By taking advantage of Event Viewer, Windows users can keep an eye on operations on their PC and resolve issues with relative ease. However, it’s worth pointing out that some entries in Event Viewer require more than basic knowledge to decipher. One prime example is Event ID 4797: “An attempt was made to query the existence of a blank password”. If you keep seeing that entry when you open Event Viewer and don’t know why, this article is for you.
What Is Going On
To put it plainly, the Event ID 4797 entry only appears if users have enabled the security audit feature on their PC. The entry is a normal, routine product of the Windows security audit system. Many people assume the entry indicates a threat, such as an attack from a malicious program, but that isn’t the case. Usually, user account management generates audit events every time users conduct management tasks.
Users would be puzzled if they saw a password box at login even though they don’t have a password. Thus, the security audit feature periodically checks whether users have set blank passwords. By doing so, it ensures that users won’t see a password box when they don’t have a password. That eliminates the possibility of the system asking users for passwords that don’t exist.
How To Remove The Entry
Is the Event ID 4797 entry, “An attempt was made to query the existence of a blank password”, bothering you? If you don’t want to see that entry, feel free to get rid of it.
First, create a backup of the audit policies. That makes it easy to restore the policies if you need them again. To create the backup, open Command Prompt with administrator privileges, then run the command: auditpol /backup /file:%userprofile%\Desktop\auditpol.bak. Assuming that things proceed smoothly, you should see the backup on the desktop.
Now, clear all audit policies by running the command auditpol /clear in Command Prompt (Admin). The process takes a couple of seconds; once it completes, restart your PC. When the screen comes back on, continue using your computer as usual. Of course, you may want to open Event Viewer from time to time and see if Event ID 4797 still shows up among the entries.
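The backup-then-clear procedure above, wrapped as an elevated PowerShell script that refuses to clear without a usable backup and lists what will stop logging. This is an added example, not part of the original article: the function names are hypothetical, and the filter on "No Auditing" assumes auditpol reports in English.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Function names are hypothetical.
# Default path matches the article's %userprofile%\Desktop\auditpol.bak.
$DefaultBackup = Join-Path $env:USERPROFILE 'Desktop\auditpol.bak'

function Backup-AuditPolicy {
    param([string]$Path = $DefaultBackup)
    auditpol /backup "/file:$Path" | Out-Null
    # Stop here if auditpol failed or left a missing or empty file.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Path) -or
        (Get-Item $Path).Length -eq 0) {
        throw "Backup failed; no usable file at $Path"
    }
    return $Path
}

function Get-EnabledAuditSubcategory {
    # /r prints the effective policy as CSV; drop blank lines, then keep
    # only subcategories that currently log Success and/or Failure.
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Clear-AuditPolicyWithBackup {
    param([string]$Path = $DefaultBackup)
    $backup  = Backup-AuditPolicy -Path $Path
    $enabled = @(Get-EnabledAuditSubcategory)
    Write-Host "auditpol /clear will stop logging for $($enabled.Count) subcategories:"
    $enabled | Format-Table -AutoSize | Out-String | Write-Host
    auditpol /clear /y | Out-Null      # /y suppresses the confirmation prompt
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /clear failed' }
    Write-Host "Cleared. To undo, run: Restore-AuditPolicy -Path '$backup'"
}

function Restore-AuditPolicy {
    param([string]$Path = $DefaultBackup)
    if (-not (Test-Path $Path)) { throw "No backup found at $Path" }
    auditpol /restore "/file:$Path"
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /restore failed' }
}
```

Dot-source the script in an elevated session, then call Clear-AuditPolicyWithBackup; Restore-AuditPolicy puts the saved policy back.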
The Importance Of Security Audit: Summary
Generally speaking, the security audit features facilitate the management of an organization’s data. If you plan to disable the security audit, check out the considerations below:
- Forensic analysis. If the system experiences problems, the security audit logs will help determine the cause. People can use the logs to determine changes that could have caused the problem as well as which user applied them.
- Regulatory compliance. There is a limit to the things that users can do on servers, but the management is not always around to check up on everyone. By making use of security audit logs, the management should have an easy time controlling user access.
- Monitoring user activity. Security audit logs track user activity and discourage irresponsible behavior.
- Industrial regulation. Many countries and regions have rules regarding data management. Security audits can help implement the regulations and prove that users have obeyed them.
- Set strong audit credential validation on your security audit policy to ensure data security.
- Audit Kerberos service ticket operations and security group management.
- Audit computer and user account management.
- Audit the system network policy and special log-in activities.
Is It Ok To Ignore Event ID 4797: “An Attempt Was Made To Query The Existence Of A Blank Password”?
The entry is no cause for concern, so you don’t have to worry about the integrity of your system.
Is It Safe To Turn Off The Security Audit Feature?
You could turn off the security audit feature, but that might compromise your system. Hence, if you can help it, keep the security audit feature enabled.
How Do I Turn On The Security Audit Feature?
By turning the security audit feature on, you would be able to secure your system while supervising access, changes, etc. To turn on the security audit feature, go through the following steps:
- Step 1: Log in to the domain controller with an admin account to gain control over the system. You must have admin privileges to change the system’s audit settings or access the logs.
- Step 2: Open the Active Directory Users and Computers snap-in.
- Step 3: Right-click the container that houses the domain controllers, then pick Properties.
- Step 4: In Properties, select the Group Policy tab and select Edit to modify the default domain policy. Expand the Computer Configuration tab, navigate to Windows Settings and select Security Settings to get to Local Policies.
- Step 5: In the Local Policies settings, choose Audit Policy.