Windows Security Log Event ID 4797

Operating Systems Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Account Management
 • User Account Management
Type Success
Corresponding events
in Windows 2003
and before		  

4797: An attempt was made to query the existence of a blank password for an account

On this page

There is a lot of confusion about this event and no good explanation. If you see this event for many different target account names I would investigate. Or if you see this event on many different systems where caller workstation name is the same. Otherwise ignore.

More: This event is worthless. I just set up a new Windows 10 VM, installed one very safe piece of software on it, and logged on as a non-admin user. After logon, that user, according to the security log, queried the existence of a blank password for every local account on the system. I'm certain the system is clean of malware. If this event at least included the process that made the request we'd have a chance of tracking down what is causing it but all you get is the target account and who did it.

Free Security Log Resources by Randy

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4797

An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Additional Information:
    Caller Workstation:    %5
    Target Account Name:   %6
    Target Account Domain: %7

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 4797
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources

    Go To Event ID:

    Security Log
    Quick Reference
    Chart
    Download now!