Windows Server 2012 Event ID 4797 - An attempt was made to query the existence of a blank password for an account.

Peter Fong 1 Reputation point
2020-11-12T04:00:51.99+00:00

When I log in to the Windows Server 2012 machine, the account may trigger the server to query the existence of a blank password for all of the local accounts on the server (Event ID 4797).

In the security event log, there will be a list of actions logged to indicate that my account queried the existence of a blank password for all of the local accounts on the server.

What causes lead to this abnormal action?

The query actions are not triggered every time I log in to the server. There is only some chance of triggering the action.

What condition will trigger the account to query the existence of a blank password for all of the local accounts on the server?

Are there any security issues for the query action?

Thanks.


5 answers

  1. Anonymous
    2020-11-12T04:08:35.883+00:00

    Sounds like some auditing was enabled.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode

    --please don't forget to Accept as answer if the reply is helpful--


  2. Anonymous
    2020-11-12T05:53:39.883+00:00

    Hello,

    Thank you so much for posting here.

    According to my research, it is EventID 4797 - An attempt was made to query the existence of a blank password for an account. But it is Event ID 4979 according to our description. We could kindly have a recheck about the event ID.

    As Dave mentioned, it looks like a security audit. The condition would be security auditing.

    Open a command prompt as administrator, type the following command. Then we could check the output.
    auditpol /get /category:*

    The User Account Management category is probably the culprit. We could kindly check about this.

    Reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797

    For any question, please feel free to contact us.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Peter Fong 1 Reputation point
    2020-11-16T08:54:46.403+00:00

    @Anonymous

    On the reference website above, someone said that one of these events is logged for each local account when one of these two things happens:

    1. The user tile on the Start screen is pressed to get the dropdown of account-related options: the user tile
      In this case, the Subject is the currently logged-in user (me, in the above screenshot). The events are logged even on domain-joined machines where no local accounts appear in the resulting menu.
    2. The logon UI appears to show the list of local users that can be signed into. Windows does that so that it doesn't need to prompt users for passwords they don't have; it would be confusing for some people to see a password box before they sign in when they have no password.

    Windows shouldn't need to do that check until the user clicks on one of the other users on the logon screen or in the switch list, but it does.

    I tried to simulate the issue again under the above conditions. However, no 4797 actions were logged in the event log.
    I wonder whether there is any other condition that can trigger the 4797 action.
    I have another server that also has User Account Management enabled, but it rarely or never triggers the 4797 action. Is there any Microsoft information page that explains what triggers this event (4797)?

    Another person said that:
    The Level of Auditing is Informational and not a Warning or Error. This event can be safely ignored as it is only for informational purpose and to check if by any chance user is set for Blank password. You only see this event if only auditing is enabled and this event does not imply any breach in the system.

    Does this event/action reveal any security issues on the server, or can we safely ignore it?
    Thanks.


  4. Anonymous
    2020-11-16T09:39:25.473+00:00

    Hello @Peter Fong ,

    Thank you so much for your feedback.

    I have done lots of research about this action, but I am sorry to say that there is no Microsoft information page that explains what can trigger this event. Below is the Microsoft information page about this event.

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774338(v=ws.10)?redirectedfrom=MSDN

    As per my research, it may be an effect of automated default password matching software making queries. Reference:
    https://social.technet.microsoft.com/Forums/ie/en-US/925fbef3-db0c-4b97-8174-b54c6a551f3c/windows-81-an-attempt-was-made-to-query-the-existence-of-a-blank-password-for-an-account?forum=w8itprosecurity

    According to the article below:
    "There is a lot of confusion about this event and no good explanation. If you see this event for many different target account names I would investigate. Or if you see this event on many different systems where caller workstation name is the same. Otherwise ignore.

    More: This event is worthless. I just set up a new Windows 10 VM, installed one very safe piece of software on it, and logged on as a non-admin user. After logon, that user, according to the security log, queried the existence of a blank password for every local account on the system. I'm certain the system is clean of malware. If this event at least included the process that made the request we'd have a chance of tracking down what is causing it but all you get is the target account and who did it."

    Reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797

    So sorry that more useful information could not be provided. Thank you so much for your understanding and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong
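
The triage rule quoted in the answer above (many different target accounts, or the same caller workstation name on many systems), written out as an added example that is not part of the original thread. The `EventData` field names (`SubjectUserName`, `SubjectDomainName`, `Workstation`, `TargetUserName`) are assumed from the fields the event description lists, and the parameter names and threshold are illustrative.

```powershell
# Added example: summarize Event ID 4797 by subject, target account and caller workstation.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # hosts whose Security log is read
    [int]$Hours = 24,                                # look-back window
    [int]$TargetThreshold = 10                       # illustrative: distinct targets per burst
)
# Check first that auditing is on: auditpol /get /subcategory:"User Account Management"
$filter = @{ LogName = 'Security'; Id = 4797; StartTime = (Get-Date).AddHours(-$Hours) }
$rows = @(foreach ($computer in $ComputerName) {
    Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}   # EventData name/value pairs for this record
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Computer    = $computer
                Minute      = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm')
                Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Workstation = $data['Workstation']
                Target      = $data['TargetUserName']
            }
        }
})

# 1) One subject querying many different target accounts in the same minute on one host.
$rows | Group-Object Computer, Subject, Minute | ForEach-Object {
    $targets = @($_.Group.Target | Sort-Object -Unique)
    [pscustomobject]@{
        Computer = $_.Group[0].Computer; Subject = $_.Group[0].Subject; Minute = $_.Group[0].Minute
        DistinctTargets = $targets.Count
        Review          = $targets.Count -ge $TargetThreshold
    }
} | Sort-Object DistinctTargets -Descending | Format-Table -AutoSize

# 2) The same caller workstation name showing up in 4797 events on more than one host.
$rows | Group-Object Workstation | ForEach-Object {
    [pscustomobject]@{
        Workstation = $_.Name
        Hosts       = @($_.Group.Computer | Sort-Object -Unique).Count
        Events      = $_.Count
    }
} | Where-Object { $_.Hosts -gt 1 } | Format-Table -AutoSize
```

Reading the Security log requires an elevated session, and the second table stays empty unless more than one host is passed in `-ComputerName`.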


  5. Peter Fong 1 Reputation point
    2021-01-14T07:37:42.363+00:00

    @Anonymous
    After multiple scans, there is no spyware on the server.

    Any other suggestions?

    Also, can anyone explain more about how this event is triggered?

    Thank you very much!!

