Event 4797 "An attempt was made to query the existence of a blank password for an account"

Pet*_*r H 11 security event-viewer windows-8

On my Windows 8.1 desktop, I see a lot of messages like this from lsass.exe in the Event Viewer audit log:

An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:       LOCAL SERVICE
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E5

Additional Information:
    Caller Workstation: PETTER
    Target Account Name:    Administrator
    Target Account Domain:  PETTER

Over time it has had several different Target Account Names, such as Administrator, Guest, HomeGroupUser$, and so on. The message shows up at regular intervals, regardless of whether I am connected to the internet or not.

To make sure there was nothing malicious behind this, I ran virus scans with Malwarebytes, Trend Micro and AVG, and they all agreed that the system is in fact clean.

I then reinstalled a clean system; after a while the messages reappeared anyway.

Whether the system is connected to a network does not seem to matter; the messages appear even with the network cable unplugged. (Perhaps not surprising, given that it runs as S-1-5-19 "Local Service".)

Oddly, there seem to be plenty of other people on the internet who have run into this, but the threads and questions there remain unanswered.

What is the source of these messages, and why is it constantly scanning for blank passwords?

Here is the output of auditpol:

C:\WINDOWS\system32>auditpol /get /user:Administrator /category:*
No audit policy is defined for the user account.

C:\WINDOWS\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

Ben*_*n N 14

This is normal; don't panic.

One of these events is logged for each local account when either of the following happens:

  1. The user tile on the Start screen is pressed to get the drop-down of account-related options:

    User tile

    In this case the Subject is the currently logged-on user (me, in the screenshot above). The event is logged even on domain-joined computers where local accounts are not shown in the resulting menu.

  2. The logon UI is about to show the list of local users who can log on. In this case the Subject is NT AUTHORITY\LOCAL SERVICE. These events are not logged on domain-joined computers, where only a username and password are entered.

As for what the event means, it is what it says on the tin: the application running as the Subject tested a blank password against the account named by Target Account Name. Windows does this so that it does not have to prompt users for a password they do not have; some people find it confusing to be shown a password box before logging in when they have no password.

Windows doesn't need to perform that check until the user clicks on the logon screen or on one of the other users in the switch list, but it does so anyway.
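Since the answer gives two benign Subjects for this event (NT AUTHORITY\LOCAL SERVICE for the logon UI, or the logged-on user for the Start-screen tile), both calling from the local machine, a quick way to confirm that is all you are seeing is to tabulate recent 4797 events by Subject and Target. The script below is an added example, not code from the question or answer; it assumes the standard EventData field names of event 4797 (SubjectUserName, SubjectDomainName, SubjectLogonId, Workstation, TargetUserName, TargetDomainName) and must be run from an elevated PowerShell, since reading the Security log needs administrator rights.

```powershell
# Added example: summarise event 4797 from the Security log and point out
# entries that do not match the two benign cases described in the answer.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4797; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 4797 events in the last $Days day(s)."; return }

# Flatten each event's XML payload into an object with the fields we care about.
# Field names are assumed from the 4797 event schema (see lead-in).
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        LogonId     = $d.SubjectLogonId
        Workstation = $d.Workstation
        Target      = "$($d.TargetDomainName)\$($d.TargetUserName)"
    }
}

# Expected picture: a handful of Subjects (LOCAL SERVICE or the logged-on user),
# one row per local account, repeated at the intervals the asker observed.
$rows | Group-Object Subject, Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything else is worth a closer look: a Subject that is neither LOCAL SERVICE
# nor a local user, or a Caller Workstation that is not this computer (in the
# question both are local: LOCAL SERVICE calling from PETTER).
$localUsers = (Get-LocalUser).Name
$odd = $rows | Where-Object {
    ($_.Subject -ne 'NT AUTHORITY\LOCAL SERVICE' -and
     $localUsers -notcontains ($_.Subject -split '\\')[-1]) -or
    ($_.Workstation -and $_.Workstation -ne $env:COMPUTERNAME)
}
if ($odd) {
    Write-Host "`n4797 events outside the two benign cases:" -ForegroundColor Yellow
    $odd | Sort-Object Time | Format-Table Time, Subject, LogonId, Workstation, Target -AutoSize
} else {
    Write-Host "`nAll 4797 events match the logon UI / user tile pattern."
}
```

Get-LocalUser ships with PowerShell 5.1 and later; on older systems replace that line with a list of your local account names.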