Event ID 4797


vram
#1
I get these from time to time:

Event ID 4797

An attempt was made to query the existence of a blank password for an account.

Subject:
Security ID: XXXXXXX\XX
Account Name: XX
Account Domain: XXXXXXX
Logon ID: 0x53656

Additional Information:
Caller Workstation: XXXXXXX
Target Account Name: Guest
I run Kaspersky AV 2013, UAC set to always alert, user account is password protected, and built-in Admin/Guest accounts are disabled by default. Does anyone else get these? The description makes me a tad uneasy. Both KAV and MBAM say my system is clean. No odd behavior witnessed from the machine. I have the following programs installed:

Adobe Flash 11
Adobe Reader XI
Firefox 18.01
VMWARE Player
Paint.NET 3.5.10
Office 2007
Power Archiver 2012
Malwarebytes
KAV 2013
Microsoft Visual C++ 2008 x86/x64
Imgburn
Syncback SE
 

DrHaze
#2
I get them on two Windows 8 Pro x64 machines as well...

Sometimes after I reboot.
But other times a day may go by then suddenly it questions the administrator, guest and the two other accounts on the PC with the message in the security event viewer log.
An attempt was made to query the existence of a blank password for an account.
You are the first person I have found so far that has the identical problem.
I have Avast Antivirus and Comodo Firewall 6.0 build 2674 on both PCs.
I do not have any VMPLAYER or VMWARE anything installed.
I am uneasy as well. I want an answer to this. But no one seems to have the answer.

I get Logon ID: 0x481F8E

I do not have VMPLAYER installed, I have zero VM software installed.. But Comodo has their new Virtual Kiosk Virtual Environment. Maybe there is a link to a component they are using but I don't know. No one in the Comodo forums has this problem so I don't think it's their Virtual Kiosk.
 

vram
#3
> Sometimes after I reboot.
> But other times a day may go by then suddenly it questions the administrator, guest and the two other accounts on the PC with the message in the security event viewer log.
> An attempt was made to query the existence of a blank password for an account.
> You are the first person I have found so far that has the identical problem.
> I have Avast Antivirus and Comodo Firewall 6.0 build 2674 on both PCs

I'm going to uninstall VMWARE and see if they disappear. Do you have Visual C++ 2008 Redist installed? I ask because VMWARE installs that as well.
 

DrHaze
#4
Yes C++ 2008 Look at attached Screenshot

Yes I have a variety of Visual C++ installed, see attached screenshot. It doesn't sound like Vmware. This problem must just be starting to happen and we are the first. Or maybe one of the C++? I can't see how that would do it. It's been going on for a week if I were to guess, maybe a little longer..
 

vram
#5
Hmmm.....I'm wondering if that's what it actually is, seeing as that is the only commonality we both share other than the OS.
 

DrHaze
#6
Did you mark this thread as solved? I don't think it's solved by a long shot. I am Windows 8 Pro x64, are you Pro x64 too?
 

vram
#7
> Did you mark this thread as solved? I don't think it's solved by a long shot. I am Windows 8 Pro x64, are you Pro x64 too?

After your post, I changed it back to unsolved pending further investigation.

Yes, I'm also running 64-bit Win8 Pro. I've uninstalled VMWARE, keeping the Visual C++ 2008 Redist. Going to monitor for a bit and see if the Event pops back up.
 

DrHaze
#8
Great. Maybe someone will reply to us in these forums. There are no real hits in Google on this. You would figure a Microsoft knowledge base article would pop up but not a one yet. That's three PCs: one Intel Core 2 Quad, one AMD Phenom x4, and your PC.
So monitor your system after vmware is removed, and let me know what happens. I believe something new is happening. I sure hope not. All 3 are running Windows 8 x64 Pro. Both of mine are upgrades from Windows 7 x64. I am assuming you are a clean install or is yours a Win 8 Pro x64 Upgrade as well? Yeah I have Avast Antivirus, Comodo 6 Firewall, and a hardware Firewall as well. I too periodically image my system to another hard drive with Acronis True Image Home. My Windows firewall service is disabled and my Windows Defender service is disabled. After I started seeing this in the event viewer I enabled group policy to audit logins. Check this link out: How To See Who Logged Into a Computer and When - How-To Geek
 

vram
#9
> Great. Maybe someone will reply to us in these forums. There are no real hits in Google on this. You would figure a Microsoft knowledge base article would pop up but not a one yet. That's three PCs: one Intel Core 2 Quad, one AMD Phenom x4, and your PC.
> So monitor your system after vmware is removed, and let me know what happens. I believe something new is happening. I sure hope not. All 3 are running Windows 8 x64 Pro. Both of mine are upgrades from Windows 7 x64. I am assuming you are a clean install or is yours a Win 8 Pro x64 Upgrade as well?

Mine was an upgrade, but I didn't keep anything other than my files, so it's essentially a clean install. This system was also re-imaged the other day and I didn't start browsing the net till all updates were applied and KAV 2013 was installed. My system is also behind a hardware firewall in addition to the built-in Windows firewall.


No more 4797 IDs as of yet...


Thanks for the link. I enabled logging as well :)
 

DrHaze
#10
I just saw all of my accounts get questioned again with the 4797 ID. I have not rebooted. Maybe you will get lucky. I will not.

I looked on my AMD PC and it has not happened in a few days. I thoroughly went through the startup process and apparently I unchecked something the other day. I was using Comodo Autorun Analyzer. I did however see that this started on 11/20/2012 in the event viewer on the AMD, which is the day I upgraded the AMD from Windows 7 to Windows 8. So far I am only seeing it on the Intel Core 2 Quad happening now.
 

vram
#12
I bookmarked those links, thanks. I'm not convinced this is malware or some sort of attack. The event log message is certainly troubling and if it's a legit function of the OS, they could've worded it better, that's for sure.

I got some more 4797's this morning, btw. They referenced my Administrator, Guest, Homegroup and personal user accounts.
 

DrHaze
#13
Well my AMD started again. 21 times in a row last night hammering my accounts. I don't think it's built into the OS as a security feature.
 

vram
#14
> Well my AMD started again. 21 times in a row last night hammering my accounts. I don't think it's built into the OS as a security feature.

I'm tempted to enable my guest account and leave the password blank to see what happens. During the times of these events, are you getting any prompts from your firewall about suspicious inbound/outbound connections? Some thoughts: Why would malware continuously scan for blank passwords once it determines none exist, and why are there no log entries indicating failed login attempts if whatever this is is truly attempting to gain access into your PC? Maybe we can use Sysinternals Process Monitor to log what's happening? I used it yesterday to record system activity while troubleshooting a software error @ work.

Process Monitor
 

vram
#16
No alerts from my firewall. I am familiar with Process Monitor
I've completely disconnected this PC from the network/internet to see if the log entries continue. If they continue, then at least I know for sure the queries aren't originating from the internet somehow.

Been updating/running MBAM a couple of times per day and it, along with KAV, continues to come up clean.
 

DrHaze
#17
I unplugged the ethernet and cleaned the event logs bare. I shut down the PC (powered off).
Turned on PC, after boot got 4797 on all accounts. Sounds like an infection..Hmmm..
Have you contacted Kaspersky on this? As they seem to find new infections/malware it would be interesting to hear their opinion.
 

vram
#18
> I unplugged the ethernet and cleaned the event logs bare. I shut down the PC (powered off).
> Turned on PC, after boot got 4797 on all accounts. Sounds like an infection..Hmmm..
> Have you contacted Kaspersky on this? As they seem to find new infections/malware it would be interesting to hear their opinion.

I left my PC for over an hour disconnected from the network and the only logon/logoff events logged were me unlocking the PC when I came back. I reconnected it and I immediately got 4797 on admin, guest, homegroup and my account. I'll email Kaspersky later tonight if I have time.
 

vram
#19
Posted problem over in KAV forums:

Hopefully, they can help.
 

WiFi Ed
#20
I checked my logs and see the same error message on both my desktop and notebook. 61 events in the last hour, hundreds in the last week. They're showing up under the "Audit Success" event type. The "Target Account Name" on both machines is "HomeGroupUser$". Both machines are part of my HomeGroup. Both machines show no infections after scanning with both NOD32 & Malwarebytes.
 

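An added PowerShell example, not posted by anyone in this thread, for triaging the 4797 events discussed above: it groups them by the querying Subject, Logon ID and Caller Workstation, lists which target accounts each session asked about, and looks up how that logon session was created from event 4624. The field names used (SubjectUserName, SubjectDomainName, SubjectLogonId, Workstation, TargetUserName for 4797; TargetLogonId, LogonType, ProcessName for 4624) are the names these events carry in the Security log's event XML; the seven-day window is an assumption.

```powershell
# Added example, not from the thread. Run elevated: reading the Security log needs admin rights.
function Get-EventField {
    param($Record)
    # Flatten <EventData><Data Name="..."> into a name -> value hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$log = @{ LogName = 'Security'; StartTime = (Get-Date).AddDays(-7) }  # assumed look-back window

# Logon sessions created inside the window: LogonId -> how the session was made.
$sessions = @{}
Get-WinEvent -FilterHashtable ($log + @{ Id = 4624 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventField $_
        $sessions[[string]$f.TargetLogonId] = 'type {0} via {1}' -f $f.LogonType, $f.ProcessName
    }

# The fields the 4797 message shows: Subject, Logon ID, Caller Workstation, Target Account Name.
$queries = Get-WinEvent -FilterHashtable ($log + @{ Id = 4797 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventField $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = '{0}\{1}' -f $f.SubjectDomainName, $f.SubjectUserName
            LogonId = [string]$f.SubjectLogonId
            Caller  = $f.Workstation
            Target  = $f.TargetUserName
        }
    }

# One row per querying session: volume, time span and the accounts it asked about.
$queries | Group-Object Subject, LogonId, Caller | ForEach-Object {
    $first = $_.Group[0]
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Subject = $first.Subject
        Caller  = $first.Caller
        Session = if ($sessions.ContainsKey($first.LogonId)) { $sessions[$first.LogonId] } else { 'logon predates window' }
        Count   = $_.Count
        First   = $times[0]
        Last    = $times[-1]
        Targets = ($_.Group.Target | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

The Subject and Caller columns show whether the queries come from a local logon session on the same machine, and the First/Last span against Count shows the bursts the posters describe (for example "21 times in a row").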