Why these errors in WinXP SP3?

Mike in Nebraska

I have a WinXP PC in our small LAN that runs QuickBooks. The Office Manager
has had problems with it and asked me to take a look. I continually find
errors in the Security Log that might be related, but I don't have the
experience to know where to go for resolution.

In anticipation of the question, detailed tracking for success & failure of
processes is turned on in the Local Security Policy.

Can someone give me some ideas on what these mean and how to resolve them?

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 7/30/2009
Time: 7:45:08 AM
User: NT AUTHORITY\SYSTEM
Computer: OFFICEMANAGER
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 812
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1381
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 7/30/2009
Time: 7:45:09 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: OFFICEMANAGER
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1204
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 59463
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============
I'm assuming that finding the Process ID (1204) is the key for svchost.exe, but
where to go from here?
 
njem

> I have a WinXP PC in our small LAN that runs QuickBooks.  The Office Manager
> has had problems with it and asked me to take a look.  I continually find

I see you're not getting any answers. I have numerous clients running
QB and the logs show lots of related warnings. I've talked to QB help
about these and they don't seem very concerned and everything works,
so.... On the other hand I don't remember seeing warnings about
listening applications. Do you get this on other systems? How about if
you turn off virtually all start up stuff? Safe mode with networking?
Do you have anti-virus/security software and does it complain? Is a
scan clean? You've probably thought of most of these but it looks like
you'll have to do your own detective work. Good luck. You might ask QB
support if it makes sense to them. Do you have the QB data server
program running on this one? It watches for other users accessing data
on the host system and serves it. That might show up as a listening
application.
 
Robinson Zhang [MSFT]

Hi Mike,

These are just informational from the firewall to let you know that there
are listening applications on the machine. You can review the logs and
determine if that is something that you want to have listening for incoming
traffic on your machine or not.

Security Log Entries
=================
Windows Firewall writes entries to the security log when a computer is
started and when a program or system service attempts to listen for
unsolicited incoming traffic but is blocked. These entries provide
information about the status and configuration of Windows Firewall,
including information about the applications and ports that permit traffic
through Windows Firewall. These entries also provide information about
which ports and protocols a program or system service is trying to use so
you can configure the necessary exceptions in Windows Firewall. These
security log entries are viewed with Event Viewer, which can filter the
entries by Event IDs. The Event IDs associated with Windows Firewall are in
the range of 848 through 861.

For more information, refer to the following links:
http://technet.microsoft.com/en-us/library/cc737845(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc739791(WS.10).aspx

However, these 861 events won't affect your system at all; they tell us
what applications or services are trying to listen on the network when the
Firewall is off. If you don't want to receive such events any more, you can
stop the Windows Firewall/Internet Connection Sharing service or disable
the auditing.

If you want to turn off the logging you should be able to by doing it
through a GPO:

(Computer Configuration->Windows Settings->Security Settings->Local
Policies/Audit Policy):

Policy                   Setting
Audit policy change      Not Defined
Audit privilege use      Not Defined

We do not suggest doing this though. I suggest leaving it and if you have a
problem troubleshoot the problem not the logs.

Hope it helps.

Thanks.

Best regards,

Robinson Zhang
Microsoft Online Support
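
Added example, not part of the original thread and not a Microsoft tool: a Python script that reads Event ID 861 entries pasted from Event Viewer and lists, per executable, the PIDs, protocol/port pairs and how many listen attempts were not allowed. The names `SAMPLE`, `parse_events` and `listeners` are hypothetical, and the sample text is constructed from the two events quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout Event Viewer uses for copied entries;
# the values mirror the two events quoted in the thread.
SAMPLE = r"""Event ID: 861
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 812
IP protocol: UDP
Port number: 1381
Allowed: No
============
Event ID: 861
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1204
IP protocol: UDP
Port number: 59463
Allowed: No
============
"""

def parse_events(text):
    """Split pasted entries on the ===== separator and read 'Key: value' lines."""
    events = []
    for chunk in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "861":  # keep only listening-application events
            events.append(fields)
    return events

def listeners(events):
    """Map each executable to its PIDs, protocol/port pairs and blocked count."""
    out = defaultdict(lambda: {"pids": set(), "ports": set(), "blocked": 0})
    for ev in events:
        entry = out[ev["Path"].lower()]
        entry["pids"].add(int(ev["Process identifier"]))
        entry["ports"].add((ev["IP protocol"], int(ev["Port number"])))
        entry["blocked"] += ev["Allowed"] == "No"
    return dict(out)

if __name__ == "__main__":
    for path, info in listeners(parse_events(SAMPLE)).items():
        print(path, sorted(info["pids"]), sorted(info["ports"]), info["blocked"])
```

For a shared host such as svchost.exe, `tasklist /svc /fi "PID eq 1204"` on XP Professional shows which services run inside that PID while the process is still alive.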
 
Robinson Zhang [MSFT]

Hi Mike,

Appreciate your update and response. If you have any other questions or
concerns, please do not hesitate to contact us. It is always our pleasure
to be of assistance.

Have a nice day!

Best regards,

Robinson Zhang
Microsoft Online Support
 
