locked
Define a Firewall Exception for SVCHOST.EXE RRS feed

  • Question

  • I have multiple Windows XP Professional workstations with SP3.  My security event logs are filling up with the following audit failure events (dozens logging every few seconds)...

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Detailed Tracking
    Event ID: 861
    Date: 5/22/2011
    Time: 10:38:01 AM
    User: NT AUTHORITY\LOCAL SERVICE
    Computer: XXXXXXXXXX
    Description:
    The Windows Firewall has detected an application listening for incoming traffic.

    Name: -
    Path: C:\WINDOWS\system32\svchost.exe
    Process identifier: 38888
    User account: LOCAL SERVICE
    User domain: NT AUTHORITY
    Service: Yes
    RPC server: No
    IP version: IPv4
    IP protocol: UDP
    Port number: 2169
    Allowed: No
    User notified: No

    The port number changes from event to event. Looking up the PID, I identified the actual process that's causing this as the "Pml Driver HPZ12" service.  The service is part of the HP Photosmart drivers package for my printer.  This particular service allows bi-directional communication in order to monitor things like ink level, paper out, etc.  The service is launched via the following command line...

    C:\WINDOWS\System32\svchost.exe -k HPZ12

    I tried to add a firewall exception for HPZipm12.dll but that didn't help. I don't really want to but the firewall won't let me add svchost.exe as an exception anyway.  It comes back with a "Windows Firewall cannot add 'svchost.exe' to the list of exceptions." message.

    I don't want to turn off failure auditing but even if I did, the constant firewall activity is still taking up CPU cycles.

    Any suggestions on how to stop these events from logging without sacrificing printer functionality?

    Thanks.
    Monday, May 23, 2011 8:51 AM