Event ID 4797

[vram]

Yea is this a new feature that even Microsoft won't comment on in their own forums...
61 times..hundreds in weeks? My moms windows 8 home is even doing it. It's definitely solely related to windows 8 that i can see any Windows 7 users out there with 4797's??????????
I checked Dad's Windows 7 Home Premium. Not a single 4797 in it.

I have a Win 7 Home Prem laptop and no 4797's either. It appears to be Win 8 specific.

 

[DrHaze]

https://forums.comodo.com/general-s...-out-the-windows-84797-event-id-t91407.0.html

 

[NKF]

I have a brand new laptop (10 days old) with this issue. The laptop is running like a dog which is what prompted me to start looking through the logs in the first place. Apps are constantly being reported as "not responding". The only software I have installed so far is Mozilla Thunderbird email client and Chrome browser. I am going to have to uninstall Chrome as it is completely unusable now despite being fine for the first few days. This error started 4 days ago which is when I first noticed these performance errors. Unlikely to be a coincidence I would say. I am running Norton Internet Security.

 

[DrHaze]

What brand of laptop have you paid for that Norton security yet?

 

[NKF]

What brand of laptop have you paid for that Norton security yet?

This is a Samsung NP350VC. Since yesterday's post I have realised the issue has been going on since the day I got it - must have had the logs filtered yesterday. Norton is still on the 60 day trial. Really disappointed with this laptop so far. My work laptop (Win 7) has a lower spec cpu and less RAM but runs rings around this thing.

 

[DrHaze]

Everyone Check Windows 8 Event Viewer/Security Look For ID 4797/Blank PW? « How-To Geek Forums

posted in how to geek forums.

 

[DrHaze]

What brand of laptop have you paid for that Norton security yet?

This is a Samsung NP350VC. Since yesterday's post I have realised the issue has been going on since the day I got it - must have had the logs filtered yesterday. Norton is still on the 60 day trial. Really disappointed with this laptop so far. My work laptop (Win 7) has a lower spec cpu and less RAM but runs rings around this thing.

I would uninstall everything that is not needed. and go with www.avast.com antivirus. not Symantec. Avast Is Free.
Alot of times there is Excessive software (Known As Bloatware) installed on new name brand name retail laptops/pc's that make run very slow/crawl.

 

[xolos9]

Hey guys I have been having the same problems with this stupid 4797 event. It was happening all the frikkin time. I played with some Local Policy Settings in the group policy editor and now these events only occur during logon (Which I think they are supposed to any way based on the policy).

Local Computer Policy -> Windows Settings --> Account Policies --> Password Policy --> Minimum Password Length - default "0"
(I switched this to 5, anything but 0)


Local Computer Policy -> Windows Settings --> Account Policies --> Local Policies --> Security Options -> Accounts: Limit Local Use of Blank Passwords to console logon only - Default - "Enabled"
(I switched this to disabled)

for what ever reason the security events have stopped, I only see them during logon and that is it. not every minute for days...

I hope this helps, maybe its just a buggy policy that Microsoft needs to address, I dont know

 

[xolos9]

Hey guys I have been having the same problems with this stupid 4797 event. It was happening all the frikkin time. I played with some Local Policy Settings in the group policy editor and now these events only occur during logon (Which I think they are supposed to any way based on the policy).

Local Computer Policy -> Windows Settings --> Account Policies --> Password Policy --> Minimum Password Length - default "0"
(I switched this to 5, anything but 0)


Local Computer Policy -> Windows Settings --> Account Policies --> Local Policies --> Security Options -> Accounts: Limit Local Use of Blank Passwords to console logon only - Default - "Enabled"
(I switched this to disabled)

for what ever reason the security events have stopped, I only see them during logon and that is it. not every minute for days...

I hope this helps, maybe its just a buggy policy that Microsoft needs to address, I dont know

Ok so It started happening again, though it hadn't all day after I changed the settings in the local policies. but I just watched Netflix and surfed the web. This told me it was just a coincidence. So I decided to try and hunt down what was prompting it.

With a clean desktop in the event viewer open I would do things and see if the 4797 showed up.

I found this.

Anytime i opened a new instance of the file explorer the 4797 logged. Just browsing the files system did not prompt any new 4797 logs until I closed the explorer and opened a fresh instance.

I opened up Word and as soon as it needed to access the file system either to save or retrieve a file the 4797 logged.


Why the hell does Windows 8 run this audit check when accessing the files? I'm done ****ing with it for now. Hopefully Microsoft will address this at some point. At least I can pretty much say it doesn't appear to be malicious or external. Its Windows being a dumb ass. Or there's a genius reason for it and I just don't get it..

 

[arachnaut]

I have noticed that this is related to doing a refresh in Windows File Explorer.

Try this:

Load Nirsoft 'MyEventViewer' to monitor the events.

Open File Explorer.

Right click and select Refresh.

Every time I do this I immediately see two events:

1) An attempt was made to query the existence of a blank password for an account.

Subject:
Security ID: xxxxxxxxxxxxxxxxxxx
Account Name: Jim
Account Domain: Morbius
Logon ID: xxxxxxxxxxxx


Additional Information:
Caller Workstation: MORBIUS
Target Account Name: Administrator
Target Account Domain: Morbius

2) An attempt was made to query the existence of a blank password for an account.

Subject:
Security ID: xxxxxxxxxxxxxxxxxxx
Account Name: Jim
Account Domain: Morbius
Logon ID: xxxxxxxxxxxxxx


Additional Information:
Caller Workstation: MORBIUS
Target Account Name: Guest
Target Account Domain: Morbius

 

[sean6027]

Bit of an old post I know but did anyone get to the bottom of this ? No word from Microsoft , well not that I can find anyway.

 

[kendalltr]

I was having this same problem. Computer waking up about 20 seconds after being instructed to sleep. Very high number of 4797's in the Event Viewer. I tried disallowing my mouse to wake the computer. The problem seems to have gone away. The funny thing is that clicking the mouse still wakes the computer, but now it actually stays asleep. Now I am only seeing 4797 events corresponding to actual keystrokes or mouse clicks used to wake the machine.

 

[okcnaline]

You r stuck in Audit mode.

I reinstalled my operating system just today, and it did not require me to accept the terms. That's the first sign of Audit Mode (explaining what Audit mode is after). So I went to Event Logs and saw the EXACT error. So I went to sysprep and made it generalize and enter OOBE (Out of box experience, when u buy a new computer. But then, IT MAKES EXACT ERROR!!!
Audit mode is so that the manufacturer can SECRETLY and UNTRACEABLY install stuff. It's been around from XP, 12 years ago, with Sysprep.

So now the problem lies with Windows. The Event ID 4797, or (An attempt was made to query the existence of a blank password for an account.)is part of the symptoms for being Stuck In Audit Mode.

So, to solve this, figure out how to turn Audit Mode off.

My computer is a NP300E5C-A07US, the Thanksgiving Best Buy Combo Model.

 

[AlbusDumbledore]

Strategy

Okay, it sounds like we want to know if the originating software (for the Event 4797) is local to the machine (and a Microsoft-related activity) or is not local to the machine and therefore probably a hacker.

Try this:
1) First, go into Computer Management -> Local Users and Groups and review your existing users. Note whether or not Administrator, Guest and HomeGroupUser$ are disabled or not. You might also note whether or not the default users are renamed or not.
2) Also, go into Event Viewer -> Event Viewer (Local) -> Windows Logs -> Security -> (go to one of the Event 4797 log events) -> look at Additional Information, Target Account Name and verify that it's "Administrator"
3) Local Group Policy Editor -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Rename administrator account = Administrator

You might try renaming the Administrator account to AdminTest, rebooting your computer and waiting maybe ten minutes.

In theory, if the culprit is something like Microsoft Security Essentials (Windows Defender) or whatever audits the group/local policies then it will know that the administrator account has been changed and it should now create audit events for 4797 which mention AdminTest in the Additional Information area of the Event Log detail.

If the culprit is external to your system then in theory it would have no means of knowing that you'd changed the admin's name and would continue to query "Administrator". This then might be a good litmus test for determining if the originating software is local or remote. If the culprit is local then you might also infer that it's either Microsoft or non-Microsoft based upon this knowledge. (You can of course rename your admin user when you're finished with this test.)

Good luck,
Albus

 

[Steve C]

Is there a solution to this long standing issue which appears to be a 'feature' of Windows 8? I checked both my PCs running Windows 8.1 x64 and both have the same frequent reports of Event ID4797.

Is there a way of just disabling the checking of the existence of a blank password to prevent these events filling up the log file?