manager for storing domain passwords, web credentials, and certificate-based authentication data. Understanding when these credentials are accessed helps administrators track authentication patterns and detect potential credential theft or misuse.

The event fires during normal operations when applications like browsers, email clients, or network services retrieve stored credentials for automatic authentication. However, it also triggers when malicious software attempts to harvest stored credentials, making it a critical event for security incident response and forensic analysis.

Frequently Asked Questions

What does Event ID 5615 indicate and should I be concerned about it?+
Event ID 5615 indicates that a process has accessed the Windows Credential Manager vault to retrieve stored credentials. This is often normal behavior when applications use saved passwords or certificates for authentication. However, you should investigate if you see unusual processes accessing credentials, high-frequency access patterns, or access occurring outside normal business hours, as these could indicate credential harvesting attempts by malware.
How can I tell if Event ID 5615 represents legitimate or malicious activity?+
Examine the process name, user context, and timing of the credential access. Legitimate access typically comes from known applications like browsers (chrome.exe, msedge.exe), email clients (outlook.exe), or Windows services during normal business hours. Suspicious indicators include unknown executables, access from system accounts when users aren't logged in, high-frequency automated access patterns, or processes with names similar to credential theft tools like mimikatz or similar variants.
Can I prevent Event ID 5615 from being generated while maintaining security?+
You shouldn't completely disable Event ID 5615 logging as it provides valuable security monitoring capabilities. However, you can reduce the volume by implementing Credential Guard on supported systems, using Windows Hello for Business to reduce password-based authentication, and configuring audit policies to focus on specific credential types. Consider filtering out known legitimate processes in your monitoring tools rather than disabling the event entirely.
What information does Event ID 5615 provide for forensic analysis?+
Event ID 5615 provides comprehensive forensic data including the exact timestamp of credential access, the requesting process name and path, the user account context, the target credential name and type, and the credential's intended use. This information helps investigators reconstruct attack timelines, identify compromised credentials, determine the scope of potential data exposure, and correlate credential access with other suspicious activities during incident response.
How frequently should I expect to see Event ID 5615 in a normal Windows environment?+
The frequency varies significantly based on your environment's configuration and user behavior. In typical corporate environments, you might see dozens to hundreds of these events daily per workstation, primarily from browsers accessing saved passwords, email clients retrieving server credentials, and domain authentication processes. Servers may generate fewer events unless they're running applications that frequently access stored service account credentials. Establish a baseline for your environment to identify anomalous patterns.
Documentation

References (2)

1
Microsoft Security Auditing DocumentationComprehensive guide to Windows security auditing including credential access eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Windows Credential Manager OverviewOfficial documentation on Windows credential storage and protection mechanismshttps://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5615#credential-manager#security-auditing

Related Windows Events

Windows domain controller monitoring dashboard showing Active Directory authentication events and security logs
Event 4776
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4776 – Microsoft-Windows-Security-Auditing: Computer Account Authentication

Event ID 4776 logs computer account authentication attempts in Active Directory environments, tracking domain controller validation of computer credentials during logon processes.

March 189 min
Windows Security Event Viewer displaying Event ID 4625 authentication failure logs on a security monitoring dashboard
Event 4625
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. Critical for detecting unauthorized access attempts, brute force attacks, and troubleshooting authentication issues across domain and local accounts.

March 1812 min
Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed
Event 4771
Microsoft-Windows-Security-Auditing
Windows EventWarning

Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed

Event ID 4771 indicates a Kerberos pre-authentication failure, typically caused by incorrect passwords, expired accounts, or time synchronization issues between client and domain controller.

March 1812 min
Windows Security Event Viewer displaying authentication events on a SOC monitoring dashboard
Event 4648
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4648 – Microsoft-Windows-Security-Auditing: Logon Attempted Using Explicit Credentials

Event ID 4648 fires when a user or process attempts authentication using explicit credentials different from their current logon session, commonly seen with RunAs, network authentication, or service account operations.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...