Windows 10: Security Audit Event ID 4797 "An attempt was made to query the existence of a blank...

Discussion in 'AntiVirus, Firewalls and System Security' started by DaxTheBadger, Jan 20, 2020.

  1. Security Audit Event ID 4797 "An attempt was made to query the existence of a blank...


    I'm currently parsing through event viewer on our devices and I've noticed a few cases of Event ID 4797, which states:

    An attempt was made to query the existence of a blank password for an account

    Could I get a little guidance on what this exactly means and a good course of action to take? What are the chances that some of these could be false positives?

    :)
     
    DaxTheBadger, Jan 20, 2020
    #1
  2. PDC
    PdC Win User

    Windows Security Event Log - Periodic 4672 events with Account Name: SYSTEM

    I'm seeing periodic 4672 events (Special Logon) in my Windows Home 10 workstation.

    What triggered my interest is that the events, triggered by Security ID / Account name "SYSTEM", occur at regular intervals over the last 12 hours.

    This occurs almost on the hour, overnight.

    Then this morning I see an event 4797 (User account management) "An attempt was made to query the existence of a blank password for an account."

    An attempt was made to query the existence of a blank password for an account.

    This event is only seen once.

    So my question is two-fold, what are the regular SYSTEM 4672 events and are they somehow related to the 4796 (User Account Management) event?

    Thanks.
     
  3. windows 10 event id 10 - An attempt was made to query the existence of a blank password for an account.

    Hello Steve,

    Security auditing is a powerful tool to help maintain the security of an enterprise. Auditing can be used for a variety of purposes, including forensic analysis, regulatory compliance, monitoring user activity, and troubleshooting. Industry regulations in various countries or regions require enterprises to implement a strict set of rules related to data security and privacy. Security audits can help implement such policies and prove that these policies have been implemented. Also, security auditing can be used for forensic analysis, to help administrators detect anomalous behavior, to identify and mitigate gaps in security policies, and to deter irresponsible behavior by tracking critical user activities. You can check this article for more information.

    Furthermore, you received this event when the Audit User Account Management is enabled; it generates audit events when specific user account management tasks are performed. The level of auditing is informational and not a warning or error. The said event is normal and can be safely ignored. The purpose is to check if by any chance a user is set for a blank password so that users don't see a password box before they sign in when they have no password.

    Let me know if you have other concerns.

    Regards.
     
    Melchizedek Qui, Jan 20, 2020
    #3
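
To see who is issuing the 4797 queries and against which accounts, the events can be exported as XML and summarized. The sketch below is an added example, not part of the thread; the sample events, host names and account names are constructed, the `Data` field names are assumed from the event's XML view, and the local/remote split is a triage aid rather than a verdict.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the layout of an Event Viewer XML export.
# Computer, account and workstation names are invented for illustration.
def _ev(computer, subject, workstation, target):
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>4797</EventID><Computer>{computer}</Computer></System>"
        f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="TargetUserName">{target}</Data></EventData></Event>'
    )

SAMPLE = "<Events>" + "".join([
    _ev("PC-01.example.com", "alice", "PC-01", "Administrator"),
    _ev("PC-01.example.com", "alice", "PC-01", "Administrator"),
    _ev("PC-01.example.com", "alice", "pc-01", "Guest"),
    _ev("PC-01.example.com", "svc-scan", "HOST-77", "Administrator"),
]) + "</Events>"

def parse_4797(xml_text):
    """Yield one dict per 4797 event: Computer plus the named EventData fields."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4797":
            continue
        row = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        row["Computer"] = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        yield row

def short(host):
    # Computer is often an FQDN while Workstation is a short name: compare first labels.
    return host.split(".")[0].upper()

def triage(xml_text):
    """Count queries per (subject, workstation, target), split by caller location."""
    local, remote = Counter(), Counter()
    for r in parse_4797(xml_text):
        ws = r.get("Workstation", "")
        key = (r.get("SubjectUserName", ""), ws, r.get("TargetUserName", ""))
        # An empty or "-" workstation does not match and lands in `remote` for review.
        (local if short(ws) == short(r["Computer"]) else remote)[key] += 1
    return local, remote

if __name__ == "__main__":
    local, remote = triage(SAMPLE)
    for label, counts in (("same host", local), ("workstation differs", remote)):
        for key, n in counts.items():
            print(f"{label}: {key} x{n}")
```
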
  4. Techie_DD Win User

    Windows 10 workstation Security log filling with Event ID 4703

    My Windows 10 workstation's Security Event Log is filled with informational Event ID 4703 (like 20/second).

    It's an Audit Success on Authorization Policy Change category.

    Pretty much all are about the javaw.exe process & SeSecurityPrivilege. But also a few of them list svchost.exe as the process & a whole list of privileges.

    I can't find anything on the Net about event 4703.

    Sometimes it lists the privilege as Disabled (as below), and some are Enabled. Back & forth, multiple events per second.

    Does anyone have any idea what/why this is, or anyone else experiencing it?

    Here are the details of the event (edited for privacy)...

    Task Category: Authorization Policy Change
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: xxxxx.yyyy.com
    Description:
    A user right was adjusted.

    Subject:
        Security ID: SYSTEM
        Account Name: XXXXXX
        Account Domain: YYYYYYYY
        Logon ID: 0x3E7

    Target Account:
        Security ID: SYSTEM
        Account Name: XXXXXXX
        Account Domain: YYYYYYYYY
        Logon ID: 0x3E7

    Process Information:
        Process ID: 0xb24
        Process Name: C:\Windows\SysWOW64\ContegoSPOP\jre1.7.0_65\bin\javaw.exe

    Enabled Privileges:
        -

    Disabled Privileges:
        SeSecurityPrivilege
     
    Techie_DD, Jan 20, 2020
    #4