Sign in with
Sign up | Sign in
Your question

Event ID 861

Last response: in Windows XP
March 3, 2005 10:55:07 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Very frequently I have a security entry in my event logs (show below). THe
help and support link in the event log results in nothing. The error appears
to be related to the Windows Firewall...does anyone know what this is about,
or how to stop it?


Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 3/3/2005
Time: 10:38:48 AM
Computer: <computername>
The Windows Firewall has detected an application listening for incoming

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 1348
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1352
Allowed: No
User notified: No

For more information, see Help and Support Center at

More about : event 861

March 4, 2005 10:51:03 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Hi J,

Just as the post 27753650 Event ID 861 - OUTLOOK11.EXE Firewall issue.
They are all related to Windows Firewall.

For your convenience, I'll pasted as following:

Based on my research, even though Windows XP firewall is "turned off", the
service is still running. If your security auditing policy includes
auditing of failures for "audit process tracking", your security event logs
will be filling up quickly. If you want the events to go away, the only
solutions I have found so far are to turn off the auditing or to stop the
Windows Firewall/ICS service.

To turn off the auditing:

The Default Domain Policy was configured to push the following changes
Configuration->Windows Settings->Security Settings->Local Policies/Audit

Policy Setting
Audit account logon events Failure
Audit account management Success, Failure
Audit directory service access Failure
Audit logon events Success, Failure
Audit object access Success, Failure
Audit policy change Success, Failure
Audit privilege use Failure
Audit system events Failure

I recommended the following changes:

Policy Setting
Audit policy change Not Defined
Audit privilege use Not Defined
Audit object access Not Defined

To stop the Windows Firewall/ICS service:

Go to Start -> Run -> services.msc. Find Windows Firewall in the list,
double-click on it, set "Startup type" to "Disabled", and press Stop if it
is running.

Please take your time in trying the suggestion. If there is anything
unclear or any other questions about this issue, please feel free to let me
know. I'm looking forward to your reply.

Thanks & Regards

Amanda Wang[MSFT]

Microsoft Online Partner Support

Get Secure! -


When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.