Monday, 23 September 2019

windows 8 - Event 4797 "An attempt was made to query the existence of a blank password for an account"


On my Windows 8.1 desktop, I see a lot of messages like this from lsass.exe in the Event Viewer's audit log:


An attempt was made to query the existence of a blank password for an account.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Additional Information:
Caller Workstation: PETTER
Target Account Name: Administrator
Target Account Domain: PETTER

It goes on once in a while for a few different Target Account Names, like Administrator, Guest, HomeGroupUser$, etc. This message shows up at certain intervals whether or not I am connected to the Internet.


To make sure that there was no malicious intent behind this, I ran a virus check with Malwarebytes, Trend Micro and AVG, which were all in agreement that the system in fact was clean.


I then reinstalled a clean system; the messages still re-appeared after a while.


It does not seem to matter whether the system is connected to a network or not; even with the network cable unplugged, these messages appear. (Maybe not so strange considering that it's running as S-1-5-19 "Local Service".)


Strangely, on the Internet, there seems to be a lot of others who've faced this very issue, but the threads and questions there remain unanswered.


What is the origin of these messages, and why is there a constant scan for empty passwords?


Here is the output of auditpol:


C:\WINDOWS\system32>auditpol /get /user:Administrator /category:*
No audit policy is defined for the user account.

C:\WINDOWS\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                        Setting
System
  Security System Extension                 No Auditing
  System Integrity                          Success and Failure
  IPsec Driver                              No Auditing
  Other System Events                       Success and Failure
  Security State Change                     Success
Logon/Logoff
  Logon                                     Success
  Logoff                                    Success
  Account Lockout                           Success
  IPsec Main Mode                           No Auditing
  IPsec Quick Mode                          No Auditing
  IPsec Extended Mode                       No Auditing
  Special Logon                             Success
  Other Logon/Logoff Events                 No Auditing
  Network Policy Server                     Success and Failure
  User / Device Claims                      No Auditing
Object Access
  File System                               No Auditing
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing
  Removable Storage                         No Auditing
  Central Policy Staging                    No Auditing
Privilege Use
  Non Sensitive Privilege Use               No Auditing
  Other Privilege Use Events                No Auditing
  Sensitive Privilege Use                   No Auditing
Detailed Tracking
  Process Creation                          No Auditing
  Process Termination                       No Auditing
  DPAPI Activity                            No Auditing
  RPC Events                                No Auditing
Policy Change
  Authentication Policy Change              Success
  Authorization Policy Change               No Auditing
  MPSSVC Rule-Level Policy Change           No Auditing
  Filtering Platform Policy Change          No Auditing
  Other Policy Change Events                No Auditing
  Audit Policy Change                       Success
Account Management
  User Account Management                   Success
  Computer Account Management               No Auditing
  Security Group Management                 Success
  Distribution Group Management             No Auditing
  Application Group Management              No Auditing
  Other Account Management Events           No Auditing
DS Access
  Directory Service Changes                 No Auditing
  Directory Service Replication             No Auditing
  Detailed Directory Service Replication    No Auditing
  Directory Service Access                  No Auditing
Account Logon
  Kerberos Service Ticket Operations        No Auditing
  Other Account Logon Events                No Auditing
  Kerberos Authentication Service           No Auditing
  Credential Validation                     No Auditing

Answer



This is normal, don't panic.


One of these events is logged for each local account when one of these two things happens:

  1. The user tile on the Start screen is pressed to get the dropdown of account-related options:

     [screenshot: the user tile]

     In this case, the Subject is the currently logged-in user (me, in the above screenshot). The events are logged even on domain-joined machines where no local accounts appear in the resulting menu.

  2. The logon UI appears to show the list of local users that can be signed into. In this case, the Subject is NT AUTHORITY\LOCAL SERVICE. The events are not logged on domain-joined machines where only a username and password are entered.


As for what the event means, it's what it says on the tin - an application running as the Subject tested for a blank password on the account specified by the Target Account Name. Windows does that so that it doesn't need to prompt users for passwords they don't have; it would be confusing for some people to see a password box before they sign in when they have no password.


Windows shouldn't need to do that check until the user clicks on one of the other users on the logon screen or in the switch list, but it does.
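As an added example (not part of the question or the answer above), here is a small Python triage script that parses the rendered Event 4797 text shown in the question and applies the answer's two benign patterns: the logon UI running as LOCAL SERVICE, or the signed-in user's own tile, querying a local account from this same machine. The second sample event and the host and user names passed to the function are constructed for illustration.

```python
import re

# Constructed samples: the first is the event text quoted in the question; the second is a
# made-up event whose Subject and Caller Workstation fit neither benign pattern.
SAMPLE_EVENTS = [
    """An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Additional Information:
Caller Workstation: PETTER
Target Account Name: Administrator
Target Account Domain: PETTER
""",
    """An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-21-1111-2222-3333-1001
Account Name: svc_backup
Account Domain: PETTER
Logon ID: 0x8A3F2
Additional Information:
Caller Workstation: WS-OTHER
Target Account Name: Administrator
Target Account Domain: PETTER
""",
]

# One labelled field per line, as Event Viewer renders the message body.
FIELD_RE = re.compile(
    r"^(Security ID|Account Name|Account Domain|Logon ID|Caller Workstation"
    r"|Target Account Name|Target Account Domain):\s*(.*)$", re.M)

def parse_4797(text):
    """Pull the labelled fields of a rendered Event 4797 message into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(text)}

def triage_4797(fields, local_host, interactive_users):
    """Classify one event: LOCAL SERVICE (logon UI) or a signed-in user (user tile) querying
    an account from this host is expected; any other subject or a remote caller is flagged."""
    subject = fields.get("Account Name", "")
    caller = fields.get("Caller Workstation", "")
    if caller.upper() != local_host.upper():
        return "review: caller workstation is not this host"
    if subject.upper() == "LOCAL SERVICE":
        return "expected: logon UI enumerating local accounts"
    if subject.lower() in {u.lower() for u in interactive_users}:
        return "expected: user tile / switch-user menu"
    return "review: unexpected subject " + subject
```

The same two rules apply to events exported from a domain workstation; only the host name and the list of users who actually sign in interactively change.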

