Event 4797: Attempt to Query Existence of Blank Password for Account

On my Windows 8.1 desktop, I see a lot of messages like this from lsass.exe in the Event Viewer's audit log:

An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:       LOCAL SERVICE
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E5

Additional Information:
    Caller Workstation: PETTER
    Target Account Name:    Administrator
    Target Account Domain:  PETTER

It goes on once in a while for a few different Target Account Names, like Administrator, Guest, HomeGroupUser$, etc. This message shows up on certain intervals no matter if I am connected to the Internet or not.

To make sure that there was no malicious intent behind this, I ran a virus check with Malwarebytes, Trend Micro and AVG, which were all in agreement that the system in fact was clean.

I then reinstalled a clean system; the messages still re-appeared after a while.

It does not seem to matter whether system is connected to network or not; even with network cable unplugged, these messages appear. (Maybe not so strange considering that it's running as S-1-5-19 "Local Service".)

Strangely, on the Internet, there seems to be a lot of others who've faced this very issue, but the threads and questions there remain unanswered.

What is the origin of these messages, and why is there a constant scan for empty passwords?

Here is the output of auditpol:

C:\WINDOWS\system32>auditpol /get /user:Administrator /category:*
No audit policy is defined for the user account.

C:\WINDOWS\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

Best Answer

This is normal, don't panic.

One of these events is logged for each local account when one of these two things happens:

The user tile on the Start screen is pressed to get the dropdown of account-related options:

In this case, the Subject is the currently logged-in user (me, in the above screenshot). The events are logged even on domain-joined machines where no local accounts appear in the resulting menu.
The logon UI appears to show the list of local users that can be signed into. In this case, the Subject is NT AUTHORITY\LOCAL SERVICE. The events are not logged on domain-joined machines where only a username and password are entered.

As for what the event means, it's what it says on the tin - an application running as the Subject tested for a blank password on the account specified by the Target Account Name. Windows does that so that it doesn't need to prompt users for passwords they don't have; it would be confusing for some people to see a password box before they sign in when they have no password.

Windows shouldn't need to do that check until the user clicks on one of the other users on the logon screen or in the switch list, but it does.

Best Answer

Related Solutions

Windows – Lost admin access to the computer due to corrupt user account (win7)

Related Question