Windows 8 and 8.1 Forums

Event ID 4797

  1. #51

    Bit of an old post I know, but did anyone get to the bottom of this? No word from Microsoft, well not that I can find anyway.


  2. #52

    Posts : 1
    Windows 8.0

    I was having this same problem. Computer waking up about 20 seconds after being instructed to sleep. Very high number of 4797's in the Event Viewer. I tried disallowing my mouse to wake the computer. The problem seems to have gone away. The funny thing is that clicking the mouse still wakes the computer, but now it actually stays asleep. Now I am only seeing 4797 events corresponding to actual keystrokes or mouse clicks used to wake the machine.

  3. #53

    Posts : 1
    Windows 8 Core 64-bit

    You are stuck in Audit mode.

    I reinstalled my operating system just today, and it did not require me to accept the terms. That's the first sign of Audit Mode (explaining what Audit mode is after). So I went to Event Logs and saw the EXACT error. So I went to sysprep and made it generalize and enter OOBE (Out of box experience, when you buy a new computer). But then, IT MAKES EXACT ERROR!!!
    Audit mode is so that the manufacturer can SECRETLY and UNTRACEABLY install stuff. It's been around from XP, 12 years ago, with Sysprep.

    So now the problem lies with Windows. The Event ID 4797, or (An attempt was made to query the existence of a blank password for an account.) is part of the symptoms for being Stuck In Audit Mode.

    So, to solve this, figure out how to turn Audit Mode off.

    My computer is a NP300E5C-A07US, the Thanksgiving Best Buy Combo Model.
    Last edited by okcnaline; 19 Aug 2013 at 16:15. Reason: Adds my computer model

  4. #54

    Posts : 1
    Windows 8.1 Pro


    Okay, it sounds like we want to know if the originating software (for the Event 4797) is local to the machine (and a Microsoft-related activity) or is not local to the machine and therefore probably a hacker.

    Try this:
    1) First, go into Computer Management -> Local Users and Groups and review your existing users. Note whether or not Administrator, Guest and HomeGroupUser$ are disabled or not. You might also note whether or not the default users are renamed or not.
    2) Also, go into Event Viewer -> Event Viewer (Local) -> Windows Logs -> Security -> (go to one of the Event 4797 log events) -> look at Additional Information, Target Account Name and verify that it's "Administrator"
    3) Local Group Policy Editor -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Rename administrator account = Administrator

    You might try renaming the Administrator account to AdminTest, rebooting your computer and waiting maybe ten minutes.

    In theory, if the culprit is something like Microsoft Security Essentials (Windows Defender) or whatever audits the group/local policies then it will know that the administrator account has been changed and it should now create audit events for 4797 which mention AdminTest in the Additional Information area of the Event Log detail.

    If the culprit is external to your system then in theory it would have no means of knowing that you'd changed the admin's name and would continue to query "Administrator". This then might be a good litmus test for determining if the originating software is local or remote. If the culprit is local then you might also infer that it's either Microsoft or non-Microsoft based upon this knowledge. (You can of course rename your admin user when you're finished with this test.)

    Good luck,
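
The comparison described in post #54 can be made across the whole Security log rather than one event at a time. The following is an added example, not part of the original thread: the EventData field names (`TargetUserName`, `Workstation`, `SubjectUserName`) are assumptions to check against the XML view of one of your own 4797 events, and the fallback sample records are constructed.

```powershell
# Added example: tally Event ID 4797 by queried account, caller workstation and caller.
# ASSUMPTION: the EventData field names below; verify on one event's Details > XML View.
function Get-4797Summary {
    param([string[]]$EventXml, [string]$CurrentAdminName)
    $rows = foreach ($x in $EventXml) {
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        [pscustomobject]@{
            Target      = $d['TargetUserName']
            Workstation = $d['Workstation']
            Caller      = $d['SubjectUserName']
        }
    }
    $rows | Group-Object Target, Workstation, Caller | ForEach-Object {
        $g = $_.Group[0]
        [pscustomobject]@{
            Count              = $_.Count
            Target             = $g.Target
            Workstation        = $g.Workstation
            Caller             = $g.Caller
            IsCurrentAdminName = ($g.Target -eq $CurrentAdminName)
        }
    } | Sort-Object Count -Descending
}

# Current name of the built-in administrator (RID 500), whatever it has been renamed to.
$admin = (Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
          Where-Object { $_.SID -like 'S-1-5-21-*-500' }).Name

# Live events; reading the Security log needs an elevated prompt.
$xml = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4797 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() })

if ($xml.Count -eq 0) {
    # CONSTRUCTED sample records (not real log data), used when no live events are readable.
    $admin = 'AdminTest'
    $tpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
           "<Data Name='SubjectUserName'>{0}</Data><Data Name='Workstation'>{1}</Data>" +
           "<Data Name='TargetUserName'>{2}</Data></EventData></Event>"
    $xml = ($tpl -f 'alice', 'PC-EXAMPLE', 'AdminTest'),
           ($tpl -f 'alice', 'PC-EXAMPLE', 'AdminTest'),
           ($tpl -f 'alice', 'PC-EXAMPLE', 'Administrator')
}

Get-4797Summary -EventXml $xml -CurrentAdminName $admin | Format-Table -AutoSize
```

Rows where `IsCurrentAdminName` is False are queries for an account name other than the built-in administrator's current one, which is the case the rename test in the post is meant to surface.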

  5. #55

    Posts : 275
    Windows 8.1 64 bit

    Is there a solution to this long-standing issue which appears to be a 'feature' of Windows 8? I checked both my PCs running Windows 8.1 x64 and both have the same frequent reports of Event ID 4797.

    Is there a way of just disabling the checking of the existence of a blank password to prevent these events filling up the log file?
