Event ID 4793 - The Password Policy Checking API was called
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
Log Sample
{
"EventTime": "2017/11/17 04:04:12",
"Hostname": "WIN-AE4MOB56I4P.changeme.com",
"Keywords": -9214364837600034816,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4793,
"SourceName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version": 0,
"Task": 13827,
"OpcodeValue": 0,
"RecordNumber": 2034819,
"ProcessID": 776,
"ThreadID": 2032,
"Channel": "Security",
"Message": "The Password Policy Checking API was called",
"Category": "Audit Other Account Management Events",
"TargetUserName": "sig",
"SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "changeme",
"SubjectLogonId": "0x33903e",
"Workstation": "DC01",
"Status": "0x0",
"EventReceivedTime": "2017/11/17 04:04:12",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}
General Description
- This event generates each time the Password Policy Checking API is called.
- For example, this event is generated during the Directory Services Restore Mode (DSRM) account password reset procedure, when the new DSRM password is checked.
- This event is generated on the computer where the Password Policy Checking API was called.
Detail Description
Subject:
- SubjectUserSid: SID of the account that called the Password Policy Checking API.
- SubjectUserName: the name of the account that called the Password Policy Checking API.
- SubjectDomainName: the subject’s domain name. Formats vary, and include the following:
  - Domain NETBIOS name example: CONTOSO
  - Lowercase full domain name: contoso.local
  - Uppercase full domain name: CONTOSO.LOCAL
  - For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- SubjectLogonId: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information
- Workstation: name of the computer from which the Password Policy Checking API was called.
- TargetUserName: the name of the account whose password was provided/requested for validation. This parameter might not be captured in the event, and in that case it appears as “-”.
- Status Code: typically has the value “0x0”. The status code is “0x0” whether or not the password meets the domain Password Policy.
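The following Python example is added here and is not part of the original post: it reads NXLog-style JSON lines, ties each 4793 record to its 4624 logon session through SubjectLogonId, and treats a “-” TargetUserName as missing. The sample records, the 4624 field values, the svc-backup account and the function names are constructed for illustration.

```python
import json

# Constructed sample records, one JSON object per line, in the shape of the log sample above.
SAMPLE_LOG = """\
{"EventID": 4624, "Hostname": "WIN-AE4MOB56I4P.changeme.com", "EventTime": "2017/11/17 04:01:55", "TargetUserName": "Administrator", "TargetLogonId": "0x33903e", "LogonType": "10", "IpAddress": "192.0.2.10"}
{"EventID": 4793, "Hostname": "WIN-AE4MOB56I4P.changeme.com", "EventTime": "2017/11/17 04:04:12", "SubjectUserName": "Administrator", "SubjectDomainName": "changeme", "SubjectLogonId": "0x33903e", "Workstation": "DC01", "TargetUserName": "sig", "Status": "0x0"}
{"EventID": 4793, "Hostname": "WIN-AE4MOB56I4P.changeme.com", "EventTime": "2017/11/17 04:09:40", "SubjectUserName": "svc-backup", "SubjectDomainName": "changeme", "SubjectLogonId": "0x4a1f02", "Workstation": "DC01", "TargetUserName": "-", "Status": "0x0"}
"""

def logon_key(host, logon_id):
    # A Logon ID is only meaningful on the host that issued it, so key on both.
    # Parsing the hex string avoids mismatches such as "0x33903E" vs "0x33903e".
    return host.lower(), int(logon_id, 16)

def correlate_4793(lines):
    """Return one summary per 4793 event, enriched from the matching 4624 logon."""
    sessions = {}   # (host, logon id) -> most recent 4624 record seen
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        host = ev.get("Hostname", "")
        if ev.get("EventID") == 4624 and "TargetLogonId" in ev:
            sessions[logon_key(host, ev["TargetLogonId"])] = ev
        elif ev.get("EventID") == 4793:
            logon = sessions.get(logon_key(host, ev["SubjectLogonId"]))
            target = ev.get("TargetUserName")
            # Status is deliberately ignored: it is "0x0" whether or not the
            # password met the policy, so it says nothing about the outcome.
            findings.append({
                "time": ev.get("EventTime"),
                "caller": f'{ev.get("SubjectDomainName")}\\{ev.get("SubjectUserName")}',
                "workstation": ev.get("Workstation"),
                "target": None if target in (None, "-") else target,
                "session_found": logon is not None,
                "logon_type": logon.get("LogonType") if logon else None,
                "source_ip": logon.get("IpAddress") if logon else None,
            })
    return findings

if __name__ == "__main__":
    for finding in correlate_4793(SAMPLE_LOG.splitlines()):
        print(finding)
```

A 4793 record with `session_found` set to false means the matching 4624 was not in the input, for example because the logon happened before the collection window started.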