JeremyNicoll 78 Posted July 10, 2013

XP Pro SP3 etc. My Security Event log shows typically between 2 and 6 event log records per second, all created - it seems - by the Windows Firewall. Examples are

----------
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 10/07/2013
Time: 11:01:26
User: NT AUTHORITY\NETWORK SERVICE
Computer: DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1124
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 52814
Allowed: No
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------

Looking at a few seconds' worth, these are all for the same pid. Just at the moment, pid 1124 is executing

C:\WINDOWS\System32\svchost.exe -k NetworkService

SysInternals' ProcExp tells me that this is running: dnsrslvr.dll - I assume that's the DNS resolver. This event is described as a "Failure Audit" and I also see "Allowed: No" - which strongly suggests Windows Firewall blocked something. Why is Windows Firewall doing anything at all? On this system OA started at boot, which was approx 10:15.

Much less often - once per minute - I see

----------
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 10/07/2013
Time: 11:03:01
User: DELL-650\Administrator
Computer: DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: AboutTime client/server
Path: C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
Process identifier: 2260
User account: Administrator
User domain: DELL-650
Service: No
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1658
Allowed: Yes
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------

- which is caused by a once-per-minute NNTP time check being executed by:

C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe

... but I still don't understand why Windows Firewall is reporting this. AboutTime was started at 10:42 - well after the system was booted, and certainly well after OA started at 10:15.
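The records above are exactly the kind of thing worth summarising before asking "which process, which ports, how often?". The following is an added example, not code from the thread or from Online Armor: it parses event 861 records in the one-field-per-line layout Event Viewer exports (and that the poster pasted), then groups them by process and measures the per-second burst. The sample log is constructed to mirror the two records in the post; the extra pids, ports and times are made-up values, and the `----------` separators between records are the poster's own convention, not something Event Viewer emits.

```python
"""Summarise Windows XP Security-log event 861 records ("The Windows Firewall has
detected an application listening for incoming traffic").

Added example, not from the forum thread. SAMPLE_LOG is constructed: it copies
the field layout of the poster's records, but the repeated svchost entries
(ports 52814-52818) and the extra event 592 record are invented sample data.
"""
import re
from collections import Counter, defaultdict

# One record in the layout Event Viewer's "Copy" produces on XP (constructed).
RECORD_TEMPLATE = r"""Event Type: {etype}
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 10/07/2013
Time: {time}
User: {domain}\{user}
Computer: DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: {name}
Path: {path}
Process identifier: {pid}
User account: {user}
User domain: {domain}
Service: {service}
RPC server: No
IP version: IPv4
IP protocol: {proto}
Port number: {port}
Allowed: {allowed}
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""


def _svchost(time, port):
    """A 'Failure Audit' 861 for the NetworkService svchost (constructed sample)."""
    return RECORD_TEMPLATE.format(etype="Failure Audit", time=time, domain="NT AUTHORITY",
                                  user="NETWORK SERVICE", name="-",
                                  path=r"C:\WINDOWS\system32\svchost.exe", pid=1124,
                                  service="Yes", proto="UDP", port=port, allowed="No")


# An unrelated Detailed Tracking record (event 592, process creation) so the
# filter below is exercised against something that is not an 861.
OTHER_RECORD = """Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 10/07/2013
Time: 11:01:25
User: DELL-650\\Administrator
Computer: DELL-650
Description:
A new process has been created:
"""

SAMPLE_LOG = "\n----------\n".join([
    _svchost("11:01:26", 52814), _svchost("11:01:26", 52815),
    _svchost("11:01:26", 52816), _svchost("11:01:26", 52817),
    _svchost("11:01:27", 52818),
    RECORD_TEMPLATE.format(etype="Success Audit", time="11:03:01", domain="DELL-650",
                           user="Administrator", name="AboutTime client/server",
                           path=r"C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe",
                           pid=2260, service="No", proto="UDP", port=1658, allowed="Yes"),
    OTHER_RECORD,
])

# "Field name: value"; message text and the "For more information, ..." line do not match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):\s*(.*)$")


def parse_records(text):
    """Split exported Event Viewer text into one dict of field -> value per record."""
    records = []
    for chunk in text.split("----------"):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            records.append(fields)
    return records


def listen_events(records, allowed=None):
    """Only event 861 records; optionally only those with Allowed == 'Yes' or 'No'."""
    return [r for r in records
            if r.get("Event ID") == "861" and (allowed is None or r.get("Allowed") == allowed)]


def listeners_by_process(records):
    """Group 861 records by (Path, pid): record count, (protocol, port) pairs, Allowed values."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "allowed": set()})
    for r in listen_events(records):
        g = groups[(r.get("Path"), r.get("Process identifier"))]
        g["count"] += 1
        g["ports"].add((r.get("IP protocol"), r.get("Port number")))
        g["allowed"].add(r.get("Allowed"))
    return dict(groups)


def peak_per_second(records):
    """Most 861 records sharing one Date+Time stamp: the 'N per second' rate the poster saw."""
    c = Counter((r.get("Date"), r.get("Time")) for r in listen_events(records))
    return max(c.values(), default=0)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(listen_events(recs))} are event 861, "
          f"{len(listen_events(recs, 'No'))} of them 'Allowed: No'; peak {peak_per_second(recs)}/s")
    for (path, pid), g in listeners_by_process(recs).items():
        print(f"{path} (pid {pid}): {g['count']} records, ports {sorted(g['ports'])}, "
              f"allowed={sorted(g['allowed'])}")
```

Run it against a real export by replacing `SAMPLE_LOG` with the contents of a file saved from Event Viewer (Save Log File As, text format), inserting `----------` between records as the poster did, or adapt `parse_records` to split on whatever delimiter your export uses. A process whose pid keeps changing between records is a different diagnosis from one pid cycling through ephemeral ports, which is why the grouping key includes the pid.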
Fabian Wosar 390 Posted July 10, 2013

Usually the Windows Firewall is disabled by Online Armor automatically and turned back on only if you close Online Armor. It could be that one of your other applications turned it on again, or that disabling it somehow failed during the Online Armor start-up. In both cases I would suggest just disabling it yourself manually.
JeremyNicoll 78 Posted July 10, 2013

Hmm. OA is on, at least according to its log. According to the Windows Security Centre, the firewall that's on is OA.

Via Control Panel - Admin Tools - Services, I see that "Windows Firewall/Internet Connection Sharing" is Started, both on the machine that's generating the Event records, and also on an XP Home machine I have, which is not generating equivalent records.

I think I'd want to know more about this - is it normal for the service to be Started, so that it's there to take over if OA is shut down? Do other XP users of OA also have their Windows Firewall Service started? If it's meant to be disabled, and isn't - or isn't fully disabled - how can I help you find out why?
Fabian Wosar 390 Posted July 10, 2013

We disable the firewall component using the official Windows APIs. That does not mean that we stop or mess with the firewall service, as doing that could interfere in cases where people use the Windows internet connection sharing features. So it is completely normal that the service is still running.

If you want to check whether the Windows firewall is enabled or not you can use the following netsh command:

netsh firewall show state

If Online Armor is running, Operational mode should be Disable. If you close Online Armor, it should switch to Enable. If it is enabled even with Online Armor running, someone is turning it on again after Online Armor turns it off. If it is disabled and there are still event log entries, chances are it's a bug in the Windows firewall. In those cases you may want to contact Microsoft.
JeremyNicoll 78 Posted July 10, 2013

Thank-you. It does seem to be disabled; the response from that command (in case anyone else is interested, or wants to compare what they see) is

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
13     TCP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
37     TCP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
37     UDP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
17500  UDP       IPv4     C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
17500  TCP       IPv4     C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
445    TCP       IPv4     (null)
4588   UDP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe

I hope the second part of the display - the "Ports currently open" part - doesn't mean those ports are under Windows Firewall's control, and is just a list of network activity on this machine now... I'll see if I can find out what "Exception mode" and "Notification mode" mean.
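The check Fabian suggests (is Operational mode "Disable" while the third-party firewall is running?) is easy to script once the `netsh firewall show state` text is parsed. The block below is an added example, not code from the thread or from Emsisoft: it parses the XP-era `netsh firewall` output into the settings block and the open-port table, reports whether the firewall is operationally disabled, and lists ports with no owning program ("(null)" entries, which on this machine are the NetBIOS/SMB ports 137, 138, 139 and 445 and the UPnP port 2869). `SAMPLE_STATE` is a constructed copy of the output pasted above; `live_state()` runs the real command and only makes sense on XP/2003, since later Windows versions replaced the `netsh firewall` context with `netsh advfirewall`.

```python
"""Parse 'netsh firewall show state' (Windows XP SP2/SP3 netsh context) and check
the state the thread is interested in.

Added example, not from the forum thread. SAMPLE_STATE reproduces the poster's
pasted output; nothing else here is taken from the thread.
"""
import re
import subprocess

SAMPLE_STATE = r"""
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
13     TCP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
37     TCP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
37     UDP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
17500  UDP       IPv4     C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
17500  TCP       IPv4     C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
445    TCP       IPv4     (null)
4588   UDP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe
"""

KV_RE = re.compile(r"^(.+?)\s*=\s*(.*)$")                       # "Operational mode = Disable"
PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(IPv4|IPv6)\s+(.*)$")  # one open-port table row


def parse_netsh_state(text):
    """Return {'settings': {name: value}, 'ports': [{port, protocol, version, program}, ...]}."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "protocol": m.group(2),
                          "version": m.group(3), "program": m.group(4).strip()})
            continue
        m = KV_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return {"settings": settings, "ports": ports}


def firewall_is_disabled(state):
    """True when the packet-filtering component is off (what a third-party firewall wants)."""
    return state["settings"].get("Operational mode", "").lower() == "disable"


def ports_without_program(state):
    """(protocol, port) pairs netsh could not tie to a program, e.g. kernel-mode listeners."""
    return sorted((p["protocol"], p["port"]) for p in state["ports"] if p["program"] == "(null)")


def ports_by_program(state):
    """Map each program path to the sorted (protocol, port) pairs it has open."""
    out = {}
    for p in state["ports"]:
        out.setdefault(p["program"], []).append((p["protocol"], p["port"]))
    return {prog: sorted(pairs) for prog, pairs in out.items()}


def live_state():
    """Run the real command (XP/2003 only; Vista and later use 'netsh advfirewall')."""
    out = subprocess.run(["netsh", "firewall", "show", "state"],
                         capture_output=True, text=True, check=True).stdout
    return parse_netsh_state(out)


if __name__ == "__main__":
    st = parse_netsh_state(SAMPLE_STATE)
    print("Operational mode =", st["settings"].get("Operational mode"),
          "(disabled)" if firewall_is_disabled(st) else "(ENABLED: something re-enabled it)")
    print("Ports with no owning program:", ports_without_program(st))
    for prog, pairs in ports_by_program(st).items():
        print(f"  {prog}: {pairs}")
```

On a machine running Online Armor, `firewall_is_disabled(live_state())` should be True; if it is False, something has re-enabled the Windows Firewall after OA turned it off, which is the case Fabian distinguishes from a logging bug.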
JeremyNicoll 78 Posted July 10, 2013

Googling, I've found other people asking the same question about Event Log records being generated even when WF is disabled, but no answers. There's lots of info about how WF works at:

http://technet.microsoft.com/en-us/library/bb457029.aspx

including a list of which Event log records are generated in which cases, but not explaining how one might turn these off, nor why a disabled WF is still monitoring anything at all.

Control Panel - Windows Firewall ... opens a dialog allowing one to configure the thing; I have found that I must have seen some of this before because I find I have defined 'Exceptions', i.e. rules to allow some kinds of traffic. I also find, in the Advanced pane of this dialog where one can configure a WF log - at C:\Windows\pfirewall.log - that it was last recording traffic in March 2013, which is when I uninstalled ZoneAlarmPro and started playing with OA. (Incidentally I found I could not open pfirewall.log to read it until I'd copied it elsewhere AND renamed the copied file to something else.)

The first pane on the WF config dialog says that 'Exceptions' (i.e. user-created firewall rules) are a bad idea if one's on a public network. Although this dialog shows that my WF is disabled, that does not prevent one from using the Exceptions or Advanced tabs to see what would be allowed/blocked if the WF was enabled.

Exception mode - enable/disable - seems to correspond to the Control Panel - Windows Firewall - main pane option (if the WF is on) whether Exceptions are to be allowed.

Notification mode - seems to match whether or not one has ticked the "Display a notification when WF blocks a program" option on the WF Exceptions tab. Presumably such a notification is a pop-up, and has nothing to do with the Event logs I'm seeing.
Fabian Wosar 390 Posted July 11, 2013

> I have found that I must have seen some of this before because I find I have defined 'Exceptions', i.e. rules to allow some kinds of traffic.

Not necessarily. The Windows firewall rules are pretty much unprotected. So plenty of applications will just add themselves to ensure they are working correctly.
JeremyNicoll 78 Posted July 11, 2013

I've read that I might be able to suppress the 861 event log records by turning off the "audit process tracking" option in my Local Security Policy (something one can only do in XP /Pro/ of course). However, as that flag also controls whether the event logs show process (pid) creation, exit etc., and I find those records really useful for chasing other problems, I won't be turning that off.

I'm guessing that the reason I'm not seeing the 861s in an XP Home system I have is that although that machine does have a Security log, I have no control over the sorts of records being written to it; it also doesn't contain any records for process creation/exit etc.