Event Details
EventID 861 - The Windows Firewall has detected an application listening for incoming traffic [Win 2003 / XP]
This event indicates that an application requested to open a UDP or TCP port in listening mode and shows whether the request was allowed. The event message text contains the file path and name of the requestor, the process identifier, whether the requestor is a program or a service, and the TCP or UDP port number.

Note: This event, like all Windows Firewall events, is not logged on Windows 2000, because Windows Firewall was introduced only in Windows XP / 2003.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2008 
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Detailed Tracking
        Event ID:       861
        Date:           10/26/2009
        Time:           07:41:25
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Description:
        The Windows Firewall has detected an application listening for incoming traffic.
        Name: -
        Path: C:\WINDOWS\system32\lsass.exe
        Process identifier:	428
        User account:	SYSTEM
        User domain:	NT AUTHORITY
        Service:	Yes
        RPC server:	No
        IP version:	IPv4
        IP protocol:	UDP
        Port number:	4500
        Allowed:	Yes
        User notified:	No
      
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows 2003, Windows XP
Category | Detailed Tracking
Source | Security
EventId | 861
Field Matching
Field | Description | Stored in | Sample Value
DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00
Source | Name of an Application or System Service originating the event. | Source | Security
Type | Warning, Information, Error, Success, Failure, etc. | Type | Success
User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky
Computer | Name of server workstation where event was logged. | Computer | DC1
EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576
Description | The entire unparsed event message. | Description | Special privileges assigned to new logon.
Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security
Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff
Name | Name of the application | InsertionString1 | -
Path | Full path and name of the program listening for incoming traffic | InsertionString2 | C:\WINDOWS\system32\lsass.exe
Process Identifier | ID of the process run by the application (see event 529) | InsertionString3 | 428
User Account | User account under which the process is running | InsertionString4 | SYSTEM
Domain | Domain of user account | InsertionString5 | NT AUTHORITY
Service | Indicates whether the application is a system service (Yes/No) | InsertionString6 | Yes
RPC Server | Indicates whether the application is an RPC server (Yes/No) | InsertionString7 | No
IP Version | Indicates the version of IP used (IPv4 or IPv6) | InsertionString8 | IPv4
IP Protocol | IP protocol used (UDP or TCP) | InsertionString9 | UDP
Port Number | Number of the port on which the application is listening for incoming traffic | InsertionString10 | 4500
Allowed | Indicates whether Windows allowed the application to open the port (Yes/No) | InsertionString11 | Yes
User Notified | Indicates whether Windows notified the user with a dialog box (Yes/No) | InsertionString12 | No
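
Added example (not part of the original page or of any vendor tooling): a Python parser that splits an event 861 description into the twelve fields listed under Field Matching and applies a few review rules to the result. The review rules, the trusted path prefix and the second sample event are assumptions constructed for illustration.

```python
# Labels in InsertionString1..12 order, per the Field Matching table.
FIELDS = ["Name", "Path", "Process identifier", "User account", "User domain",
          "Service", "RPC server", "IP version", "IP protocol", "Port number",
          "Allowed", "User notified"]

# Description text of the sample event shown on this page.
PAGE_SAMPLE = r"""The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 428
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4500
Allowed: Yes
User notified: No
"""
# Constructed variant (not a real event): non-service program in a temp folder.
CONSTRUCTED = (PAGE_SAMPLE.replace(r"C:\WINDOWS\system32\lsass.exe", r"C:\Temp\example.exe")
               .replace("Service: Yes", "Service: No"))

def parse_861(description):
    """Split an event 861 description into {label: value}."""
    event = {}
    for line in description.splitlines():
        # Split on the first colon only, so the drive letter in Path survives.
        label, sep, value = line.strip().partition(":")
        if sep and label in FIELDS:
            event[label] = value.strip()
    missing = [f for f in FIELDS if f not in event]
    if missing:
        raise ValueError("incomplete 861 description, missing: %s" % missing)
    for numeric in ("Process identifier", "Port number"):
        event[numeric] = int(event[numeric])
    return event

def triage(event, trusted=("c:\\windows\\system32\\",)):
    """Hypothetical review rules (assumptions); tune them per environment."""
    reasons = []
    if event["Allowed"] == "No":
        reasons.append("listen request was blocked")
    elif not event["Path"].lower().startswith(trusted):
        reasons.append("allowed listener outside trusted paths")
    if event["Service"] == "No" and event["User notified"] == "No":
        reasons.append("non-service listener opened without user prompt")
    return reasons
```

The page's own sample (lsass.exe on UDP 4500) produces no review reasons, while the constructed variant is flagged on both the path rule and the notification rule.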