Why these errors in WinXP SP3?


Mike in Nebraska

I have a WinXP PC in our small LAN that runs QuickBooks. The Office Manager
has had problems with it and asked me to take a look. I continually find
errors in the Security Log that might be related, but I don't have the
experience to know where to go for resolution.

In anticipation of the question, detailed tracking for success & failure of
processes is turned on in the Local Security Policy.

Can someone give me some ideas on what these mean and how to resolve them?

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 7/30/2009
Time: 7:45:08 AM
User: NT AUTHORITY\SYSTEM
Computer: OFFICEMANAGER
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 812
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1381
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 7/30/2009
Time: 7:45:09 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: OFFICEMANAGER
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1204
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 59463
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============
I'm assuming that finding the Process ID (1204) is the key for svchost.exe, but
where to go from here?

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a conservation non-profit (501
 
Hi Mike,

These are just informational from the firewall to let you know that there
are listening applications on the machine. You can review the logs and
determine if that is something that you want to have listening for incoming
traffic on your machine or not.

Security Log Entries
=================
Windows Firewall writes entries to the security log when a computer is
started and when a program or system service attempts to listen for
unsolicited incoming traffic but is blocked. These entries provide
information about the status and configuration of Windows Firewall,
including information about the applications and ports that permit traffic
through Windows Firewall. These entries also provide information about
which ports and protocols a program or system services is trying to use so
you can configure the necessary exceptions in Windows Firewall. These
security log entries are viewed with Event Viewer, which can filter the
entries by Event IDs. The Event IDs associated with Windows Firewall are in
the range of 848 through 861.

For more information, refer to the following links:
http://technet.microsoft.com/en-us/library...845(WS.10).aspx
http://technet.microsoft.com/en-us/library...791(WS.10).aspx

However, these 861 events won't affect your system at all, they tell us
what applications or services are trying to listen on the network when the
Firewall is off. If you don't want to receive such events any more, you can
stop the Windows Firewall/Internet Connection Sharing service or disable
the auditing.

If you want to turn off the logging you should be able to by doing it
through a GPO:

(Computer Configuration->Windows Settings->Security Settings->Local
Policies/Audit Policy):

Policy                   Setting
Audit policy change      Not Defined
Audit privilege use      Not Defined

We do not suggest doing this though. I suggest leaving it and if you have a
problem troubleshoot the problem not the logs.

Hope it helps.

Thanks.

Best regards,

Robinson Zhang
Microsoft Online Support
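
Added example, not part of the original thread or of the reply above: a small Python parser for Event ID 861 records pasted from Event Viewer in the form shown in the question, grouping the listeners the firewall blocked by image path and PID. The field names and the `=` separator line come from the dump in the question; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two Event ID 861 records quoted in the thread,
# trimmed to the fields used here and separated by a line of "=".
SAMPLE = r"""Event ID: 861
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 812
IP protocol: UDP
Port number: 1381
Allowed: No
============
Event ID: 861
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1204
IP protocol: UDP
Port number: 59463
Allowed: No
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")

def parse_events(text):
    """Split a pasted Security log dump into one dict of fields per event."""
    events = []
    for chunk in re.split(r"^=+\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:  # free-text description lines have no "Key: value" shape
                fields.setdefault(m.group(1), m.group(2).strip())
        if fields:
            events.append(fields)
    return events

def blocked_listeners(events):
    """Map (image path, PID) -> sorted (protocol, port) pairs that were blocked."""
    out = defaultdict(set)
    for e in events:
        if e.get("Event ID") == "861" and e.get("Allowed", "").lower() == "no":
            key = (e["Path"].lower(), int(e["Process identifier"]))
            out[key].add((e["IP protocol"], int(e["Port number"])))
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    print(blocked_listeners(parse_events(SAMPLE)))
```

For a `svchost.exe` entry, running `tasklist /svc /fi "PID eq 1204"` on the machine while that process is still running lists the services hosted under that PID.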
 
OK, thanks.


""Robinson Zhang [MSFT]"" wrote in message
news:PIKbn3YEKHA.5096@TK2MSFTNGHUB02.phx.gbl...
> Hi Mike,
>
> These are just informational from the firewall to let you know that there
> are listening applications on the machine. You can review the logs and
> determine if that is something that you want to have listening for
> incoming traffic on your machine or not.
>
> Security Log Entries
> =================
> Windows Firewall writes entries to the security log when a computer is
> started and when a program or system service attempts to listen for
> unsolicited incoming traffic but is blocked. These entries provide
> information about the status and configuration of Windows Firewall,
> including information about the applications and ports that permit traffic
> through Windows Firewall. These entries also provide information about
> which ports and protocols a program or system services is trying to use so
> you can configure the necessary exceptions in Windows Firewall. These
> security log entries are viewed with Event Viewer, which can filter the
> entries by Event IDs. The Event IDs associated with Windows Firewall are
> in the range of 848 through 861.
>
> For more information, refer to the following links:
> http://technet.microsoft.com/en-us/library...845(WS.10).aspx
> http://technet.microsoft.com/en-us/library...791(WS.10).aspx
>
> However, these 861 events won't affect your system at all, they tell us
> what applications or services are trying to listen on the network when the
> Firewall is off. If you don't want to receive such events any more, you
> can stop the Windows Firewall/Internet Connection Sharing service or disable
> the auditing.
>
> If you want to turn off the logging you should be able to by doing it
> through a GPO:
>
> (Computer Configuration->Windows Settings->Security Settings->Local
> Policies/Audit Policy):
>
> Policy                   Setting
> Audit policy change      Not Defined
> Audit privilege use      Not Defined
>
> We do not suggest doing this though. I suggest leaving it and if you have
> a problem troubleshoot the problem not the logs.
>
> Hope it helps.
>
> Thanks.
>
> Best regards,
>
> Robinson Zhang
> Microsoft Online Support
>
 
Hi Mike,

Appreciate your update and response. If you have any other questions or
concerns, please do not hesitate to contact us. It is always our pleasure
to be of assistance.

Have a nice day!

Best regards,

Robinson Zhang
Microsoft Online Support
 