Event ID 861

  • Thread starter Thread starter Frederick R. Hutchings
  • Start date Start date
F

Frederick R. Hutchings

XP Pro SP3

Hi,

My Security Log is filling up with these:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 2009.9.12
Time: 6:15:10 p
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPUTER01
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1840
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 64697
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 2009.9.9
Time: 9:31:23 p
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER01
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1684
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


The NETWORK SERVICE event happens every 1 - 5 minutes. SYSTEM happens
rarely. They are always svchost.exe. The port is random.

I'm actually using Norton Internet Security 2009, which may have it's own
firewall.

What's the best way to handle it?

Thanks, Fred
 
Port 68 is DHCP.

64697 UDP - not sure.

http://technet.microsoft.com/en-us/sysinte...s/bb897437.aspx

May help to identify the process responsible.

"Frederick R. Hutchings" wrote:

> XP Pro SP3
>
> Hi,
>
> My Security Log is filling up with these:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Detailed Tracking
> Event ID: 861
> Date: 2009.9.12
> Time: 6:15:10 p
> User: NT AUTHORITYNETWORK SERVICE
> Computer: COMPUTER01
> Description:
> The Windows Firewall has detected an application listening for incoming
> traffic.
>
> Name: -
> Path: C:WINDOWSsystem32svchost.exe
> Process identifier: 1840
> User account: NETWORK SERVICE
> User domain: NT AUTHORITY
> Service: Yes
> RPC server: No
> IP version: IPv4
> IP protocol: UDP
> Port number: 64697
> Allowed: No
> User notified: No
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Detailed Tracking
> Event ID: 861
> Date: 2009.9.9
> Time: 9:31:23 p
> User: NT AUTHORITYSYSTEM
> Computer: COMPUTER01
> Description:
> The Windows Firewall has detected an application listening for incoming
> traffic.
>
> Name: -
> Path: C:WINDOWSsystem32svchost.exe
> Process identifier: 1684
> User account: SYSTEM
> User domain: NT AUTHORITY
> Service: Yes
> RPC server: No
> IP version: IPv4
> IP protocol: UDP
> Port number: 68
> Allowed: No
> User notified: No
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> The NETWORK SERVICE event happens every 1 - 5 minutes. SYSTEM happens
> rarely. They are always svchost.exe. The port is random.
>
> I'm actually using Norton Internet Security 2009, which may have it's own
> firewall.
>
> What's the best way to handle it?
>
> Thanks, Fred
>
>
>
 
Its Windows Firewall problem.

Event ID 861 Source Security
http://www.eventid.net/display.asp?eventid...ecurity&phase=1

Transcript: Windows XP SP2: Windows Firewall,
http://www.microsoft.com/windowsxp/expertz...n12_win_fw.mspx
browse down to one of Jo_MS answeres

Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/details...&displaylang=en
download = WF_Tshoot.doc

or try a third party firewall, there are some good free obnes.

--
Rey


"Frederick R. Hutchings" wrote:

> XP Pro SP3
>
> Hi,
>
> My Security Log is filling up with these:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Detailed Tracking
> Event ID: 861
> Date: 2009.9.12
> Time: 6:15:10 p
> User: NT AUTHORITYNETWORK SERVICE
> Computer: COMPUTER01
> Description:
> The Windows Firewall has detected an application listening for incoming
> traffic.
>
> Name: -
> Path: C:WINDOWSsystem32svchost.exe
> Process identifier: 1840
> User account: NETWORK SERVICE
> User domain: NT AUTHORITY
> Service: Yes
> RPC server: No
> IP version: IPv4
> IP protocol: UDP
> Port number: 64697
> Allowed: No
> User notified: No
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Detailed Tracking
> Event ID: 861
> Date: 2009.9.9
> Time: 9:31:23 p
> User: NT AUTHORITYSYSTEM
> Computer: COMPUTER01
> Description:
> The Windows Firewall has detected an application listening for incoming
> traffic.
>
> Name: -
> Path: C:WINDOWSsystem32svchost.exe
> Process identifier: 1684
> User account: SYSTEM
> User domain: NT AUTHORITY
> Service: Yes
> RPC server: No
> IP version: IPv4
> IP protocol: UDP
> Port number: 68
> Allowed: No
> User notified: No
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> The NETWORK SERVICE event happens every 1 - 5 minutes. SYSTEM happens
> rarely. They are always svchost.exe. The port is random.
>
> I'm actually using Norton Internet Security 2009, which may have it's own
> firewall.
>
> What's the best way to handle it?
>
> Thanks, Fred
>
>
>
 
TCPView doesn't list the process. Task Manager does. Perhaps because it's
UDP? In any case I think that SysInternals is excellent. I have used them
before. My problem appears to be fixed. Please see my other post.

Thanks, Fred

"Anteaus" wrote in message
news:65F3F361-7B4D-4E13-9D1B-311D2418427D@microsoft.com...
> Port 68 is DHCP.
>
> 64697 UDP - not sure.
>
> http://technet.microsoft.com/en-us/sysinte...s/bb897437.aspx
>
> May help to identify the process responsible.
>
> "Frederick R. Hutchings" wrote:
>
>> XP Pro SP3
>>
>> Hi,
>>
>> My Security Log is filling up with these:
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Detailed Tracking
>> Event ID: 861
>> Date: 2009.9.12
>> Time: 6:15:10 p
>> User: NT AUTHORITYNETWORK SERVICE
>> Computer: COMPUTER01
>> Description:
>> The Windows Firewall has detected an application listening for incoming
>> traffic.
>>
>> Name: -
>> Path: C:WINDOWSsystem32svchost.exe
>> Process identifier: 1840
>> User account: NETWORK SERVICE
>> User domain: NT AUTHORITY
>> Service: Yes
>> RPC server: No
>> IP version: IPv4
>> IP protocol: UDP
>> Port number: 64697
>> Allowed: No
>> User notified: No
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Detailed Tracking
>> Event ID: 861
>> Date: 2009.9.9
>> Time: 9:31:23 p
>> User: NT AUTHORITYSYSTEM
>> Computer: COMPUTER01
>> Description:
>> The Windows Firewall has detected an application listening for incoming
>> traffic.
>>
>> Name: -
>> Path: C:WINDOWSsystem32svchost.exe
>> Process identifier: 1684
>> User account: SYSTEM
>> User domain: NT AUTHORITY
>> Service: Yes
>> RPC server: No
>> IP version: IPv4
>> IP protocol: UDP
>> Port number: 68
>> Allowed: No
>> User notified: No
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> The NETWORK SERVICE event happens every 1 - 5 minutes. SYSTEM happens
>> rarely. They are always svchost.exe. The port is random.
>>
>> I'm actually using Norton Internet Security 2009, which may have it's own
>> firewall.
>>
>> What's the best way to handle it?
>>
>> Thanks, Fred
>>
>>
>>
 
Back
Top