Kathy Ingwerson
asked on
Crazy number of rapid-fire 4797 inquiries in Security Auditing Logs Bad News?
Getting hundreds of 4797 password inquiries showing in my Windows 8.1 Event Logs>Windows>Security>Auditing. There are, for example, 37 within 2 minutes last Friday.
My computer name is CheekyXMonkey. I am not aware of anything I did to generate a password inquiry. HP Computer (2014), AMD processor (specs ? ), 16 gigs of DDRAM, 500 gig hard drive (15% used), Firefox 52.4 (downgraded from FF v. 57 due to dislike). Passport one terabyte external backup drive.
Is someone trying to hack my computer? I recently had a close call with a fake internet movie website that turned out to be an international scam. (Yes, I'm horrified! Thought I was too smart for that to happen! And, no, it wasn't porn! LOL) I was able to realize it was too questionable before entering any info, but a lot of odd things have happened on my computer since! I am the only one who uses this home computer.
TIA for any help and info you can give me!
Kathy Wardlow Ingwerson, Outer Banks, NC USA
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 03/02/2018 4:19:12 PM
Event ID: 4797
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: CheekyXMonkey
Description:
An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Additional Information:
Caller Workstation: CHEEKYXMONKEY
Target Account Name: Guest
Target Account Domain: CHEEKYXMONKEY
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4797</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-03-02T21:19:12.131447400Z" />
<EventRecordID>241726</EventRecordID>
<Correlation />
<Execution ProcessID="792" ThreadID="844" />
<Channel>Security</Channel>
<Computer>CheekyXMonkey</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-19</Data>
<Data Name="SubjectUserName">LOCAL SERVICE</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e5</Data>
<Data Name="Workstation">CHEEKYXMONKEY</Data>
<Data Name="TargetUserName">Guest</Data>
<Data Name="TargetDomainName">CHEEKYXMONKEY</Data>
</EventData>
</Event>
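The event above records who made the query (Subject), from where (Caller Workstation) and about which account (Target). As an added example that is not part of the original thread, this Python sketch parses Event XML of that shape and reports, per subject/workstation/target combination, the total count and the busiest two-minute window, the kind of tally behind "37 within 2 minutes". The sample records are constructed, and the `Administrator` target is made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(system_time, target="Guest"):
    """Constructed sample record shaped like the 4797 event in the post."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4797</EventID>"
        f'<TimeCreated SystemTime="{system_time}" /></System><EventData>'
        '<Data Name="SubjectUserSid">S-1-5-19</Data>'
        '<Data Name="Workstation">CHEEKYXMONKEY</Data>'
        f'<Data Name="TargetUserName">{target}</Data>'
        "</EventData></Event>"
    )

def parse_4797(xml_text):
    """Return (time, subject SID, workstation, target), or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4797":
        return None
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries 9 fractional digits; whole seconds are enough here.
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return when, data["SubjectUserSid"], data["Workstation"], data["TargetUserName"]

def summarize(records, window=timedelta(minutes=2)):
    """Per (subject, workstation, target): total events and peak count in `window`."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_4797, records)):
        times[rec[1:]].append(rec[0])
    out = {}
    for key, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        out[key] = {"total": len(ts), "peak": peak}
    return out

# Constructed sample: four Guest queries within 28 seconds, one later query.
SAMPLE = [make_event(f"2018-03-02T21:19:{s:02d}.131447400Z") for s in (12, 13, 15, 40)]
SAMPLE += [make_event("2018-03-02T21:30:00.000000000Z", target="Administrator")]
```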
ASKER
Naveen, you inadvertently got me the answer I needed, via some info on the last link you posted, so thank you for that. I have to say I had a difficult time understanding what you were saying due to your broken English. I have no problem with broken English except when I can't understand what you mean or are saying. The problem was not due to an app or service making the inquiries, as in my post I showed you the logs which identified who was making the inquiries (it is coded but not an app or service). And it was not my security software either. Same reason. "Also keep system is up to date"? What? What are you talking about?
Thank you for your inadvertent help.
ASKER
The info at the last link on this page has a response from Microsoft about the inquiries which resolves the question.
Well, it sure looks like mischief afoot to me.