Windows 8 Event ID 4797 in Security Log

  • Question

  • I am seeing frequent log entries in the Windows 8 Security Log for:

    Event ID 4797

    An attempt was made to query the existence of a blank password for an account.

    Any ideas on what might be the cause of this message?

    Is there a good source to use for deciphering Windows Log Event IDs? In the Event Log window I clicked on the "Event Log Online Help" link and it brought me to a Technet web page that said "The page I requested could not be found."

    Monday, January 7, 2013 9:36 PM

All replies

  • Monday, January 7, 2013 10:28 PM
  • Hi,

    That means that an application or service is attempting to query which accounts have a blank password. I think some security software may make such a request.


    Juke Chou
    TechNet Community Support

    Wednesday, January 9, 2013 9:16 AM
  • I have this happening on a release version of Windows 8 and can't seem to make it go away.

    Tuesday, January 29, 2013 2:48 AM
  • There are more people appearing with this problem.

    And now also Windows 8 x64 Enterprise..

    see this forum discussion...about the 4797 going crazy in the security event log

    http://www.eightforums.com/system-security/18843-event-id-4797-a.html

    Kaspersky has been told and will be looking into the issue...

    Wednesday, January 30, 2013 3:55 AM
  • (1) Check at malwarebytes.org and download a rootkit detector kit mbr-1.01.0.0107.

    Run the mbar.exe from the kit.

    (2) On my machine it showed that the registry line

    HKEY_LOCAL_MACHINE\software\Microsoft\windowsNT\current version\Windows

    had an entry AppInit_Dlls with value REG_SZ c:\PROGRA~2\NVIDIA~1\3DIVISI~1\NVSTIN~1.DLL

    Normally this AppInit_Dlls  entry loads before the operating system and reloads with every application.

    PROGRA~2 is a shortened DOS path. You can inspect your path using command prompt  "dir /x"

    My command prompt reports that the file NVSTIN~1.DLL does not exist, "dir /ah" reported nothing, but it could be hidden in some new way, or just a jump to another address.

    (3) I deleted the path above and so far the system boots just fine and no more 4797  security entries.

    (4) Be careful in deleting registry entries. It worked on my machine, but it may not work on yours.

    (5) Microsoft's latest Defender file and the Malicious software removal tool (KB890830-x64-V4.16)  did not detect AppInit_Dlls.

    (6) We have 4 machines running Windows 8. The only one posting 4797 errors is the one with the AppInit_Dll registry entry.

    4797 entries started about three weeks after install,  11Jan 2013.

    (7) Please check your systems and post back if you find the same AppInit_Dlls. If you find the same 4797 and AppInit_Dlls registry then maybe the two are related. If it goes away after you remove the registry entry, then maybe that will solve it. Never know for sure anymore.

    Thanks. 

    Friday, February 1, 2013 11:00 PM
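
A read-only way to inspect the value discussed in the post above, added here as an example and not part of the original thread. AppInit_DLLs names DLLs that Windows loads into every process that loads user32.dll; the script reports each listed DLL in both registry views, whether the file exists, and its Authenticode status, and it changes nothing.

```powershell
# Added example (not from the thread): read-only report on AppInit_DLLs.
$views = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

$report = foreach ($key in $views) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { continue }

    # The value is a space- or comma-separated list, which is why entries
    # usually appear as 8.3 short paths such as PROGRA~2.
    $dlls = @("$($p.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

    foreach ($dll in $dlls) {
        # Entries without a full path are only found if they sit in the current directory.
        $exists = Test-Path -LiteralPath $dll -PathType Leaf
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }

        [pscustomobject]@{
            Key           = $key
            LoadEnabled   = $p.LoadAppInit_DLLs           # 0 means the list is ignored
            RequireSigned = $p.RequireSignedAppInit_DLLs  # 1 means only signed DLLs load
            Dll           = $dll
            FileExists    = $exists
            Signature     = $sig
        }
    }
}

if ($report) { $report | Format-List } else { 'AppInit_DLLs is empty in both registry views.' }
```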
  • The malwarebytes root kit scanner found nothing.

    Thanks Though.

    Event ID 4797 goes on...

    my registry key looked fine

    • Edited by DrHaze Saturday, February 2, 2013 1:01 AM
    Friday, February 1, 2013 11:46 PM
  • The malwarebytes root kit scanner found nothing.

    Thanks Though.

    Event ID 4797 goes on...

    my registry key looked fine

    I have noticed this same problem. Just having a quick look, I did 2 things: left the homegroup, did nothing obviously. Secondly I went into airplane mode and out again. It stopped

    so... not sure but that stopped it on my computer

    for now

    edit: stopped for 10 mins, got 2 more almost 10 mins exactly

    so sounds like a task scheduled


    • Edited by way2dumb Monday, December 16, 2013 8:25 PM
    Monday, December 16, 2013 8:24 PM
  • I have the same problem and had the same experience when clicking the help link - page not found.

    Searched event 4797 on technet to get here.

    This seems to have started on my HP envy dv6 laptop after the latest Nvidia update done yesterday as I've never noticed the icon in my system tray that warned me of its occurrence before.

    I have not checked beyond that, but am sensitized to hacking attempts big time since I have a particular domain they love to target that I constantly have to restore backups to in order to keep it up.

    Tuesday, June 10, 2014 2:06 AM
  • In the Event Log window I clicked on the "Event Log Online Help" link and it brought me to a Technet web page that said "The page I requested could not be found."

    This, to me, represents a blatant failure by Microsoft to support their product properly or sufficiently.

    I have been complaining about this complete failure to document the product for a long time.  It does no good.

    One time Microsoft folks actually suggested I search online for anecdotal information on particular events.  Seems funny they've left the links in there.

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Tuesday, June 17, 2014 12:53 PM
  • This is due to a process in the win os itself... Seemingly, the code pounds user accounts with a pw query. It checks local guest and admin whether they are disabled or not and any locally created accounts including your primary MS login credentials (Win8). Eventvwr.msc reports it is a query for blank pw. For all intents and purposes I would say disregard this security information; however, I do find it strange TechNet has no official explanations.

    Rest assured - there is no extended compromise beyond what there is when using a PC or the Internet in general. Not a "virus".

    Saturday, June 21, 2014 2:38 PM
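
To check the two observations made in the replies above (that the events recur about every 10 minutes, and that they sweep the local accounts), the events themselves can be summarised. This is an added example, not part of the original thread; it must run elevated to read the Security log, and the EventData field names used are those of the 4797 event schema.

```powershell
# Added example (not from the thread): who raises Event ID 4797, against
# which accounts, and at what interval.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4797 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Workstation = $data.Workstation
        Target      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
    }
}

# 1) Which account asks, and about which accounts.
$rows | Group-Object Subject, Workstation, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2) One sweep touches several accounts within seconds, so collapse events
#    less than 5 seconds apart into a single sweep before measuring gaps.
$sweeps = @()
$last = $null
foreach ($r in ($rows | Sort-Object Time)) {
    if (-not $last -or ($r.Time - $last).TotalSeconds -gt 5) { $sweeps += $r.Time }
    $last = $r.Time
}

# 3) Most common gap between sweeps, in whole minutes. A single dominant
#    value points at a timer or scheduled job rather than interactive use.
$gaps = for ($i = 1; $i -lt $sweeps.Count; $i++) {
    [math]::Round(($sweeps[$i] - $sweeps[$i - 1]).TotalMinutes)
}
$gaps | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 5 @{ n = 'GapMinutes'; e = { $_.Name } }, Count
```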
  • This same message has occurred for me on several attempts to get explanations for log entries.  It is very frustrating at best. 
    Thursday, February 19, 2015 1:11 AM
  • For all intents and purposes I would say disregard this security information; however, I do find it strange TechNet has no official explanations.

    I would like to disregard except it's starting to fill up my production Win Server 2012 R2 / SQL Server 2014 logs that host our flagship product.  Microsoft is in radio silence on this issue.  The only suggested solution that I can find so far is to temporarily disable auditing and reboot to see if auditing is the culprit:

    Event ID:4797 “An attempt was made to query the existence of a blank password for an account.”

    I don't think that's a best practice for a production database server running a cloud-based product.

    An actual solution would be greatly appreciated (Microsoft...???  Hello....).

    Jeff


    • Edited by JeffTX Friday, August 7, 2015 7:05 PM
    Friday, August 7, 2015 5:50 PM
  • I agree with you. I have been unsuccessful in finding explanations on Microsoft's Tech Site for dozens of  Event Viewer Messages. The Event Viewer hotlink has never made a connection with any info on TechNet for over a three year period using Vista, 8.0 and 8.1. Microsoft has never responded to my comments regarding the poor quality of their Event Viewer software, its support documents and their lack of responsiveness in addressing   maintenance issues. Windows 10 no doubt has the same problems.   
    Monday, December 7, 2015 4:25 AM
  • "Rest assured" is truly a bizarre phrase to use when discussing a software issue particularly one related to security.

    Monday, December 7, 2015 4:39 AM
  • Windows 10 no doubt has the same problems.   

    And all new ones.

    Microsoft provides an even lower level of documentation now, if you can believe it - just look at Windows Update descriptions any more.  They feel since they'll be delivering Windows As A Service, you should not even want to know what's going on inside.

    Someone in Redmond has really got a twisted idea of where computing needs to go.

    -Noel



    Tuesday, December 8, 2015 7:37 AM
  • Hi Dr Haze, I believe I know you! Is your first name Purple? Also - awesome avatar. Pink Floyd was one of my favorites to listen to when... Anyway I too have this problem on Windows 8.1 and I am getting close to committing hari-kari on my pc!!!
    Sunday, December 27, 2015 3:54 AM
  • I agree with you. I have been unsuccessful in finding explanations on Microsoft's Tech Site for dozens of  Event Viewer Messages. The Event Viewer hotlink has never made a connection with any info on TechNet for over a three year period using Vista, 8.0 and 8.1. Microsoft has never responded to my comments regarding the poor quality of their Event Viewer software, its support documents and their lack of responsiveness in addressing   maintenance issues. Windows 10 no doubt has the same problems.   

    I have the same experience. Why bother anyway offering links that are unusable?


    Saturday, January 16, 2016 9:23 PM