Group: microsoft.public.windowsxp.security_admin
From: Bo Berglund
Date: Tuesday, March 25, 2008 1:02 PM
Subject: Re: Event log fills up with Failure Audit events (XP-Pro)

On Sat, 22 Mar 2008 08:06:01 -0500, "Shenan Stanley"
wrote:

>Bo Berglund wrote:
>> My Event log continuously fills up with failure audit events of this
>> type:
>>
>> The Windows Firewall has detected an application listening for
>> incoming traffic.
>>
>> Name: -
>> Path: C:\WINDOWS\system32\lsass.exe
>> Process identifier: 1312
>> User account: SYSTEM
>> User domain: NT AUTHORITY
>> Service: Yes
>> RPC server: No
>> IP version: IPv4
>> IP protocol: UDP
>> Port number: 3562
>> Allowed: No
>> User notified: No
>>
>> The strange thing is that I am behind a firewall so Windows Firewall
>> is set to OFF....
>> How can Windows Firewall log events if it is OFF?????
>>
>> And how can I get rid of this nuisance?
>> I am running a fully up to date Symantec Corporate antivirus on this
>> PC.
>
>http://www.eventid.net/display.asp?eventid=861&eventno=4615&source=Security&phase=1
>

I noticed that even if Windows Firewall is set to off it seems to be
active anyway. So I stopped the service and set it for manual start.
Now I don't get nearly as many log entries, but I still have a fair
amount of unuseful entries, like:

A new process has been created:
New Process ID: 4908
Image File Name: C:\Engineering\Projects\Bosse\MailCheck\MailCheck.exe
Creator Process ID: 240
User Name: Bosse
Domain: MYDOMAIN
Logon ID: (0x0,0x1ACAD)


And then after the program exits:

A process has exited:
Process ID: 4908
Image File Name: C:\Engineering\Projects\Bosse\MailCheck\MailCheck.exe
User Name: Bosse
Domain: MYDOMAIN
Logon ID: (0x0,0x1ACAD)

What is the purpose of logging these items?
Again the event log fills up with non-usable entries.
It would have been useful if failures were logged, but why log normal
activity?

And how can I reduce this?



Bo Berglund
