Windows 8.1 - An attempt was made to query the existence of a blank password for an account.

In my security event logs, I have a lot of these messages and I don't know how to trace where they are coming from. Please help me with that.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5-1-2014 08:52:08
Event ID:      4797
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Computername
Description:
An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:        LOCAL SERVICE
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3E5

Additional Information:
    Caller Workstation:    ComputerName
    Target Account Name:    Guest
    Target Account Domain:    Computername

It's not only the guest account, but also the Administrator account, and the Updatu

January 5th, 2014 8:23am

Maybe an effect of automated default password matching software making queries.

http://social.technet.microsoft.com/Forums/windows/en-US/e6db8fba-c2c8-47be-a992-96e383e34693/windows-8-event-id-4797-in-security-log?forum=w8itprosecurity

http://technet.microsoft.com/en-us/library/cc774338(v=ws.10).aspx


January 5th, 2014 9:39am

I just did a scan with malwarebytes and windows defender and nothing was f
January 5th, 2014 1:46pm

If someone is using his/her pc with a hacking software? 
January 5th, 2014 1:54pm

No hacking software was found.... I did a full scan with malwarebytes, malwarebytes anti-rootkit and windows defender. Any other tools I can run a scan
January 5th, 2014 1:58pm

System automatically assigns a PW for guest accounts. Hetti Arachchige V Aravinda is correct.

Hackers will use a key generator for guess accounts mailed to you; if you click, you are actually installing a run script. Usually this will run all the time; if there is a connection, the guest account will tell you the connection and where. This is most famous with IIS ftp service for guest accounts. This was a major flaw with IIS ftp service in previous OS: the ftp world get confused with the amount of failed attempts and grant admin abilities to your ftp.

Your event for guest account would show many attempts; this is a very common old way that spammers used to connect to a device to spread spam.

Wireshark is a sure way to trace packets in and out of your ISP. You can now see what is coming. If you do this, do not let pcap run on start up. I am positive you have nothing to worry about. If you do trace your IP and you see lots of proxies coming in, I suggest you contact your ISP about this.




  • Edited by colakid Sunday, January 05, 2014 3:44 PM
January 5th, 2014 3:38pm

Yeah I understand that, but for example in Windows 7 I did not see these events. So the audit policies must have changed in Windows 8.1?
January 5th, 2014 7:22pm

My apologies for bumping an old thread... also sorry to the OP for this hijack :) but my question is relevant, as a proper answer will help those who may come to this thread for a similar issue.

@colakid said:

"Wireshark is a sure way to trace packets in and out of your ISP. You can now see what is coming. If you do this, do not let pcap run on start up. I am positive you have nothing to worry about. If you do trace your IP and you see lots of proxies coming in, I suggest you contact your ISP about this."

Any suggestions for an easy-to-use manual for Wireshark? Specifically a resource that speaks directly to what one should be looking for, again, specifically in regards to this blank password issue, but also generally as far as hack defense and forensics. Any help you can provide would be greatly appreciated.

Also, in the last sentence you mention tracing the IP. Are you referring to the tracert via command line?

I suspect my home computer, a standalone non-domain, non-work/homegroup PC running Windows 8.1 x64, is experiencing a long term, very persistent compromise. Botnet? Mal/spyware? Active surveillance hack? (as I am a noisy activist) I am seeing rootkit/bootkit type symptoms that I have been unable to finger a known malicious source for. Having made so many attempts to directly identify the problem, I am simply seeking knowledge as much as possible, from those who seem knowledgeable whenever I come across a thread that seems similar.


Anyhow, like I said any advice you might be able to share would be gentlemanly of you.  Thanks!


June 8th, 2015 9:39pm

This topic is archived. No further replies will be accepted.
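
For the original question (how to trace where the 4797 events come from), an added example that is not part of the thread: a PowerShell summary of Event ID 4797 by subject account, caller workstation and target account, the same fields shown in the posted event. The `Data` names (`SubjectUserName`, `Workstation`, `TargetUserName` and so on) are assumed from the event's XML view, and the 2000-event limit is an arbitrary choice.

```powershell
# Added example: summarize Event ID 4797 by who queried, from where, about which account.
# Run from an elevated PowerShell prompt (reading the Security log requires it).

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4797 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a name -> value table.
    # The names used below are assumed; confirm them in Event Viewer > Details > XML View.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId = $data['SubjectLogonId']   # 0x3E5 is the fixed LOCAL SERVICE logon session
        Caller  = $data['Workstation']      # "Caller Workstation" in the rendered event
        Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    }
}

# 1) Which account is doing the querying, and from which workstation?
$rows | Group-Object Subject, Caller |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2) Which local accounts are being checked, and how often?
$rows | Group-Object Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3) Events whose caller workstation is NOT this machine deserve a closer look;
#    in the event posted above the caller is the local computer itself.
$remote = $rows | Where-Object { $_.Caller -and $_.Caller -ne $env:COMPUTERNAME }
if ($remote) {
    $remote | Sort-Object Time | Format-Table Time, Subject, Caller, Target -AutoSize
} else {
    'All 4797 events in the sample were raised from this computer.'
}
```

If every row shows a built-in service account as the subject and the local computer as the caller, as in the posted event, the queries are being made on the machine itself and not arriving over the network.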
