HELP! "Firewall has detected an application listening for incoming traffic." Event ID# 861  lsass.exe

Posted on 2005-07-26
Last Modified: 2011-08-18
I just got in some new Dell Optiplexes preinstalled with Win XP Pro SP2.  They are identical.  I have joined the computers to the domain.  The only software they have installed is ISA Firewall client, Symantec AV, Lotus Notes, Adobe Reader, Windows XP, Office 2003.  All of those programs work fine.  Computers correctly locate the proxy server, update their definitions, talk to the server, launch Lotus Notes, etc.  But on all of them I keep getting this error en masse.  It appears over and over again, filling up the logs.   I know it's not a trojan or virus, these are brand new machines.  I'd like to keep the XP firewall turned on, if possible.  Any help is truly appreciated.

Event ID# 861
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 700
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4299
Allowed: No
User notified: No

For more information, see Help and Support Center at
Question by:bctek

Expert Comment

ID: 14535024
Hi bctek,

If you run Dell OMCC (Dell OpenManage Client Connector (OMCC)), you have to allow the remote administration service in the firewall.
Just type the command below at the Command Prompt:
netsh firewall set service RemoteAdmin

Hope this helps.

Author Comment

ID: 14552125
Doesn't work, tried it.  I opened up a new Dell and this time watched the event log with each step.  The error message begins filling up the security log the instant I join the computer to the domain.

I power up the new Dell with XP SP2.  FW turned on.   No security messages.  Join to domain and they all begin to start.  This is before I install a single piece of software.

Assisted Solution

reffandy earned 150 total points
ID: 14552269
Hi bctek,

Could you paste the firewall state here? Run
netsh firewall show state verbose=enable
at the Command Prompt.

LVL 23

Accepted Solution

Tim Holman earned 350 total points
ID: 14553400
Use a netsh script on each machine:

netsh firewall add allowedprogram program=C:\WINDOWS\system32\lsass.exe name=LSASS

This will allow lsass.exe outbound, and will get rid of these messages.
Maybe put this in a login script to make things easier?
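
Before adding an exception for every machine, it helps to see which binaries, protocols and ports the 861 events actually name. The following is an added example, not part of the original thread: it parses exported Event 861 descriptions in the layout quoted in the question and groups them. The `EXPECTED` path list, the helper names and every sample event other than the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

HEADER = ("The Windows Firewall has detected an application "
          "listening for incoming traffic.")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
# Assumption: the only binary we expect under this name is the system copy.
EXPECTED = {r"c:\windows\system32\lsass.exe"}

def parse_861(text):
    """Return one dict of lower-cased field names per Event 861 description."""
    events, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line == HEADER:
            current = {}
            events.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return events

def summarize(events):
    """Group by (path, protocol, allowed); count events and collect ports."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for ev in events:
        key = (ev.get("path", "?").lower(), ev.get("ip protocol", "?"),
               ev.get("allowed", "?"))
        groups[key]["count"] += 1
        port = ev.get("port number", "")
        if port.isdigit():
            groups[key]["ports"].add(int(port))
    return groups

def unexpected(groups, expected=EXPECTED):
    """Groups whose image path is not on the expected list: review these first."""
    return sorted(k for k in groups if k[0] not in expected)

def _event(path, proto, port):
    """Build one constructed description in the layout quoted in the question."""
    return (f"{HEADER}\nName: -\nPath: {path}\nProcess identifier: 700\n"
            f"User account: SYSTEM\nIP version: IPv4\nIP protocol: {proto}\n"
            f"Port number: {port}\nAllowed: No\nUser notified: No\n\n")

# Constructed sample: the first event mirrors the question; the others are invented.
SAMPLE = (_event(r"C:\WINDOWS\system32\lsass.exe", "UDP", 4299)
          + _event(r"C:\WINDOWS\system32\lsass.exe", "UDP", 4301)
          + _event(r"C:\Example\placeholder.exe", "TCP", 5000))

if __name__ == "__main__":
    groups = summarize(parse_861(SAMPLE))
    for key, info in groups.items():
        print(key, info["count"], sorted(info["ports"]))
    print("review:", unexpected(groups))
```
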

Expert Comment

ID: 23742684
Hi all, I've found this answer in a forum. Hope it could be useful.

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Hi J,

Just as the post 27753650 Event ID 861 - OUTLOOK11.EXE Firewall issue.
They are all related to Windows Firewall.

For your convenience, I'll paste it as follows:

Based on my research, even though Windows XP firewall is "turned off", the
service is still running. If your security auditing policy includes
auditing of failures for "audit process tracking", your security event logs
will be filling up quickly. If you want the events to go away, the only
solutions I have found so far are to turn off the auditing or to stop the
Windows Firewall/ICS service.

To turn off the auditing:

The Default Domain Policy was configured to push the following changes
Configuration->Windows Settings->Security Settings->Local Policies/Audit

Policy                            Setting
Audit account logon events        Failure
Audit account management          Success, Failure
Audit directory service access    Failure
Audit logon events                Success, Failure
Audit object access               Success, Failure
Audit policy change               Success, Failure
Audit privilege use               Failure
Audit system events               Failure

I recommended the following changes:

Policy                            Setting
Audit policy change               Not Defined
Audit privilege use               Not Defined
Audit object access               Not Defined

To stop the Windows Firewall/ICS service:

Go to Start -> Run -> services.msc. Find Windows Firewall in the list,
double-click on it, set "Startup type" to "Disabled", and press Stop if it
is running.

Please take your time in trying the suggestion. If there is anything
unclear or any other questions about this issue, please feel free to let me
know. I'm looking forward to your reply.

Thanks & Regards

Amanda Wang[MSFT]

Microsoft Online Partner Support

Get Secure! -


When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

