
I'm seeing periodic 4672 events (Special Logon) on my Windows Home 10 workstation.

What triggered my interest in the events triggered by Security ID / Account Name "SYSTEM" is that they have occurred at regular intervals over the last 12 hours.

Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:           0x3E7

Privileges:
    SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege

This occurs almost on the hour, overnight.

Then this morning I see an event 4797 (User account management) "An attempt was made to query the existence of a blank password for an account."

An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        -----
    Account Name:       -----
    Account Domain:     -----
    Logon ID:       0x946808E

Additional Information:
    Caller Workstation: -----
    Target Account Name:    Administrator
    Target Account Domain:  -----

This event is only seen once.

So my question is two-fold: what are the regular SYSTEM 4672 events, and are they somehow related to the 4796 (User Account Management) event?

Thanks.

Paulie-C
4797: This is a normal event; it is a Windows security audit. https://superuser.com/questions/774728/event-4797-an-attempt-was-made-to-query-the-existence-of-a-blank-password-for-a – Moab Oct 02 '19 at 12:16

4672: This is also normal. https://social.technet.microsoft.com/Forums/windowsserver/en-US/8bf6a0aa-2069-4bf0-abdd-f7fb84e07aae/lots-of-quotspecial-logonquot-events-for-computer-account?forum=winservergen – Moab Oct 02 '19 at 12:20

0 Answers
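
One way to check whether the two event types share a logon session, added here as an example and not part of the original post or comments: it groups 4672 events by Subject Logon ID, measures the spacing between them, and tests whether a 4797's logon ID matches any of those sessions. The records are constructed in the shape of Event Viewer's XML view; the `<Events>` wrapper, the `user1` account name and the timestamps are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": URI}

def _sample(eid, when, user, logon_id):
    """Build one constructed record shaped like Event Viewer's XML view."""
    return (f'<Event xmlns="{URI}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}.000000000Z"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectLogonId">{logon_id}</Data></EventData></Event>')

# Constructed sample: hourly SYSTEM 4672 events, then a single 4797 raised from
# a different logon session. "user1" is a placeholder account name.
SAMPLE = "<Events>" + "".join([
    _sample(4672, "2019-10-02T01:00:04", "SYSTEM", "0x3e7"),
    _sample(4672, "2019-10-02T02:00:02", "SYSTEM", "0x3e7"),
    _sample(4672, "2019-10-02T03:00:05", "SYSTEM", "0x3e7"),
    _sample(4797, "2019-10-02T08:41:17", "user1", "0x946808e"),
]) + "</Events>"

def parse(xml_text):
    """Yield (event_id, time, user, logon_id); the logon ID is parsed as hex."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")[:19]
        yield (int(ev.findtext("e:System/e:EventID", namespaces=NS)),
               datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"),
               data.get("SubjectUserName"), int(data.get("SubjectLogonId", "0"), 16))

def triage(xml_text):
    """Return 4672 gaps (minutes) per logon session, and for each 4797 whether
    its logon session also appears in a 4672 event."""
    events = sorted(parse(xml_text), key=lambda e: e[1])
    sessions = {}
    for eid, when, user, lid in events:
        if eid == 4672:
            sessions.setdefault(lid, []).append(when)
    gaps = {lid: [round((b - a).total_seconds() / 60) for a, b in zip(t, t[1:])]
            for lid, t in sessions.items()}
    queries = [(when, user, lid in sessions)
               for eid, when, user, lid in events if eid == 4797]
    return gaps, queries

if __name__ == "__main__":
    gaps, queries = triage(SAMPLE)
    print("4672 gaps in minutes per logon ID:", {hex(k): v for k, v in gaps.items()})
    print("4797 queries (time, account, same session as a 4672):", queries)
```

With the values quoted in the question, the 4672 events carry Logon ID 0x3E7 and the 4797 carries 0x946808E, so this comparison reports the 4797 as coming from a different logon session.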