Go Premium for a chance to win a PS4. Enter to Win


HELP! "Firewall has detected an application listening for incoming traffic." Event ID# 861  lsass.exe

Posted on 2005-07-26
Medium Priority
Last Modified: 2011-08-18
I just got in some new Dell Optiplexes preinstalled with Win XP Pro SP2.  They are identical.  I have joined the computers to the domain.  The only software they have installed is ISA Firewall client, Symantec AV, Lotus Notes, Adobe Reader, Windows XP, Office 2003.  All of those programs work fine.  Computers correctly locate the proxy server, update their definitions, talk to the server, launch lotus notes, etc.  But on all of them I keep getting this error en-masse.  It appears over and over again, filling up the logs.   I know its not a trojan or virus, these are brand new machines.  I'd like to keep the XP firewall turned on, if possible.  Any help is truly appreciated.

Event ID# 861
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 700
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4299
Allowed: No
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:bctek

Expert Comment

ID: 14535024
Hi bctek,

If you run Dell OMCC (Dell OpenManage Client Connector (OMCC)), you have to allow remote administration service in firewall.
just type the command below on Command Prompt,
netsh firewall set service RemoteAdmin

Hope this help

Author Comment

ID: 14552125
doesn't work, tried it.  I opened up a new dell and this time watched the event log with each step.  The error message begins filling up the security log the instant I join the computer to the domain.  

I power up the new dell with XP SP2.  FW turned on.   No security messages.  Join to domain and they all begin to start.  This is before I install a single piece of software

Assisted Solution

reffandy earned 600 total points
ID: 14552269
Hi bctek,

Could paste here firewall state, run
netsh firewall show state verbose=enable
on Command prompt.

LVL 23

Accepted Solution

Tim Holman earned 1400 total points
ID: 14553400
Use a netsh script on each machine:

netsh firewall add allowedprogram LSASS \ C:\WINDOWS\system32\lsass.exe

This will allow lsass.exe outbound, and will get rid of these messages.
Maybe put this in a login script to make things easier?

Expert Comment

ID: 23742684
Hi all, I've found this answer in a forum. hope it could be useful.

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Hi J,

Just as the post 27753650 Event ID 861 - OUTLOOK11.EXE Firewall issue.
They are all related to Windows Firewall.

For your convenience, I'll pasted as following:

Based on my research, even though Windows XP firewall is "turned off", the
service is still running. If your security auditing policy includes
auditing of failures for "audit process tracking", your security event logs
will be filling up quickly. If you want the events to go away, the only
solutions I have found so far are to turn off the auditing or to stop the
Windows Firewall/ICS service.

To turn off the auditing:

The Default Domain Policy was configured to push the following changes
Configuration->Windows Settings->Security Settings->Local Policies/Audit

Policy Setting
Audit account logon events Failure
Audit account management Success, Failure
Audit directory service access Failure
Audit logon events Success, Failure
Audit object access Success, Failure
Audit policy change Success, Failure
Audit privilege use Failure
Audit system events Failure

I recommended the following changes:

Policy Setting
Audit policy change Not Defined
Audit privilege use Not Defined
Audit object access Not Defined

To stop the Windows Firewall/ICS service:

Go to Start -> Run -> services.msc. Find Windows Firewall in the list,
double-click on it, set "Startup type" to "Disabled", and press Stop if it
is running.

Please take your time in trying the suggestion. If there is anything
unclear or any other questions about this issue, please feel free to let me
know. I'm looking forward to your reply.

Thanks & Regards

Amanda Wang[MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security


When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.


Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes you might need to configure routing based not only on destination IP address, but also on a combination of destination IP address (or hostname) and destination port number. I will describe a method how to accomplish this with free tools. …
A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question