Event ID 861 caused by lsass.exe on many ports. Why is it scanning?

    Question

  • I'm getting repeated entries (every 20 or 30 seconds) in the Security event log from c:\windows\system32\lsass.exe. (Windows Server 2003 R2 SP2).
    The error: "The Windows Firewall has detected an application listening for incoming traffic."
    Path: C:\WINDOWS\system32\lsass.exe, Process identifier: 492, User account: SYSTEM, User domain: NT AUTHORITY, Service: Yes
    RPC server: No, IP version: IPv4, IP protocol: UDP, Port number: 53548, Allowed: No, User notified: No

    The funny thing is, the service seems to be scanning ports. E.g. on 10:26:59 "Port Number" is 53522. On 10:27:20, the port number is 53525. Then, it goes on to 53526, 53527, 53530 and so forth. The Process Identifier (492) and other details remain the same. There seems to be nothing wrong with the server. Some Google entries suggest it is the Sasser worm but I don't think this is the Sasser virus.

    I used "tasklist /svc" in the command prompt and under PID 492, I see "HTTPFilter, PolicyAgent, ProtectedStorage and SamSs".

    Seems that the event log can't help to distinguish which service is raising the events.

    Does anyone have any ideas of how to proceed, or suggestions about this specific event type? Thankful for any advice!
    Saturday, May 09, 2009 2:40 AM
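    As an added illustration (not part of the original thread, and not Microsoft's tooling), the following Python script does the two things the question does by hand: it parses a batch of Event ID 861 records, groups them by image path and PID, and notes whether the ports repeat (one fixed listener) or rise from event to event (a fresh socket each time, as in the 53522, 53525, 53526 sequence above); it then joins the PID to the services hosted in that process from "tasklist /svc" output. The event records and the tasklist output are constructed samples modelled on the ones quoted in the question; "listener.exe", "ExampleSvc" and PID 2000 are invented for contrast, and the "fixed-listener" / "transient-client-sockets" labels are this example's own heuristic, not a rule from the thread. Note that the join only narrows the culprit to the set of services hosted in that PID (here four), which is exactly the limit the question runs into.

```python
"""Triage Event ID 861 ("application listening for incoming traffic") records:
group them by image path and PID, decide whether the ports look like a fixed
listener or a fresh port per event, and join the PID to the services hosted in
that process from 'tasklist /svc' output. All inputs are constructed samples."""
import re
from collections import defaultdict

# Constructed 861 records in the two-line layout quoted in the question, one per
# paragraph in log order. The listener.exe records are invented for contrast.
SAMPLE_861 = """\
Path: C:\\WINDOWS\\system32\\lsass.exe, Process identifier: 492, User account: SYSTEM, User domain: NT AUTHORITY, Service: Yes
RPC server: No, IP version: IPv4, IP protocol: UDP, Port number: 53522, Allowed: No, User notified: No

Path: C:\\WINDOWS\\system32\\lsass.exe, Process identifier: 492, User account: SYSTEM, User domain: NT AUTHORITY, Service: Yes
RPC server: No, IP version: IPv4, IP protocol: UDP, Port number: 53525, Allowed: No, User notified: No

Path: C:\\WINDOWS\\system32\\lsass.exe, Process identifier: 492, User account: SYSTEM, User domain: NT AUTHORITY, Service: Yes
RPC server: No, IP version: IPv4, IP protocol: UDP, Port number: 53526, Allowed: No, User notified: No

Path: C:\\Example\\listener.exe, Process identifier: 2000, User account: SYSTEM, User domain: NT AUTHORITY, Service: Yes
RPC server: No, IP version: IPv4, IP protocol: TCP, Port number: 8080, Allowed: No, User notified: No

Path: C:\\Example\\listener.exe, Process identifier: 2000, User account: SYSTEM, User domain: NT AUTHORITY, Service: Yes
RPC server: No, IP version: IPv4, IP protocol: TCP, Port number: 8080, Allowed: No, User notified: No
"""

# Constructed 'tasklist /svc' output; lsass.exe's service list matches the one
# the question reports, and long lists wrap onto indented continuation lines.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
lsass.exe                      492 HTTPFilter, PolicyAgent, ProtectedStorage,
                                   SamSs
listener.exe                  2000 ExampleSvc
"""
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.+)$")


def parse_861(text):
    """One dict per record; fields are 'Key: Value' items separated by ', '."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for item in block.replace("\n", ", ").split(", "):
            key, _, value = item.partition(":")
            fields[key.strip()] = value.strip()
        records.append({"path": fields["Path"],
                        "pid": int(fields["Process identifier"]),
                        "proto": fields["IP protocol"],
                        "port": int(fields["Port number"])})
    return records


def _names(s):
    return [n.strip() for n in s.split(",") if n.strip()]


def parse_tasklist_svc(text):
    """Map PID -> list of service names, honouring wrapped continuation lines."""
    services, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current is not None:   # wrapped service list
            services[current] += _names(line)
            continue
        m = TASKLIST_ROW.match(line)                      # header/separator: no match
        if m:
            current = int(m.group(2))
            names = _names(m.group(3))
            services[current] = [] if names == ["N/A"] else names
    return services


def classify(ports):
    """Heuristic (this example's assumption, not a rule from the thread): one
    fixed listener reports the same port each time; a process that binds a new
    client socket per outbound query reports a fresh, rising port >= 1024."""
    if len(set(ports)) == 1:
        return "fixed-listener"
    if min(ports) >= 1024 and all(b > a for a, b in zip(ports, ports[1:])):
        return "transient-client-sockets"
    return "mixed"


def summarize(records, services_by_pid):
    """Per (path, pid): protocol, event count, ports in log order, pattern, services."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["path"], r["pid"], r["proto"])].append(r["port"])
    return {(path, pid): {"proto": proto, "events": len(ports), "ports": ports,
                         "pattern": classify(ports),
                         "services": services_by_pid.get(pid, [])}
            for (path, pid, proto), ports in groups.items()}


def triage(events_text=SAMPLE_861, tasklist_text=SAMPLE_TASKLIST):
    """Convenience entry point: parse both inputs and return the summary."""
    return summarize(parse_861(events_text), parse_tasklist_svc(tasklist_text))
```

    Calling triage() on the samples reports lsass.exe (PID 492, UDP) with ports 53522, 53525, 53526 as "transient-client-sockets" hosted by HTTPFilter, PolicyAgent, ProtectedStorage and SamSs, and listener.exe (PID 2000) as a "fixed-listener" on 8080. Because the script works on the exported log rather than on live socket state, it also catches sockets that are gone by the time a live viewer is opened.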

Answers

  • Hi Theodore_J,

    To isolate the root cause of the issue, you may try running the Windows Sysinternals tool called TCPView on the problematic server.

    TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.

    By using TCPView, we can isolate which process is scanning the specific ports on that server. We can right-click on the problematic process and select "Process Properties..." to check the detailed information.



    Download: TCPView for Windows v2.54
    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

    Hope this can be helpful for you.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Monday, May 18, 2009 3:39 AM
    Monday, May 11, 2009 10:10 AM
  • Thank you David, it is a very nice tool. Now the trouble is that the process ID in the event is not among the processes listed in TCPView.
    The event occurs on process ID 896. I can see this in the "classic" Task Manager (Menu > View > Select Columns > Check PID).
    That process runs as NETWORK SERVICE. It's like the service is not "sitting" there, perhaps it just connects instantaneously.

    Some further testing reveals that a few of these events are added when I visit an IIS6 ASP.NET web site.

    Before this event I may also get the following event:

    Failure Audit, Object Access, ID 560, Source: Security:

    Object Open:
         Object Server:    SC Manager
         Object Type:    SERVICE OBJECT
         Object Name:    WinHttpAutoProxySvc
         Handle ID:    -
         Operation ID:    {0,18924315}
         Process ID:    480
         Image File Name:    C:\WINDOWS\system32\services.exe
         Primary User Name:    MYSERVER$
         Primary Domain:    MYDOMAIN
         Primary Logon ID:    (0x0,0x3E7)
         Client User Name:    shareuser
         Client Domain:    MYSERVER
         Client Logon ID:    (0x0,0x120B57F)
         Accesses:    Query status of service
                Start the service
                Query information from service
               
         Privileges:    -
         Restricted Sid Count:    0
         Access Mask:    0x94


    Would this help to determine the cause?

    Hi,

    Thanks for the reply.

    Concerning the Event ID 560, I think the option "Audit: Audit the access of global system objects" on Local Security Policy might be enabled.

    Would you please refer to the following KB articles to apply the hotfix and resolution?

    908473 FIX: A Failure Audit event with event ID 560 appears in the Security log when you enable object auditing in Windows XP or in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;908473

    934016 Availability of Windows Server 2003 Post-Service Pack 2 COM+ 1.5 Hotfix Rollup Package 12
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;934016

    841001 Event IDs 560 and 562 appear many times in the security event log
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;841001

    Hope it helps.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Monday, May 18, 2009 3:39 AM
    Tuesday, May 12, 2009 7:30 AM
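    The Event ID 560 record quoted above is a failure audit on the service object WinHttpAutoProxySvc: the opener is services.exe (the Service Control Manager, running as the machine account), acting for the client "shareuser", and the three requested rights listed under "Accesses" correspond exactly to the Access Mask 0x94. The following Python decoder, added here as an illustration and not taken from the thread or from Microsoft, parses such a record, expands the mask into the winsvc.h service rights, and checks that it agrees with the textual "Accesses" lines. The record is reconstructed from the one in the thread; the phrase-to-bit table covers only the three phrases that appear there.

```python
"""Decode the Access Mask of a Security Event ID 560 record for a SERVICE OBJECT
into named service rights, and cross-check it against the 'Accesses' lines the
event lists. The record below is constructed from the one quoted in the thread."""
import re

# Service-specific access rights (winsvc.h values), plus the standard rights
# that may also appear in a service access mask.
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# Wording the 560 event uses for each right. Only the three phrases that appear
# in the thread's record are listed; extend the table from your own logs.
AUDIT_PHRASES = {
    "Query status of service": 0x0004,
    "Start the service": 0x0010,
    "Query information from service": 0x0080,
}

# Constructed from the record quoted in the thread.
SAMPLE_560 = """\
Object Open:
     Object Server:    SC Manager
     Object Type:    SERVICE OBJECT
     Object Name:    WinHttpAutoProxySvc
     Handle ID:    -
     Operation ID:    {0,18924315}
     Process ID:    480
     Image File Name:    C:\\WINDOWS\\system32\\services.exe
     Primary User Name:    MYSERVER$
     Primary Domain:    MYDOMAIN
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    shareuser
     Client Domain:    MYSERVER
     Client Logon ID:    (0x0,0x120B57F)
     Accesses:    Query status of service
            Start the service
            Query information from service

     Privileges:    -
     Restricted Sid Count:    0
     Access Mask:    0x94
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_560(text):
    """'Key: Value' lines into a dict; 'Accesses' collects its wrapped lines."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            fields[key] = [value] if key == "Accesses" else value
        elif key == "Accesses" and line.strip():     # continuation of Accesses
            fields[key].append(line.strip())
    return fields


def decode_access_mask(mask):
    """Names of the rights set in mask, lowest bit first; unknown bits are
    reported in hex so nothing is silently dropped."""
    names, leftover = [], mask
    for bit, name in sorted(SERVICE_RIGHTS.items()):
        if mask & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names


def mask_from_phrases(phrases):
    """Rebuild the mask from the textual 'Accesses' list."""
    mask = 0
    for p in phrases:
        mask |= AUDIT_PHRASES[p]       # KeyError flags a phrase not in the table
    return mask


def check_record(text):
    """Decode the record and confirm its mask agrees with its Accesses lines."""
    rec = parse_560(text)
    mask = int(rec["Access Mask"], 16)
    return {"object": rec["Object Name"], "client": rec["Client User Name"],
            "opener": rec["Image File Name"], "mask": mask,
            "rights": decode_access_mask(mask),
            "consistent": mask_from_phrases(rec["Accesses"]) == mask}
```

    For the record above, check_record returns SERVICE_QUERY_STATUS, SERVICE_START and SERVICE_INTERROGATE for mask 0x94 and reports the textual list as consistent. In practice this is the quick way to read what a client was denied (here, among other things, the right to start the service) before deciding whether the audit is the spurious kind the KB articles describe or a genuine access-control denial worth following up.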

All replies

  • Thank you David, it is a very nice tool. Now the trouble is that the process ID in the event is not among the processes listed in TCPView.
    The event occurs on process ID 896. I can see this in the "classic" Task Manager (Menu > View > Select Columns > Check PID).
    That process runs as NETWORK SERVICE. It's like the service is not "sitting" there, perhaps it just connects instantaneously.

    Some further testing reveals that a few of these events are added when I visit an IIS6 ASP.NET web site.

    Before this event I may also get the following event:

    Failure Audit, Object Access, ID 560, Source: Security:

    Object Open:
         Object Server:    SC Manager
         Object Type:    SERVICE OBJECT
         Object Name:    WinHttpAutoProxySvc
         Handle ID:    -
         Operation ID:    {0,18924315}
         Process ID:    480
         Image File Name:    C:\WINDOWS\system32\services.exe
         Primary User Name:    MYSERVER$
         Primary Domain:    MYDOMAIN
         Primary Logon ID:    (0x0,0x3E7)
         Client User Name:    shareuser
         Client Domain:    MYSERVER
         Client Logon ID:    (0x0,0x120B57F)
         Accesses:    Query status of service
                Start the service
                Query information from service
               
         Privileges:    -
         Restricted Sid Count:    0
         Access Mask:    0x94


    Would this help to determine the cause?
    Monday, May 11, 2009 10:25 AM
  • Hi, I am having the exact same problem, does anyone know what this is?
    I am getting 10 logs per second:
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Detailed Tracking
    Event ID: 861
    Date:  14/07/2009
    Time:  14:40:33
    User:  NT AUTHORITY\SYSTEM
    Computer: blabla
    Description:
    The Windows Firewall has detected an application listening for incoming traffic.
     
    Name: -
    Path: C:\WINDOWS\system32\lsass.exe
    Process identifier: 496
    User account: SYSTEM
    User domain: NT AUTHORITY
    Service: Yes
    RPC server: No
    IP version: IPv4
    IP protocol: UDP
    Port number: 60200
    Allowed: No
    User notified: No

    can anyone help with this?

    Thanks

    Shaggy

    Tuesday, July 14, 2009 1:58 PM
  • I'm having the EXACT same issue on a number of my Company's Workstations. Did anyone find a solution?
    Wednesday, February 17, 2010 9:16 AM
  • My Company Domain Workstations are also getting the Security logs filled with Event ID 861.

    They are all coming from Windows Firewall, and all seem to be from either SVCHOST.EXE or LSASS.EXE.

    Is there a solution or a Windows Firewall setting to resolve this?

    Thursday, June 03, 2010 12:02 PM