diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 8442d80c01d..cb056a98e67 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -60,6 +60,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 *Winlogbeat*
+- Fix handling of empty strings in event_data. {pull}3705[3705]
 ==== Added
diff --git a/winlogbeat/sys/strings.go b/winlogbeat/sys/strings.go
index ce9d4db99f4..01009f00d7a 100644
--- a/winlogbeat/sys/strings.go
+++ b/winlogbeat/sys/strings.go
@@ -76,7 +76,7 @@ func UTF16BytesToString(b []byte) (string, int, error) {
 offset := -1
 // Find the null terminator if it exists and re-slice the b.
- if nullIndex := indexNullTerminator(b); nullIndex > 0 {
+ if nullIndex := indexNullTerminator(b); nullIndex > -1 {
 if len(b) > nullIndex+2 {
 offset = nullIndex + 2
 }
diff --git a/winlogbeat/sys/strings_test.go b/winlogbeat/sys/strings_test.go
index f7e3443e49d..145c0e6660e 100644
--- a/winlogbeat/sys/strings_test.go
+++ b/winlogbeat/sys/strings_test.go
@@ -54,6 +54,25 @@ func TestUTF16BytesToStringOffset(t *testing.T) {
 assert.Equal(t, -1, offset)
 }
+func TestUTF16BytesToStringOffsetWithEmptyString(t *testing.T) {
+ in := bytes.Join([][]byte{toUTF16Bytes(""), toUTF16Bytes("two")}, []byte{0, 0})
+
+ output, offset, err := UTF16BytesToString(in)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Equal(t, "", output)
+ assert.Equal(t, 2, offset)
+
+ in = in[offset:]
+ output, offset, err = UTF16BytesToString(in)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Equal(t, "two", output)
+ assert.Equal(t, -1, offset)
+}
+
 func BenchmarkUTF16BytesToString(b *testing.B) {
 utf16Bytes := toUTF16Bytes("A logon was attempted using explicit credentials.")
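Review bot: In winlogbeat/sys/strings.go the new guard `nullIndex > -1` in UTF16BytesToString gives no reason why index 0 is now accepted, and it depends on indexNullTerminator returning exactly -1 for "not found", which is not visible in this hunk. I would write it as `if nullIndex := indexNullTerminator(b); nullIndex >= 0 {` and extend the comment above it to `// Find the null terminator if it exists and re-slice b. Index 0 is valid: it means the first string is empty.` Judging from the changelog entry, the old `> 0` skipped the re-slice for a leading empty value, so the terminator and the following event_data strings were presumably decoded as a single value. That is worth recording, because shifted or merged fields in collected event logs are hard to spot downstream. The function body continues outside the hunk, so the decode path itself is not reviewed here.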
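Review bot: TestUTF16BytesToStringOffsetWithEmptyString in winlogbeat/sys/strings_test.go only exercises an empty string at the head of the buffer. The `len(b) > nullIndex+2` guard in UTF16BytesToString leaves offset at -1 when the terminator is the last two bytes, so a buffer holding just an empty value, and an empty value between two non-empty ones, are both untested. I would add a second case built from `bytes.Join([][]byte{toUTF16Bytes("one"), toUTF16Bytes(""), toUTF16Bytes("two")}, []byte{0, 0})`, reading three strings in turn and asserting "one", "" and "two" with the final offset at -1. The intermediate offsets depend on whether toUTF16Bytes appends its own terminator, which is not visible here. A one-line comment such as `// A leading terminator must yield "" and advance past it, not swallow the next value.` would state the regression being pinned.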