Event 4797 "An attempt was made to query the existence of a blank password for an account"
This is normal, don't panic.
One of these events is logged for each local account when one of these two things happens:
- The user tile on the Start screen is pressed to get the dropdown of account-related options. In this case, the Subject is the currently logged-in user (me, in the above screenshot). The events are logged even on domain-joined machines where no local accounts appear in the resulting menu.
- The logon UI appears to show the list of local users that can be signed into. In this case, the Subject is NT AUTHORITY\LOCAL SERVICE. The events are not logged on domain-joined machines where only a username and password are entered.
As for what the event means, it's what it says on the tin - an application running as the Subject tested for a blank password on the account specified by the Target Account Name. Windows does that so that it doesn't need to prompt users for passwords they don't have; it would be confusing for some people to see a password box before they sign in when they have no password.
Windows shouldn't need to do that check until the user clicks on one of the other users on the logon screen or in the switch list, but it does.
Security audits
Security auditing is a powerful tool to help maintain the security of an enterprise. Auditing can be used for a variety of purposes, including forensic analysis, regulatory compliance, monitoring user activity, and troubleshooting.
You can use Windows security and system logs to create a security events tracking system, to record and store network activities that are associated with potentially harmful behaviors, and to mitigate those risks.
Source: Security Auditing Overview
Security audits are divided into different categories, such as registry and file system access, failed logon attempts, and user account changes. Certain categories are enabled by default. To get a list of the available ones and their current settings, run the following command from an elevated command prompt:
auditpol /get /category:*
Event 4797
Here's what a typical event looks like:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/29/2014 10:39:58 AM
Event ID: 4797
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: <ComputerName>
Description:
An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Additional Information:
Caller Workstation: <ComputerName>
Target Account Name: Administrator
Target Account Domain: <DomainName>
As you can see, the category is User Account Management, which generates audit events related to user accounts. Unlike others, this specific event doesn't seem to be documented.
Disable all audit policies
To confirm whether the built-in security auditing feature is the culprit, you can temporarily clear all audit policies, thus disabling them.
Open an elevated command prompt.
Make a backup of the audit policies by running this command:
auditpol /backup /file:"%userprofile%\Desktop\auditpol.bak"
Ensure the file was saved correctly. It should be located on the desktop. In case it's not, pick a different file path and try again.
Disable all audit policies:
auditpol /clear
Restart Windows, and check whether you're still getting the same events. To restore the policy backup you created earlier, run this command:
auditpol /restore /file:"%userprofile%\Desktop\auditpol.bak"
Further reading
- Security Auditing Overview
- Audit User Account Management
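The two answers above together give a practical triage rule: a 4797 event is expected when the Subject is NT AUTHORITY\LOCAL SERVICE (the logon UI enumerating local accounts) or the interactively logged-on user (the Start screen user tile), and the Caller Workstation is the machine itself. The script below is an added example, not code from either answer or from Microsoft: it parses event descriptions in the layout shown in the sample event and sorts them into those two benign buckets or a "review" bucket. The sample events, hostnames (WS01, WS02), account names (alice, svc-backup), SIDs and logon IDs are constructed, and the caller-workstation comparison is an added heuristic rather than something the page states.

```python
import re
from collections import defaultdict

# Constructed sample 4797 descriptions (not real captures), laid out the way
# Event Viewer renders them. Hostnames, accounts, SIDs and logon IDs are assumed.
SAMPLE_EVENTS = [
    # Logon UI listing local accounts: Subject is LOCAL SERVICE, logon ID 0x3E5.
    """Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Additional Information:
Caller Workstation: WS01
Target Account Name: Administrator
Target Account Domain: WS01""",
    # Start screen user tile: Subject is the interactively logged-on user.
    """Subject:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1001
Account Name: alice
Account Domain: WS01
Logon ID: 0x2F4A1
Additional Information:
Caller Workstation: WS01
Target Account Name: Guest
Target Account Domain: WS01""",
    # Neither pattern: a service account that is not an interactive user.
    """Subject:
Security ID: S-1-5-21-1111111111-2222222222-3333333333-1105
Account Name: svc-backup
Account Domain: WS01
Logon ID: 0x5D8C0
Additional Information:
Caller Workstation: WS01
Target Account Name: Administrator
Target Account Domain: WS01""",
    # LOCAL SERVICE, but the query did not originate on this machine.
    """Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Additional Information:
Caller Workstation: WS02
Target Account Name: Administrator
Target Account Domain: WS01""",
]

# Keys are anchored at line start, so "Account Name" never matches the
# "Target Account Name" line.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Account Domain|Logon ID|Caller Workstation|"
    r"Target Account Name|Target Account Domain):\s*(.*?)\s*$",
    re.MULTILINE,
)

LOGON_UI_SUBJECT = "NT AUTHORITY\\LOCAL SERVICE"
LOGON_UI_LOGON_ID = "0x3E5"


def parse_4797(description):
    """Extract the Subject and Target fields from a 4797 event description."""
    fields = dict(FIELD_RE.findall(description))
    return {
        "subject": f"{fields['Account Domain']}\\{fields['Account Name']}",
        "logon_id": fields["Logon ID"],
        "caller": fields["Caller Workstation"],
        "target": f"{fields['Target Account Domain']}\\{fields['Target Account Name']}",
    }


def classify(event, computer, logged_on_users):
    """Return 'logon-ui', 'start-tile' or 'review' for one parsed event.

    'review' is not an alert: it only means the event matches neither benign
    pattern described on this page. The caller-workstation check is an added
    heuristic (assumption), not something the page states.
    """
    if event["caller"].casefold() != computer.casefold():
        return "review"
    if (event["subject"].casefold() == LOGON_UI_SUBJECT.casefold()
            and event["logon_id"].lower() == LOGON_UI_LOGON_ID.lower()):
        return "logon-ui"
    if event["subject"].casefold() in {u.casefold() for u in logged_on_users}:
        return "start-tile"
    return "review"


def triage(descriptions, computer, logged_on_users):
    """Group raw 4797 descriptions by verdict as (subject, logon_id, target)."""
    verdicts = defaultdict(list)
    for text in descriptions:
        event = parse_4797(text)
        verdicts[classify(event, computer, logged_on_users)].append(
            (event["subject"], event["logon_id"], event["target"]))
    return dict(verdicts)


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_EVENTS, "WS01", ["WS01\\alice"]).items():
        print(verdict)
        for subject, logon_id, target in items:
            print(f"  {subject} ({logon_id}) -> {target}")
```

Because one 4797 event is written per local account each time the list is built, the "logon-ui" bucket will normally contain a burst of events sharing logon ID 0x3E5 and the same timestamp; grouping by (subject, logon ID) rather than looking at events one at a time is what makes the volume readable. To run this against a live machine, feed it the Message text of events with Id 4797 from the Security log and the list of currently logged-on users.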
We had this occur on several systems in our company so we went straight to Microsoft:
"As per my finding regarding Event ID 4947 “An attempt was made to query the existence of a blank password for an account”: you receive this event if you have auditing enabled for “User Account Management”.
The level of auditing is Informational and not a Warning or Error. This event can be safely ignored as it is only for informational purposes and to check if by any chance a user is set for a blank password. You only see this event if auditing is enabled, and this event does not imply any breach in the system."