Event ID 861

  • Thread starter Frederick R. Hutchings

Frederick R. Hutchings

XP Pro SP3

Hi,

I am getting a lot of events in the security log with ID 861:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 2009.9.12
Time: 6:15:10 p
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPUTER01
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1840
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 64697
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 2009.9.9
Time: 9:31:23 p
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER01
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1684
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


The one from NETWORK SERVICE is by far the most prevalent, occurring every 1
to 5 minutes. The one with SYSTEM doesn't happen very often. The ports
appear random. It's always svchost.exe.

Any suggestions as to what it doesn't like, and how to fix it?

Thanks,
Fred
 

Frederick R. Hutchings

Well, I'm confused. I checked the Security log, and I was getting those
consistent errors until 629a. There was another one at 1019a, but not one
since. This is on 9-13-2009. Maybe it fixed itself? Anyway, here's what I
had done.

I actually had googled it before, but I did find some info I had missed.
Most of them do not apply to svchost.exe, but these did:

These solutions don't sound good at all:
http://www.eventid.net/display.asp?eventid=861&eventno=4615&source=Security&phase=1
"Peter Colsch (Last update 9/28/2004):
Even though Windows XP firewall is "turned off", the service is still
running. If your security auditing policy includes auditing of failures for
"audit process tracking", your security event logs will be filling up
quickly. If you want the events to go away, the only solutions I have found
so far are to turn off the auditing or to stop the Windows Firewall/ICS
service. Go to Start -> Run -> services.msc. Find Windows Firewall in the
list, double-click on it, set "Startup type" to "Disabled", and press Stop
if it is running."

http://serverfault.com/questions/59...-has-detected-an-application-listening-for-in
"I've decided my solution to this is once I audit the machines to verify
every single one (not just assume all of them) have a 3rd party security
tool I'm just going to disable the entire Windows Firewall and that will fix
my problem"

This solution had some possibly useful info:
http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_22152313.html
He used this command:
'tasklist /svc /fi "pid eq 2160"'
I tried it with the PID of my service (1840) and got Dnscache. It called it
a service. I didn't check the "answer" on the web page, as they require
that I register to look at it and I try to avoid giving out personal info
unless it appears to be absolutely necessary. I don't like to lie, either.

I googled dnscache and learned, I think, that it controls a cache of
recently used URLs. I have a workgroup and Norton
Internet Security 2009.

Looks like it fixed itself?

Thanks, Fred
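
A way to see which listener is producing the 861 noise before deciding what to do about it, as an added example that is not part of the original posts: it groups the events by process and emits the `tasklist` lookup used above for each PID. It assumes the Security log has been exported as text in the layout quoted in the thread; `parse_events`, `summarize` and the sample data are hypothetical names and constructed input.

```python
import re
from collections import Counter

# Constructed sample in the layout of the events quoted in the thread
# (port 51234 is made up; the other values are the ones shown above).
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 861\n"
            "Path: C:\\WINDOWS\\system32\\svchost.exe\n"
            "Process identifier: {pid}\nUser account: {user}\n"
            "IP protocol: UDP\nPort number: {port}\nAllowed: No\n\n")
SAMPLE = "".join(TEMPLATE.format(pid=p, user=u, port=n) for p, u, n in [
    (1840, "NETWORK SERVICE", 64697),
    (1840, "NETWORK SERVICE", 51234),
    (1684, "SYSTEM", 68)])

FIELD = re.compile(r"^(Event ID|Path|Process identifier|User account|"
                   r"IP protocol|Port number|Allowed):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Return one dict per Event ID 861 record in a text export of the log."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if fields.get("Event ID") == "861":
            events.append(fields)
    return events

def summarize(events):
    """Group blocked listeners by process, most frequent first."""
    counts, ports = Counter(), {}
    for e in events:
        if e.get("Allowed") != "No":
            continue
        key = (e["Path"], e["Process identifier"],
               e["User account"], e["IP protocol"])
        counts[key] += 1
        ports.setdefault(key, set()).add(int(e["Port number"]))
    # The tasklist filter is the command used in the thread to map a PID
    # to the services hosted in that svchost.exe instance.
    return [(key, n, sorted(ports[key]),
             'tasklist /svc /fi "pid eq %s"' % key[1])
            for key, n in counts.most_common()]

if __name__ == "__main__":
    for key, n, seen, cmd in summarize(parse_events(SAMPLE)):
        print(n, key, seen, "->", cmd)
```

PIDs change across reboots, so the `tasklist` lookup only identifies the service while the process that logged the events is still running.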
 

Frederick R. Hutchings

Well, it didn't fix itself. The log was just full.

I installed SQL Server 2008 Express recently and it appeared to install IIS.
Could that have anything to do with it?

Thanks, Fred
 

Jose

> Well, it didn't fix itself.  The log was just full.
>
> I installed SQL Server 2008 Express recently and it appeared to install IIS.
> Could that have anything to do with it?
>
> Thanks, Fred

If you enable Security event logging to troubleshoot an issue, that is
a good thing.

Some folks enable it just because it is usually empty and think it
should not be empty; it will soon (depending on the settings) fill
itself up, overflow, etc. as Windows writes events that may be of no
consequence and make you think there is an error when there is really
no problem.

It is a log of events (Event Log), not just a log for errors that need
attention and may not mean there is a problem.

There's a difference.
 
