Windows 10: Security Audit Event ID 4797 "An attempt was made to query the existence of a blank...

Discussion in 'AntiVirus, Firewalls and System Security' started by DaxTheBadger, Jan 20, 2020.

  1. Security Audit Event ID 4797 "An attempt was made to query the existence of a blank...


    I'm currently parsing through event viewer on our devices and I've noticed a few cases of Event ID 4797, which states:

    An attempt was made to query the existence of a blank password for an account

    Could I get a little guidance on what this exactly means and a good course of action to take? What are the chances that some of these could be false positives?

    :)
     
    DaxTheBadger, Jan 20, 2020
    #1
  2. PdC Win User

    Windows Security Event Log - Periodic 4672 events with Account Name: SYSTEM

    I'm seeing periodic 4672 events (Special Logon) in my Windows Home 10 workstation.

    What triggered my interest is that the events, triggered by Security ID / Account name "SYSTEM", occur at regular intervals over the last 12 hours.

    This occurs almost on the hour, overnight.

    Then this morning I see an event 4797 (User account management) "An attempt was made to query the existence of a blank password for an account."

    An attempt was made to query the existence of a blank password for an account.

    This event is only seen once.

    So my question is two-fold, what are the regular SYSTEM 4672 events and are they somehow related to the 4796 (User Account Management) event?

    Thanks.
     
  3. windows 10 event id 10 - An attempt was made to query the existence of a blank password for an account.

    Hello Steve,

    Security auditing is a powerful tool to help maintain the security of an enterprise. Auditing can be used for a variety of purposes, including forensic analysis, regulatory compliance, monitoring user activity, and troubleshooting. Industry regulations in various countries or regions require enterprises to implement a strict set of rules related to data security and privacy. Security audits can help implement such policies and prove that these policies have been implemented. Also, security auditing can be used for forensic analysis, to help administrators detect anomalous behavior, to identify and mitigate gaps in security policies, and to deter irresponsible behavior by tracking critical user activities. You can check this article for more information.

    Furthermore, you received this event when the Audit User Account Management is enabled; it generates audit events when specific user account management tasks are performed. The level of auditing is informational and not a warning or error. The said event is normal and can be safely ignored. The purpose is to check if by any chance a user is set for a Blank password so that users don't see a password box before they sign in when they have no password.

    Let me know if you have other concerns.

    Regards.
     
    Melchizedek Qui, Jan 20, 2020
    #3
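One way to triage these events across a log, as an added example that is not part of the thread: it reads 4797 events in their XML form and summarises which caller queried which accounts, and from which workstation. The EventData field names are assumed to match the event's XML view, the `RemoteCaller` check is an assumed heuristic, and the sample events are constructed.

```powershell
# Added example, not from the thread. EventData names are assumed to match
# the 4797 XML view; the sample events below are constructed.
function ConvertTo-BlankPwQuery {
    param([Parameter(Mandatory)][xml]$EventXml)
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime  # ISO 8601 UTC, sorts as text
        Computer    = $EventXml.Event.System.Computer
        Caller      = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
        Workstation = $f['Workstation']
        Target      = $f['TargetUserName']
    }
}

function Get-BlankPwQuerySummary {
    param([Parameter(Mandatory)][object[]]$Record)
    $Record | Group-Object Caller, Workstation | ForEach-Object {
        $first = $_.Group[0]
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Caller       = $first.Caller
            Workstation  = $first.Workstation
            Events       = $_.Count
            Targets      = ($_.Group.Target | Sort-Object -Unique) -join ', '
            FirstSeen    = $times[0]
            LastSeen     = $times[-1]
            # Assumed heuristic: caller workstation differs from the logging host
            RemoteCaller = ($first.Workstation -ne ($first.Computer -split '\.')[0])
        }
    }
}

$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4797</EventID><TimeCreated SystemTime="{0}"/>
    <Computer>WS01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{1}</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="Workstation">{2}</Data><Data Name="TargetUserName">{3}</Data>
  </EventData>
</Event>
'@
$rows = @('2020-01-20T08:15:02Z', 'alice', 'WS01', 'Administrator'),
        @('2020-01-20T08:15:02Z', 'alice', 'WS01', 'Guest'),
        @('2020-01-20T09:40:11Z', 'svc-scan', 'WS07', 'Administrator')
$records = $rows | ForEach-Object { ConvertTo-BlankPwQuery ([xml]($template -f $_)) }
Get-BlankPwQuerySummary $records | Format-Table -AutoSize
# Live log (elevated): Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4797} |
#   ForEach-Object { ConvertTo-BlankPwQuery ([xml]$_.ToXml()) }
```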
  4. Techie_DD Win User

    Windows 10 workstation Security log filling with Event ID 4703

    My Windows 10 workstation's Security Event Log is filled with informational Event ID 4703 (like 20/second).

    It's an Audit Success on Authorization Policy Change category.

    Pretty much all are about the javaw.exe process & SeSecurityPrivilege. But also a few of them list svchost.exe as the process & a whole list of privileges.

    I can't find anything on the Net about event 4703.

    Sometimes it lists the privilege as Disabled (as below), and some are Enabled. Back & forth, multiple events per second.

    Does anyone have any idea what/why this is, or anyone else experiencing it?

    Here are the details of the event (edited for privacy)...

    Task Category: Authorization Policy Change
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: xxxxx.yyyy.com
    Description:
    A user right was adjusted.

    Subject:
      Security ID: SYSTEM
      Account Name: XXXXXX
      Account Domain: YYYYYYYY
      Logon ID: 0x3E7

    Target Account:
      Security ID: SYSTEM
      Account Name: XXXXXXX
      Account Domain: YYYYYYYYY
      Logon ID: 0x3E7

    Process Information:
      Process ID: 0xb24
      Process Name: C:\Windows\SysWOW64\ContegoSPOP\jre1.7.0_65\bin\javaw.exe

    Enabled Privileges:
      -

    Disabled Privileges:
      SeSecurityPrivilege
     
    Techie_DD, Jan 20, 2020
    #4