#1 (permalink)

Event ID 5032

Hello,

Windows VISTA Business on an SBS2003 network. Every time I boot, I see:

--
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
--

It doesn't mention the application name or port .... why can't the message give more detail and how could you figure this out?

-Robert
#2 (permalink)

Re: Event ID 5032

"Robert Paresi" <FirstInitialLastName@innquest.com> wrote in message news:%23672y7HmHHA.596@TK2MSFTNGP06.phx.gbl...
> Hello,
>
> Windows VISTA Business on an SBS2003 network. Every time I boot, I see:
>
> --
> Windows Firewall was unable to notify the user that it blocked an
> application from accepting incoming connections on the network.
>
> Error Code: 2
> --
>
> It doesn't mention the application name or port .... why can't the message
> give more detail and how could you figure this out?
>

You put a shortcut for CurrPorts in the start-up folder so when you boot and log on you might be able to see something. You set refresh rate to high and make sure to enable the column for Process Name so you can see the process.

Also Vista's FW logs will give you traffic details for outbound traffic on ports to remote IP(s).

http://www.bestvistadownloads.com/do...-software.html
#3 (permalink)

Re: Event ID 5032

Hello,

The message I got was:

========
Logged: 5/18/2007 7:47:05 AM

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
=======

But, the Firewall shows this:

2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 123 123 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 49200 53 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW TCP 10.0.0.117 10.0.0.1 49181 445 0 - 0 0 0 - - - SEND
2007-05-18 07:47:05 ALLOW ICMP 10.0.0.117 10.0.0.1 - - 0 - - - - 8 0 - SEND
2007-05-18 07:47:05 ALLOW UDP 127.0.0.1 239.255.255.250 49201 3702 0 - - - - - - - RECEIVE
2007-05-18 07:47:05 ALLOW UDP ::1 ff02::c 49202 3702 0 - - - - - - - RECEIVE

As you can see, everything at that time didn't have any bad messages - only ALLOW.

-Robert

"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message news:utBBHUJmHHA.2596@TK2MSFTNGP06.phx.gbl...
>
> "Robert Paresi" <FirstInitialLastName@innquest.com> wrote in message
> news:%23672y7HmHHA.596@TK2MSFTNGP06.phx.gbl...
>> Hello,
>>
>> Windows VISTA Business on an SBS2003 network. Every time I boot, I see:
>>
>> --
>> Windows Firewall was unable to notify the user that it blocked an
>> application from accepting incoming connections on the network.
>>
>> Error Code: 2
>> --
>>
>> It doesn't mention the application name or port .... why can't the
>> message give more detail and how could you figure this out?
>>
>
> You put a short-cut for CurrPorts in the start-up folder so when you boot
> and logon you might be able to see something. You set refresh rate to high
> and make sure to enable the column for Process Name so you can see the
> process.
>
> Also Vista's FW logs will give you traffic details for outbound traffic on
> ports to remote IP(s).
>
> http://www.bestvistadownloads.com/do...-software.html
#4 (permalink)

Re: Event ID 5032

"Robert Paresi" <FirstInitialLastName@innquest.com> wrote in message news:evtN6VUmHHA.3496@TK2MSFTNGP03.phx.gbl...
> Hello,
>
> The message I got was:
>
> ========
> Logged: 5/18/2007 7:47:05 AM
>
> Windows Firewall was unable to notify the user that it blocked an
> application from accepting incoming connections on the network.
>
> Error Code: 2
> =======
>
> But, the Firewall shows this:
>
> 2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 123 123 0 - - - - - - - SEND
> 2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 49200 53 0 - - - - - - - SEND
> 2007-05-18 07:47:05 ALLOW TCP 10.0.0.117 10.0.0.1 49181 445 0 - 0 0 0 - - - SEND
> 2007-05-18 07:47:05 ALLOW ICMP 10.0.0.117 10.0.0.1 - - 0 - - - - 8 0 - SEND
> 2007-05-18 07:47:05 ALLOW UDP 127.0.0.1 239.255.255.250 49201 3702 0 - - - - - - - RECEIVE
> 2007-05-18 07:47:05 ALLOW UDP ::1 ff02::c 49202 3702 0 - - - - - - - RECEIVE
>
> As you can see, everything at that time didn't have any bad messages -
> only ALLOW.
>

Yes, it would be true that you wouldn't see any outbound, since it was blocked. That's why you can use CurrPorts to see if you can see something.

You can also turn on auditing, which is on an NT class O/S such as Vista and has a lot of ways to audit things, like what objects or programs are starting and ending. Use Google and look it up.

Advanced Security Settings

Enable Auditing on your Workstations

While this is a fairly normal practice for servers, it isn't usually performed on workstations unless there is a high risk of data theft. Our philosophy is that the time to fix the roof is before it starts to rain. By selectively auditing a few key actions, you'll have a place to start investigating theft or destruction of data if someone ever does compromise your workstation.

We recommend auditing the following actions:

| Event | Level of Auditing |
| --- | --- |
| Account logon events | Success, failure |
| Account management | Success, failure |
| Logon events | Success, failure |
| Object access | Success |
| Policy change | Success, failure |
| Privilege use | Success, failure |
| System events | Success, failure |
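Added example, not part of any post in this thread: a Python script that parses firewall log entries in the field order of the lines posted in #3 and reports which actions were logged within a few seconds of the Event ID 5032 timestamp, so any DROP entry stands out with its protocol, endpoints and direction. The function names and the single DROP line are constructed for illustration; the six ALLOW lines are the ones Robert posted.

```python
from collections import Counter
from datetime import datetime, timedelta

# Field order of pfirewall.log entries, matching the lines posted in the thread.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The six entries from post #3 (all ALLOW).
THREAD_LOG = """\
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 123 123 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW UDP 10.0.0.117 10.0.0.1 49200 53 0 - - - - - - - SEND
2007-05-18 07:47:05 ALLOW TCP 10.0.0.117 10.0.0.1 49181 445 0 - 0 0 0 - - - SEND
2007-05-18 07:47:05 ALLOW ICMP 10.0.0.117 10.0.0.1 - - 0 - - - - 8 0 - SEND
2007-05-18 07:47:05 ALLOW UDP 127.0.0.1 239.255.255.250 49201 3702 0 - - - - - - - RECEIVE
2007-05-18 07:47:05 ALLOW UDP ::1 ff02::c 49202 3702 0 - - - - - - - RECEIVE
"""

# Constructed line, not from the thread: what a logged inbound drop would look like.
CONSTRUCTED_DROP = ("2007-05-18 07:47:04 DROP TCP 10.0.0.1 10.0.0.117 "
                    "1042 50000 48 S 0 0 8192 - - - RECEIVE\n")

EVENT_TIME = datetime(2007, 5, 18, 7, 47, 5)  # "Logged:" time of the 5032 event

def parse(text):
    """Yield one dict per entry; skip '#' headers, blanks and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        yield row

def around_event(text, event_time, seconds=5):
    """Return (action counts, DROP rows) for entries within +/- seconds of the event."""
    window = timedelta(seconds=seconds)
    rows = [r for r in parse(text) if abs(r["when"] - event_time) <= window]
    return Counter(r["action"] for r in rows), [r for r in rows if r["action"] == "DROP"]

def describe(row):
    """Summarise one entry: protocol, endpoints and direction."""
    return (f"{row['protocol']} {row['src-ip']}:{row['src-port']} -> "
            f"{row['dst-ip']}:{row['dst-port']} {row['path']}")

if __name__ == "__main__":
    counts, drops = around_event(THREAD_LOG + CONSTRUCTED_DROP, EVENT_TIME)
    print(dict(counts))
    for row in drops:
        print("DROP", describe(row))
```

An all-ALLOW window, as in the thread's log, means no drop was written to the log at that time; in Windows Firewall with Advanced Security, logging of dropped packets is a separate setting from logging of successful connections.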