Topic: Windows Event Viewer Event ID 4797. All Windows 8 Only Ask For Blank Pw?

DrHaze

  • Guest
I am getting lots and lots of these on all of my accounts. ::)
And I am not alone. Is this an infection? No one seems to know the answer. Look at these discussions.

www.eightforums.com/system-security/18843-event-id-4797-a.html

http://social.technet.microsoft.com/Forums/en-CA/w8itprosecurity/thread/e6db8fba-c2c8-47be-a992-96e383e34693

www.neowin.net/forum/topic/1133164-win8-event-id-4797/page__hl__4797__fromsearch__1

http://forum.kaspersky.com/index.php?showtopic=254992



An attempt was made to query the existence of a blank password for an account.

Subject:
   Security ID:      QUADCORE\Crusader
   Account Name:      Crusader
   Account Domain:      QUADCORE
   Logon ID:      0x29D07

Additional Information:
   Caller Workstation:   QUADCORE
   Target Account Name:   DrHaze
   Target Account Domain:   QUADCORE

An attempt was made to query the existence of a blank password for an account.

Subject:
   Security ID:      QUADCORE\Crusader
   Account Name:      Crusader
   Account Domain:      QUADCORE
   Logon ID:      0x29D07

Additional Information:
   Caller Workstation:   QUADCORE
   Target Account Name:   Guest
   Target Account Domain:   QUADCORE
« Last Edit: February 05, 2013, 03:03:29 PM by DrHaze »
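
Added example (not part of the original thread, and not Microsoft's or Avast's code): a small triage helper that parses 4797 records pasted in the layout shown in the post above and tallies, per caller and logon session, which accounts were queried and whether the caller workstation matches the target machine. The third sample record (OTHERPC, svc_scan) is constructed, and the workstation comparison assumes local accounts on a standalone PC.

```python
import re
from collections import Counter

HEADER = "An attempt was made to query the existence of a blank password for an account."
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$")
# Record layout as pasted in the post; used only to build constructed sample input.
TEMPLATE = HEADER + r"""
Subject:
   Security ID:      {dom}\{user}
   Account Name:      {user}
   Account Domain:      {dom}
   Logon ID:      {logon}
Additional Information:
   Caller Workstation:   {wks}
   Target Account Name:   {target}
   Target Account Domain:   {tdom}
"""
# First two rows are the post's records; the third (OTHERPC, svc_scan) is invented.
ROWS = [("QUADCORE", "Crusader", "0x29D07", "QUADCORE", "DrHaze", "QUADCORE"),
        ("QUADCORE", "Crusader", "0x29D07", "QUADCORE", "Guest", "QUADCORE"),
        ("OTHERPC", "svc_scan", "0x51A2C", "OTHERPC", "Guest", "QUADCORE")]
SAMPLE = "".join(TEMPLATE.format(dom=d, user=u, logon=l, wks=w, target=t, tdom=td)
                 for d, u, l, w, t, td in ROWS)

def parse_4797(text):
    """Split pasted Event Viewer text into one dict of fields per 4797 record."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        rec = {m.group(1): m.group(2) for m in map(FIELD.match, chunk.splitlines()) if m}
        if "Target Account Name" in rec:  # skip truncated pastes
            events.append(rec)
    return events

def summarize(events):
    """Per (caller SID, logon session): query count, targets, off-host queries."""
    out = {}
    for e in events:
        key = (e.get("Security ID", "?"), e.get("Logon ID", "?"))
        s = out.setdefault(key, {"count": 0, "targets": Counter(), "off_host": 0})
        s["count"] += 1
        s["targets"][e["Target Account Name"]] += 1
        # Assumption: for local accounts the target domain is the machine name, so a
        # different caller workstation means the query did not originate on that machine.
        if e.get("Caller Workstation", "").upper() != e.get("Target Account Domain", "").upper():
            s["off_host"] += 1
    return out

if __name__ == "__main__":
    for key, s in summarize(parse_4797(SAMPLE)).items():
        print(key, s["count"], dict(s["targets"]), "off-host:", s["off_host"])
```

For the two records in the post, the caller is a local user in one logon session on the same machine as the target accounts.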

DrHaze

  • Guest
Re: Windows Event Viewer Event ID 4797 In Security Section. No One can answer.
« Reply #1 on: February 02, 2013, 05:09:58 PM »
Has anyone seen this?? Go to Control Panel, administrative options, Event Viewer. Then look under Windows / Security.

deecab

  • Guest
Re: Windows Event Viewer Event ID 4797.All Windows 8 Only Ask For Blank Pw?
« Reply #2 on: February 20, 2013, 05:06:46 AM »
Hey Dr Haze

Have you been able to figure this out?  I have been getting this a lot.  I'm on a new machine, it's the Microsoft Surface Pro so it's only 2 weeks old.  Checking the event log, this has been happening since I got the machine.  It seems to happen quite often. 

xenon2000

  • Guest
Re: Windows Event Viewer Event ID 4797.All Windows 8 Only Ask For Blank Pw?
« Reply #3 on: February 21, 2013, 07:44:54 PM »
I too have this. But I am not yet sure it's related to Avast. Since I had Avast when I upgraded from Windows 7 to Windows 8. My event viewer didn't have this before 2/15/2013 when I did the upgrade. But I hear this is a new event ID specifically for Windows 8. So that makes sense. Also, I did fully remove and reinstall Avast on 2/15/2013 when I did the upgrade.

I get these events randomly in bursts since Windows 8. I also have the issue where Network Shield does not work. And when it does/did work, it was causing massive slowdowns in all web browsers and often would cause me to lose the ability to browse the internet at all. Yet LAN shares would continue to work. But I will post that in another thread.

Still, I am not convinced yet that the 4797 is because of Avast. I have another Win8 system with Avast to check on. And that system I can try removing Avast to see if it makes a difference.

xenon2000

  • Guest
Well, now I am on Avast 8.0.1482 on my main system. And the Network Shield works again. Going to see if the Event ID 4797 keeps happening. I also want to see if this event happens on my other Windows 8 system, and if it does, remove Avast from that system to see if it has any effect. I don't think it will.

REDACTED

  • Guest
Yes, I have seen this one as well as a few other events. See below...
============================================================================
- System
  - Provider
     [ Name]  ATIeRecord
  - EventID 16388
     [ Qualifiers]  49152
    Level 2
    Task 16
    Keywords 0x80000000000000
  - TimeCreated
     [ SystemTime]  2013-03-03T03:17:41.000000000Z
    EventRecordID 329446
    Channel Application
    Computer BlazeXPS
    Security
- EventData
============================================================================
 
 Detail 17 user registry handles leaked from \Registry\User\S-1-5-21-3696759819-2108805933-2292163332-1001:
 Process 1044 (\Device\HarddiskVolume5\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\SystemCertificates\TrustedPeople
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\SystemCertificates\Disallowed
 Process 1200 (\Device\HarddiskVolume5\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Policies\Microsoft\SystemCertificates
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Policies\Microsoft\SystemCertificates
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Policies\Microsoft\SystemCertificates
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Policies\Microsoft\SystemCertificates
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\SystemCertificates\Root
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\SystemCertificates\trust
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
 Process 844 (\Device\HarddiskVolume5\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\SystemCertificates\CA
 Process 1044 (\Device\HarddiskVolume5\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3696759819-2108805933-2292163332-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

============================================================================

- System
  - Provider
     [ Name]  ESENT
  - EventID 507
     [ Qualifiers]  0
    Level 3
    Task 7
    Keywords 0x80000000000000
  - TimeCreated
     [ SystemTime]  2013-03-03T02:53:41.000000000Z
    EventRecordID 329298
    Channel Application
    Computer BlazeXPS
    Security
- EventData
============================================================================

   LiveComm
   4196
   C:\Users\Jeremy\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\50b184a9b07c48cd\120712-0049\: 
   C:\Users\Jeremy\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\50b184a9b07c48cd\120712-0049\DBStore\livecomm.edb
   1409024 (0x0000000000158000)
   8192 (0x00002000)
   15

REDACTED

  • Guest
Funny thing... sass.exe on a websearch says it's a trojan from like 5 years ago. If that is the case then why didn't Avast catch it? I'm guessing it's not a Funsta trojan...

REDACTED

  • Guest
By the way, I fixed my ATIerecord issue. I downloaded the latest drivers from AMD. Uninstalled Catalyst from the Control Panel - Programs and then uninstalled the driver under Display Adapters in the Control Panel - Device Manager. Rebooted and reinstalled fresh drivers (via the Catalyst all-in-one... I actually set mine to WinXP Service Pack 3 compatibility) and the ATIerecord stopped calling errors every 15 seconds. Haven't seen any since doing this.

xenon2000

  • Guest
I have Nvidia cards in the systems with my 4797 events. Glad you found a fix for your issue, but it sounds like it's not the same issue.  Also, I didn't see you mention if you have Windows 8 or not. If you are not running Windows 8, then you certainly did not have the same issue as Event ID 4797 "An attempt was made to query the existence of a blank password for an account." is new and unique to Windows 8 and is not in Windows 7 and lower. (not speaking of Server OSes).

I also get Events 4624 4634 4672.

I have uninstalled Avast from another Windows 8 PC last night. So far I don't have the 4797 events. But those were an on-and-off-again event. So I will wait longer. But I am still getting the 4624, 4634, and 4672 events.

As for the systems I upgraded to Avast 8, my Windows 8 system with Avast 8 still had the 4797 event. So overall I am still not convinced it's related to Avast.

DrHaze

  • Guest
I have never figured it out. I have seen it on every copy of Windows 8. So even on Surface now, huh?
Micro$oft won't answer the question in their own forums.
Google it and you will see I have been trying.
It's not related to Avast.

xenon2000

  • Guest
Re: Windows Event Viewer Event ID 4797.All Windows 8 Only Ask For Blank Pw?
« Reply #10 on: March 03, 2013, 11:21:19 PM »
I agree. I still haven't seen anything that implies it's Avast. I only started posting here since the question was asked by the OP. On my test system I removed Avast and the 4797 still occurs. I am going to check out other forums now about this.