Re: Event 861 fills event log on newly built Domain Controller
- From: "Danny Sanders" <DSanders@xxxxxxxxxxxxxxx>
- Date: Tue, 16 Dec 2008 11:02:16 -0700
See:
http://eventid.net/display.asp?eventid=861&eventno=4615&source=Security&phase=1
hth
DDS
"Mygposts" <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C1A56DF1-FA84-431B-B7B1-75A539F12859@xxxxxxxxxxxxxxxx
I reenabled the firewall service and the logged events came back. This is
the info:
Can you tell why this scary warning message is being logged?
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 12/16/2008
Time: 9:39:18 AM
User: NT AUTHORITY\SYSTEM
Computer: ---
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 836
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: Yes
IP version: IPv4
IP protocol: TCP
Port number: 135
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Then I ran the command again and found the process 836
svchost.exe 836 AeLookupSvc, AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
                dmserver, EventSystem, helpsvc, lanmanserver,
                lanmanworkstation, Netman, Nla, Schedule, seclogon, SENS,
                SharedAccess, ShellHWDetection, winmgmt, wuauserv, WZCSVC
"Jorge Silva" wrote:
Hi
Go to cmd and type:
Tasklist /svc
Identify the PID 772 (should be the svchost) then under svchost you should
have the child processes that are running under that process, the next step
is to isolate the process that is causing that event, and then identify why
that is happening.
Let us know the results.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"MyGposts" <mygposts@xxxxxxxxx> wrote in message
news:a32346e7-d1f5-486c-99f0-beae5d80cb46@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
He just built a new Server 2003 member server, made it a DNS server,
promoted it to a domain controller, then installed antivirus.
Shortly after promoting it to a domain controller, the log started
filling up with event 861.
It says:
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 12/15/2008
Time: 2:02:12 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: ---
Description:
The Windows Firewall has detected an application listening for
incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 772
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 59798
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
There are different paths and process identifiers; they are not all
svchost.exe, some are lsass.exe.
What could this be?
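
The correlation suggested in the thread (take the process identifier from each Event 861 and look up which services that svchost.exe instance hosts in the `tasklist /svc` output), as an added example that is not part of the original posts. The function names are hypothetical, and the sample inputs are constructed from values quoted in the thread, trimmed to the fields the code reads.

```python
import re
from collections import Counter
# Constructed sample: the thread's two Event 861 descriptions, trimmed to the fields used.
EVENTS = r"""
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 836
IP protocol: TCP
Port number: 135
Allowed: No

Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 772
IP protocol: UDP
Port number: 59798
Allowed: No
"""
# Constructed sample: the thread's tasklist /svc row for PID 836, shortened, with a wrapped line.
TASKLIST = """\
svchost.exe                  836 AeLookupSvc, AppMgmt, BITS,
                                 SharedAccess, winmgmt, wuauserv
"""

def parse_events(text):
    """Return one dict of 'Field: value' pairs per blank-line-separated event."""
    events = [dict(l.strip().split(": ", 1) for l in b.splitlines() if ": " in l)
              for b in re.split(r"\n\s*\n", text.strip())]
    return [e for e in events if e]

def parse_tasklist(text):
    """Map PID -> service names, joining wrapped continuation lines onto the row above."""
    services, pid = {}, None
    for line in text.splitlines():
        row = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)  # image name, PID, services
        if row:
            pid, line = int(row.group(2)), row.group(3)
        if pid is not None:  # header lines before the first row are skipped
            names = [s.strip() for s in line.split(",")]
            services.setdefault(pid, []).extend(n for n in names if n not in ("", "N/A"))
    return services

def blocked_listeners(events, services):
    """Group 'Allowed: No' listeners by PID/image/protocol/port and attach the hosted
    services; an empty list means the PID is not in this tasklist snapshot."""
    counts = Counter((int(e["Process identifier"]), e["Path"].rsplit("\\", 1)[-1], e["IP protocol"],
                      int(e["Port number"])) for e in events if e.get("Allowed") == "No")
    return [dict(pid=p, image=i, proto=pr, port=po, events=n, services=services.get(p, []))
            for (p, i, pr, po), n in sorted(counts.items())]

if __name__ == "__main__":
    for row in blocked_listeners(parse_events(EVENTS), parse_tasklist(TASKLIST)):
        print(row)
```

PIDs change when a service host restarts, so the `tasklist /svc` snapshot should be taken while the events are still being logged.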