I'm seeing periodic 4672 events (Special Logon) in my Windows Home 10 workstation.

What triggered my interest is that the events, triggered by Security ID / Account Name "SYSTEM", occur at regular intervals over the last 12 hours.

Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E7

Privileges:
    SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege

This occurs almost on the hour, overnight.

Then this morning I see an event 4797 (User account management) "An attempt was made to query the existence of a blank password for an account."

An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        -----
    Account Name:       -----
    Account Domain:     -----
    Logon ID:       0x946808E

Additional Information:
    Caller Workstation: -----
    Target Account Name:    Administrator
    Target Account Domain:  -----

This event is only seen once.

So my question is two-fold: what are the regular SYSTEM 4672 events, and are they somehow related to the 4796 (User Account Management) event?

Thanks.
