Possible malware attempt? I have never had this appear in my event log?

Hi DarrianCone, 

Welcome to Microsoft Community.

*Please pay attention to protecting your privacy information. Account name and computer name are part of your privacy information.*

Thank you for posting your inquiry regarding the results of your security scan.

Discovering unusual events in your Event Viewer can feel a bit like noticing an unfamiliar shadow in your home—it's natural to be concerned and want to understand what's going on.

The event stating that "an attempt was made to query the existence of a blank password for an account" is essentially your system checking whether the **Guest** account lacks a password. This might seem alarming, but it's often a routine security measure. Windows periodically performs checks to ensure that all accounts are secured, particularly ones like the Guest account, which can pose a security risk if left with a blank password.

The subsequent failed logon attempt for the Guest account, with the failure reason "Account currently disabled," is actually reassuring. It means that while there was an attempt to log in using the Guest account, the system effectively blocked it because the account is disabled. By default, Windows disables the Guest account to prevent unauthorized access, so this failure indicates that your system is protecting itself as intended.

The process involved in these events is C:\Windows\System32\PickerHost.exe. This executable is associated with Windows' file picker interface—the dialog that appears when you open or save files in various applications. It's common for this process to interact with user accounts and permissions to ensure that you have the appropriate access to files and directories. In essence, it's checking which doors you're allowed to open within your system.

Following these events, the entry noting that "a user's local group membership was enumerated" suggests that the system was verifying the groups and permissions associated with your user account. This is standard behavior, helping the system ensure that you have the correct access rights and that everything is running smoothly.

Considering that these events occurred shortly after you completed a full system scan, it's plausible that your antivirus software initiated these checks as part of its post-scan activities. Security software often performs additional verification steps to ensure there are no vulnerabilities—like unsecured accounts or incorrect permissions—that could be exploited by malware.

The following is additional information about this event ID.

4625(F) An account failed to log on. - Windows 10 | Microsoft Learn

While the notion of malware attempting to access your system is understandably concerning, the events you've described align with normal system operations focused on security. There's no immediate indication of malicious activity based solely on this information. However, staying vigilant is always wise.

To help dispel any lingering doubts, you might consider taking a few additional steps:

Verify the Status of the Guest Account: Double-check that the Guest account remains disabled.

• Press Win + R to open Run.
• Type the following keywords:

  	lusrmgr.msc

• Check or adjust "Guest" account.

For extra reassurance, you could run a secondary malware scan using any other antivirus software you trusted. A fresh scan can confirm that your system is free from threats and that your security software is functioning effectively.

We cannot recommend specific third-party products to you directly.

If you wish, you can try using widely available AI services to consult the introduction of stress-testing tools and further verify.

Thanks for your patience and understanding.Best Regards,Kyo.Y - MSFT | Microsoft Community Technical Support

All of these happened just a few seconds before the failed attempt????

***Personal information deleted by the moderator. Please see the*Microsoft Community Frequently Asked Questions*for more information on how you can protect your privacy.***