Windows 8 Event ID 4797 in Security Log

I am seeing frequent log entries in the Windows 8 Security Log for:

Event ID 4797

An attempt was made to query the existence of a blank password for an account.

Any ideas on what might be the cause of this message?

Is there a good source to use for deciphering Windows Log Event IDs? In the Event Log window I clicked on the "Event Log Online Help" link and it brought me to a TechNet web page that said "The page I requested could not be found."

January 8th, 2013 12:36am

This has appeared in the prerelease version

http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/531afe9f-8ba1-480b-be17-7e1ed200be5f/

Regards

Milos

January 8th, 2013 1:28am

Hi,

That means that an application or service makes an attempt to query the accounts which have a blank password. I think some security software may make such a request.

January 9th, 2013 12:16pm

I have this happening on a release version of Windows 8 and can't seem to make it go away.

January 29th, 2013 5:48am

There are more people appearing with this problem.

And now also Windows 8 x64 Enterprise..

See this forum discussion... about the 4797 going crazy in the security event log

http://www.eightforums.com/system-security/18843-event-id-4797-a.html

Kaspersky has been told and will be looking into the issue...

January 30th, 2013 6:55am

The Malwarebytes rootkit scanner found nothing.

Thanks though.

Event ID 4797 goes on...

My registry key looked fine.

  • Edited by DrHaze Saturday, February 02, 2013 1:01 AM
February 1st, 2013 11:46pm

(1) Check at malwarebytes.org and download a rootkit detector kit, mbr-1.01.0.0107.

Run the mbar.exe from the kit.

(2) On my machine it showed that the registry line

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

had an entry AppInit_Dlls with value REG_SZ c:\PROGRA~2\NVIDIA~1\3DIVISI~1\NVSTIN~1.DLL

Normally this AppInit_Dlls entry loads before the operating system and reloads with every application.

PROGRA~2 is a shortened DOS path. You can inspect your path using command prompt "dir /x".

My command prompt reports that the file NVSTIN~1.DLL does not exist; "dir /ah" reported nothing. But it could be hidden in some new way, or just a jump to another address.

(3) I deleted the path above and so far the system boots just fine and no more 4797 security entries.

(4) Be careful in deleting registry entries. It worked on my machine, but it may not work on yours.

(5) Microsoft's latest Defender file and the Malicious Software Removal Tool (KB890830-x64-V4.16) did not detect AppInit_Dlls.

(6) We have 4 machines running Windows 8. The only one posting 4797 errors is the one with the AppInit_Dll registry entry.

4797 entries started about three weeks after install, 11 Jan 2013.

(7) Please check your systems and post back if you find the same AppInit_Dlls. If you find the same 4797 and AppInit_Dlls registry then maybe the two are related. If it goes away after you remove the registry entry, then maybe that will solve it. Never know for sure anymore.

Thanks.

February 2nd, 2013 2:00am
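
Added example, not part of the post above: a read-only PowerShell check of the AppInit_DLLs value the poster describes, in both the 64-bit and 32-bit (Wow6432Node) registry views. Windows loads the listed DLLs into every process that loads user32.dll when LoadAppInit_DLLs is enabled, so the script reports that switch, whether each listed file exists, and its Authenticode signature status.

```powershell
# Added example: inspect AppInit_DLLs without changing anything.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }          # e.g. no Wow6432Node on 32-bit Windows

    # LoadAppInit_DLLs = 0 (or missing) means the list is ignored even if populated.
    $enabled = [bool]$props.LoadAppInit_DLLs

    # The value is a space- or comma-separated list, which is why entries
    # are normally written as 8.3 short paths (PROGRA~2 and so on).
    $entries = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

    if ($entries.Count -eq 0) {
        [pscustomobject]@{ Key = $key; LoadEnabled = $enabled; Entry = '(empty)'
                           Exists = $null; Signature = $null; Signer = $null }
        continue
    }

    foreach ($entry in $entries) {
        # -Force so hidden and system files are found as well.
        $item = Get-Item -LiteralPath $entry -Force -ErrorAction SilentlyContinue
        $sig  = if ($item) { Get-AuthenticodeSignature -FilePath $item.FullName }

        [pscustomobject]@{
            Key         = $key
            LoadEnabled = $enabled
            Entry       = $entry
            Exists      = [bool]$item      # False = stale entry pointing at nothing
            Signature   = if ($sig) { $sig.Status } else { $null }
            Signer      = if ($sig -and $sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          } else { $null }
        }
    }
}
```

An entry with `Exists = False` matches what the poster saw with `dir`; an entry that exists but is unsigned or signed by an unexpected publisher is the one to investigate before deleting anything.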

February 2nd, 2013 2:46am

The Malwarebytes rootkit scanner found nothing.

Thanks though.

Event ID 4797 goes on...

My registry key looked fine.

I have noticed this same problem. Just having a quick look, I did 2 things: left the homegroup, did nothing obviously. Secondly I went into airplane mode and out again. It stopped

so... not sure but that stopped it on my computer

for now

Edit: stopped for 10 mins, got 2 more, almost 10 mins exactly

so sounds like a task scheduled


  • Edited by way2dumb Monday, December 16, 2013 8:25 PM
December 16th, 2013 8:24pm

December 16th, 2013 11:24pm

I have the same problem and had the same experience when clicking the help link - page not found.

Searched event 4797 on technet to get here.

This seems to have started on my HP envy dv6 laptop after the latest Nvidia update done yesterday as I've never noticed the icon in my system tray that warned me of its occurrence before.

I have not checked beyond that, but am sensitized to hacking attempts big time since I have a particular domain they love to target that I constantly have to restore backups to in order to keep it up.

June 10th, 2014 5:06am

In the Event Log window I clicked on the "Event Log Online Help" link and it brought me to a Technet web page that said "The page I requested could not be found."

This, to me, represents a blatant failure by Microsoft to support their product properly or sufficiently.

I have been complaining about this complete failure to document the product for a long time.  It does no good.

One time Microsoft folks actually suggested I search online for anecdotal information on particular events.  Seems funny they've left the links in there.

 

June 17th, 2014 3:53pm

This is due to a process in the Windows OS itself... Seemingly, the code pounds user accounts with a pw query. It checks local guest and admin whether they are disabled or not and any locally created accounts including your primary MS login credentials (Win8). Eventvwr.msc reports it is a query for blank pw. For all intents and purposes I would say disregard this security information; however, I do find it strange TechNet has no official explanations.

Rest assured - there is no extended compromise beyond what there is when using a PC or the Internet in general. Not a "virus".

June 21st, 2014 5:38pm
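
Added example, not part of any post in this thread: a read-only PowerShell summary of the 4797 events on a machine, showing which account asked about which target account and whether the events arrive in regular sweeps, as the "almost 10 mins exactly" observation and the post above suggest. Field names are read from each event's own XML rather than assumed; the 60-second burst threshold is an assumption to tune.

```powershell
# Added example. Run elevated: reading the Security log needs admin rights.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4797 } `
        -MaxEvents 1000 -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

# Flatten each event's <EventData> into one object, keyed by the Name
# attribute that the event itself carries.
$rows = foreach ($e in $events) {
    $row = [ordered]@{ TimeCreated = $e.TimeCreated }
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $row[$d.Name] = $d.'#text'
    }
    [pscustomobject]$row
}

# Who queried which account: count identical field combinations.
$rows | Group-Object {
        ($_.PSObject.Properties | Where-Object Name -ne 'TimeCreated' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } | Sort-Object Count -Descending | Select-Object Count, Name | Format-List

# Bursts: events closer together than $burstGap count as one sweep over the
# accounts. A steady MinutesSincePrevious points at a timer or scheduled job.
$burstGap = [timespan]::FromSeconds(60)    # assumption, tune as needed
$bursts = @()
$prev = $null
foreach ($r in $rows) {
    if ($null -eq $prev -or ($r.TimeCreated - $prev) -gt $burstGap) {
        $bursts += [pscustomobject]@{
            Start = $r.TimeCreated; Events = 0; MinutesSincePrevious = $null
        }
        if ($bursts.Count -gt 1) {
            $gap = ($r.TimeCreated - $bursts[-2].Start).TotalMinutes
            $bursts[-1].MinutesSincePrevious = [math]::Round($gap, 1)
        }
    }
    $bursts[-1].Events++
    $prev = $r.TimeCreated
}
$bursts | Format-Table -AutoSize
```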

This same message has occurred for me on several attempts to get explanations for log entries.  It is very frustrating at best. 
February 18th, 2015 8:14pm

For all intents and purposes I would say disregard this security information; however, I do find it strange TechNet has no official explanations.

I would like to disregard except it's starting to fill up my production Win Server 2012 R2 / SQL Server 2014 logs that host our flagship product.  Microsoft is in radio silence on this issue.  The only suggested solution that I can find so far is to temporarily disable auditing and reboot to see if auditing is the culprit:

Event ID:4797 An attempt was made to query the existence of a blank password for an account.

I don't think that's a best practice for a production database server running a cloud-based product.

An actual solution would be greatly appreciated (Microsoft...???  Hello....).

Jeff


August 7th, 2015 1:51pm

  • Edited by CyberGuild Friday, August 07, 2015 7:05 PM
August 7th, 2015 5:50pm

This topic is archived. No further replies will be accepted.
