Opening Windows Firewall for specific services

Hello -

I have a number of workstations on my domain that are logging recurring Event ID 861 (Failure Audit) in their Security Event Logs.  I have this auditing enabled on my domain deliberately as an aid in tracking down rogue services and so forth.  Here is one sample event log entry:

-----------------------------------------------------------
Event Type:  Failure Audit
Event Source:  Security
Event ID:  861
User:  NT AUTHORITY\SYSTEM
Description:  The Windows Firewall has detected an application listening for incoming traffic.
 
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 2160
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 19600
Allowed: No
User notified: No
-----------------------------------------------------------

I know this PID to be the instance of svchost.exe that is running the Windows Image Acquisition (WIA) service:

-----------------------------------------------------------
C:\>tasklist /svc /fi "pid eq 2160"

Image Name  PID  Services
svchost.exe  2160  stisvc

C:\>
-----------------------------------------------------------

Disabling the workstations' Windows Firewall is not an available option.  Disabling these failure audits on the domain or the workstations is not an option, as I need those in place for other reasons.  Disabling the WIA service is also not an option, as our workstations are actually using that service.  The WIA service is called by svchost.exe -k imgsvc, which is in the stisvc group (hence the tasklist info), and calls %windir%\system32\wiaservc.dll to startup; I have tried adding that dll file to the allowed programs list in the Windows Firewall, but I continue to receive the failure audits.  There does not seem to be consistent port utilization by WIA, nor can I find a way to configure WIA to only use specific ports, so I am not sure if I can open particular ports to allow this.

finally, a netstat -anbov shows me the following about the particular PID that is running stisvc:

-----------------------------------------------------------
C:\>netstat -anbov
<---snip--->
 UDP    0.0.0.0:54925          *:*                                    2160
 C:\WINDOWS\system32\WS2_32.dll
 C:\WINDOWS\system32\BrNetSti.dll
 -- unknown component(s) --
 C:\WINDOWS\system32\DNSAPI.dll
 -- unknown component(s) --
 C:\WINDOWS\system32\RPCRT4.dll
<---snip--->
-----------------------------------------------------------

That UDP port will vary over time, so opening that will not help.  I am also frankly unsure if allowing dlls in the firewall has any effect at all, so I have not yet tried to add these particular dll files to my allowed list, but beyond that, I am not sure what else to try.

Please help!


MY GOAL:
configure Windows Firewall in such a way that these Failure Audits stop appearing in our security logs (it's wreaking havoc on my monitoring software).

MY CAVEATS:
* must leave windows firewall enabled.
* must leave these audit types enabled.
* must leave WIA enabled.

If I could offer more than 500 points for this I would gladly do so - it is very important that I get this resolved, and I am at my wits end here.  I expect that the solution for this will ultimately assist with other things as well, as I have seen a few other failure audits for other svchost.exe services (but to a much lesser extent than the stisvc).

thanks very much!