Windows Security Log Event ID 861

Operating Systems: Windows 2003 and XP
Category: Process Tracking
Type: Success
Corresponding events in Windows 2008 and Vista: 5154, 5155

861: The Windows Firewall has detected an application listening for incoming traffic


This event documents applications that request to open UDP or TCP ports in listening mode and whether the request was allowed.


Description Fields in 861

  • Name: the name of the application
  • Path: full path name of the program listening for incoming traffic
  • Process identifier: PID of process - same as in event ID 592 and in Task Manager
  • User account: user account the process is running as
  • User domain: domain of user account
  • Service: Yes or No - is the application a system service?
  • RPC server: Yes or No - is it on an RPC server?
  • IP version: IPv4  or IPv6
  • IP protocol: UDP or TCP 
  • Port number: self-explanatory
  • Allowed: Yes or No - did Windows allow the application to open the port?
  • User notified: Yes or No - did Windows notify user with a dialog box?



Examples of 861

The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 428
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4500
Allowed: Yes
User notified: No
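
A parser and triage check for the 861 description text shown above, added here as an example (not code from the original page). The baseline of expected listeners and the triage rules are assumptions for illustration, and the second event is constructed by altering the page's example.

```python
# Field labels as listed under "Description Fields in 861".
BOOL_FIELDS = {"Service", "RPC server", "Allowed", "User notified"}
INT_FIELDS = {"Process identifier", "Port number"}
TEXT_FIELDS = {"Name", "Path", "User account", "User domain", "IP version", "IP protocol"}
ALL_FIELDS = BOOL_FIELDS | INT_FIELDS | TEXT_FIELDS

def parse_861(description):
    """Turn an event 861 description into a dict of typed fields."""
    fields = {}
    for line in description.splitlines():
        label, sep, value = line.partition(":")  # first colon only; Path holds "C:\"
        label, value = label.strip(), value.strip()
        if not sep or label not in ALL_FIELDS:
            continue  # header sentence or an unrecognised line
        if label in BOOL_FIELDS:
            fields[label] = value.lower() == "yes"
        elif label in INT_FIELDS:
            fields[label] = int(value)
        else:
            fields[label] = None if value == "-" else value
    missing = sorted(ALL_FIELDS - set(fields))
    if missing:
        raise ValueError(f"not a complete 861 description, missing {missing}")
    return fields

def triage(event, baseline):
    """Return reasons to review; baseline holds (path, protocol, port) tuples."""
    reasons = []
    key = ((event["Path"] or "").lower(), event["IP protocol"], event["Port number"])
    if key not in baseline:  # assumed rule: any listener outside the baseline
        reasons.append("listener not in baseline")
    if not event["Allowed"]:
        reasons.append("listen request was not allowed")
    if event["User notified"]:
        reasons.append("user was shown a firewall dialog")
    return reasons

# The example event from this page.
PAGE_EXAMPLE = "\n".join([
    "The Windows Firewall has detected an application listening for incoming traffic.",
    "Name: -", r"Path: C:\WINDOWS\system32\lsass.exe", "Process identifier: 428",
    "User account: SYSTEM", "User domain: NT AUTHORITY", "Service: Yes",
    "RPC server: No", "IP version: IPv4", "IP protocol: UDP", "Port number: 4500",
    "Allowed: Yes", "User notified: No"])
# Constructed variant (not a real log entry): different port, request not allowed.
CONSTRUCTED = (PAGE_EXAMPLE.replace("Port number: 4500", "Port number: 8080")
               .replace("Allowed: Yes", "Allowed: No"))
# Assumed baseline of expected listeners for this host.
BASELINE = {(r"c:\windows\system32\lsass.exe", "UDP", 4500)}
```
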
