14 DAY TRIAL // Nothing but bad design is responsible for Windows XP failures. The consistent volume of logon failure events in Windows XP, when the operating system is not part of a domain, is generated by the design of the overall log in process. Eric Fitzgerald, Program Manager, Windows Auditing and Intrusion Detection Microsoft, revealed that the shell teams had to make up during the development process for the lack of a application programming interface designed to indicate accounts that had blank passwords.
"When in a workgroup (not domain joined), Windows XP displays a welcome screen that has little pictures (called "tiles") for each user who is permitted to log on to the computer. The shell team wanted the experience that when you click on a tile, that you will immediately be logged on if your password is blank (we have good data that a large percentage of home users have blank passwords). They only want you to be prompted for a password if you actually have a password. Fair enough, and it also helps with accessibility for people for whom typing is challenging", Fitzgerald explained.
Simply put - during the start-up process, Windows XP has to make up for the missing API via a trial and error action, namely the XP Welcome Screen will use a blank password in order to log in each user. Accounts with passwords will generate failures immediately, while accounts without passwords will produce log in success just to also fail the logon. This issue has gone unfixed in SP1 and SP2. In Windows Vista the Welcome Screen was redesigned in order to scrap the problem.
"The Welcome Screen uses the result of these logon attempts to decide whether to display a password box when you select a user's tile. If the user has a blank password, they will be logged on instead of being prompted for a password. Why are they logging on the account? Well it turns out to be the easiest way to tell if your password is blank. We don't have a "is your password blank" API- that would be a security disaster - and we would prefer that the shell team not go mucking about in the SAM, retrieving hashes and computing the blank password hash for each account so that it could compare them", Fitzgerald added.