The Windows Filtering Platform has permitted a connection

If you are like me, your 125MB Windows Server 2008 R2 logs are jammed with “Event 5156: Windows Filtering Platform has permitted a connection”.

I could not figure out how to disable this because in LOCAL SECURITY POLICY it was greyed out, which I know means it is controlled by a Group Policy.

I was working on the DEFAULT DOMAIN POLICY, which was not correcting the problem. The solution was to change the DEFAULT DOMAIN CONTROLLER POLICY > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > AUDIT POLICY > AUDIT OBJECT ACCESS settings.

I have seen a large number of log entries with Event ID 5156 while working with File System Auditing, where this event is being repeatedly logged on my Server 2008 R2 machine.

After analyzing why Event ID 5156 was being repeatedly logged, I found the solutions below to stop Event ID 5156 from being logged continuously.

Event ID 5156 is logged when Success or Failure auditing is enabled for Filtering Platform Connection in the Advanced Audit Policy Configuration settings, which are available in Windows 2008 R2 and later versions.

Category: Object Access

Subcategory: Filtering Platform Connection

You will get the following Event IDs if Filtering Platform Connection auditing is enabled:

   5031 – The Windows Firewall Service blocked an application from accepting incoming connections on the network.
   5154 – The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
   5155 – The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
   5156 – The Windows Filtering Platform has allowed a connection.
   5157 – The Windows Filtering Platform has blocked a connection.
   5158 – The Windows Filtering Platform has permitted a bind to a local port.
   5159 – The Windows Filtering Platform has blocked a bind to a local port.

We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.

Possible Solution: 1 – using Auditpol.exe

    If you would like to get rid of the Filtering Platform Connection event 5156, run the following command in an elevated command prompt (Run As Administrator):

    Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable

    Then update Group Policy with this command:

    gpupdate /force

Possible Solution: 2 – using Local Security Policy

    You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.

    1. Press the key Windows + R

    2. Type command secpol.msc, click OK

    3. Then go to the node Advanced Audit Policy Configuration->Object Access.

    4. Check the audit setting Audit Filtering Platform Connection. If it is configured as Success, you can revert it to Not Configured and apply the setting.

Possible Solution: 3 – using Group Policy Object

    If the setting is inherited by Local Security Policy from another GPO, you need to edit the specific GPO that is configured with the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.

    1. Press the key Windows + R

    2. Type command rsop.msc, click OK.

    3. The result window opens. Go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.

    4. Now you can see the Source GPO of the setting Audit Object Access, which is the root setting for Audit Filtering Platform Connection.

    5. Then you can edit the Audit Filtering Platform Connection setting of the corresponding GPO by running the GPMC.msc command through the Run window or a command window.

    Note: You need to run the command GPUpdate /force after every change to apply Group Policy to the system immediately.

Morgan

Software Developer

This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The example below shows WFP allowing the DNS Server service to connect to the DNS client on the same computer.

Description Fields in 5156

Application Information:

  •  Process ID:  %1
  •  Application Name: %2

Network Information:

  •  Direction:  %3
  •  Source Address:  %4
  •  Source Port:  %5
  •  Destination Address: %6
  •  Destination Port:  %7
  •  Protocol:  %8

Filter Information:

  •  Filter Run-Time ID: %9
  •  Layer Name:  %10
  •  Layer Run-Time ID: %11

Examples of 5156

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:  1752
   Application Name: \device\harddiskvolume1\windows\system32\dns.exe

Network Information:

   Direction:  Inbound
   Source Address:  10.45.45.103
   Source Port:  53
   Destination Address: 10.45.45.103
   Destination Port:  50146
   Protocol:  17

Filter Information:

   Filter Run-Time ID: 5
   Layer Name:  Receive/Accept
   Layer Run-Time ID: 44
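
Because 5156 is written for every permitted connection, it is worth knowing which process and port produce most of the volume before changing the audit policy. The following is an added example, not part of the original page: it parses the rendered message text shown above and counts events per executable, direction, protocol, port and scope. The sample rows other than the page's dns.exe event, the lower-port heuristic and the function names are assumptions.

```python
import re
from collections import Counter
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
# Rendered 5156 message layout, trimmed to the fields used below.
TEMPLATE = """The Windows Filtering Platform has allowed a connection.
Application Information:
   Process ID:  {0}
   Application Name: {1}
Network Information:
   Direction:  {2}
   Source Address:  {3}
   Source Port:  {4}
   Destination Address: {5}
   Destination Port:  {6}
   Protocol:  {7}
"""
DNS = r"\device\harddiskvolume1\windows\system32\dns.exe"
# Constructed sample: row 1 is the page's example event, rows 2-3 are made up.
ROWS = [
    (1752, DNS, "Inbound", "10.45.45.103", 53, "10.45.45.103", 50146, 17),
    (1752, DNS, "Inbound", "10.45.45.103", 53, "10.45.45.103", 50147, 17),
    (4556, r"\device\harddiskvolume2\documents\listener.exe", "Inbound",
     "192.168.0.2", 3333, "192.168.0.1", 49279, 6),
]
SAMPLE = "".join(TEMPLATE.format(*row) for row in ROWS)
HEADER = re.compile(r"(?m)^The Windows Filtering Platform has (?:allowed|permitted) a connection\.$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s+(\S.*?)\s*$")

def parse_events(text):
    """Return one {field name: value} dict per rendered 5156 message."""
    parsed = (dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
              for chunk in HEADER.split(text))
    return [fields for fields in parsed if "Application Name" in fields]

def top_talkers(events):
    """Count events per (executable, direction, protocol, port, scope)."""
    counts = Counter()
    for e in events:
        exe = e["Application Name"].rsplit("\\", 1)[-1].lower()
        # Heuristic (assumption): the lower port number is the service port.
        port = min(int(e["Source Port"]), int(e["Destination Port"]))
        same = e["Source Address"] == e["Destination Address"]
        proto = PROTOCOLS.get(e["Protocol"], e["Protocol"])
        key = (exe, e["Direction"], proto, port, "same-host" if same else "remote")
        counts[key] += 1
    return counts.most_common()

if __name__ == "__main__":
    print(*top_talkers(parse_events(SAMPLE)), sep="\n")
```

Groups that are both high-count and same-host, such as the DNS Server talking to the local DNS client, are the usual source of the log flooding described at the top of this page.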

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:        %1
   Application Name:  %2

Network Information:

   Direction:           %3
   Source Address:      %4
   Source Port:         %5
   Destination Address: %6
   Destination Port:    %7
   Protocol:            %8

Filter Information:

   Filter Run-Time ID:  %9
   Layer Name:          %10
   Layer Run-Time ID:   %11

This event is generated when Windows Filtering Platform has allowed a connection.

Note: This event has 13 insertion strings but only 11 are displayed on the general tab.


Auditing: Rarely

It’s only recommended to audit this event if every network connection of a process needs to be tracked.


Volume: High, Very High

This event is logged for every network connection that is associated with a process; as such, the volume of events is generally very high.

Name                 Field            Insertion String  OS   Example
Process ID           ProcessID        %1                Any  4556
Application Name     Application      %2                Any  \device\harddiskvolume2\documents\listener.exe
Direction            Direction        %3                Any  %%14592
Source Address       SourceAddress    %4                Any  192.168.0.2
Source Port          SourcePort       %5                Any  3333
Destination Address  DestAddress      %6                Any  192.168.0.1
Destination Port     DestPort         %7                Any  49279
Protocol             Protocol         %8                Any
Filter Run-Time ID   FilterRTID       %9                Any  70201
Layer Name           LayerName        %10               Any  14610
Layer Run-Time ID    LayerRTID        %11               Any  44
N/A                  RemoteUserID     %12               Any  S-1-0-0
N/A                  RemoteMachineID  %13               Any  S-1-0-0


Lookup Audit Policy Configuration Settings


C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"




What is the ‘5157(F): Windows Filtering Platform has blocked a connection’ error in Windows 10/11?

In this post, we discuss how to fix the ‘5157(F): Windows Filtering Platform has blocked a connection’ error in Windows 10/11. Easy steps/methods to resolve the issue are provided. Let’s start the discussion.

‘5157(F): Windows Filtering Platform has blocked a connection’ issue:

It is a common Windows problem that usually occurs during or after a Windows upgrade. The issue primarily appears because of a problem that occurred during the Windows upgrade process. You see it when you open the Event Viewer app on a Windows 10/11 computer to check why you are experiencing issues during or after the upgrade. The error occurs when certain packets or connections are blocked by the Base Filtering Engine.

If you are not aware, Windows Filtering Platform is a set of services and APIs (Application Programming Interfaces) designed to help developers create network filtering applications. It is used to develop independent firewalls, antivirus, and network-related applications. Also, an application can alter access points as they are processed. Windows Filtering Platform includes the Base Filter Engine, Generic Filter Engine and Callout Modules.

The possible reasons behind the issue include corruption of system files and the system image, interference from antivirus/firewall software, an issue with the user account on the computer, malware or virus infections, corruption in the Windows installation, and other issues. If you are facing the same issue and searching for ways to fix it, then you are in the right place for the solution. Let’s go for the solution.

How to fix 5157(F): Windows Filtering Platform has blocked a connection error in Windows 10/11?

Method 1: Fix ‘5157(F): Windows Filtering Platform has blocked a connection’ error with ‘PC Repair Tool’

‘PC Repair Tool’ is a quick and easy way to find and fix BSOD errors, DLL errors, EXE errors, problems with programs/applications, malware or virus infections, system file or registry issues, and other system issues with just a few clicks.

Method 2: Disable Firewall

Interference from Windows Firewall could be a reason behind the issue. You can disable the firewall on your computer to fix it.

Step 1: Open ‘Control Panel’ app in Windows PC via Windows Search Box and go to ‘System and Security > Windows Defender Firewall’

Step 2: Click ‘Turn Windows Defender Firewall ON or OFF’ option from left-pane, tick ‘Turn OFF Windows Defender Firewall (not recommended)’ under private and public network settings, and hit ‘Ok’ button to save the changes. Once done, restart your computer and check if the issue is resolved.

Method 3: Run SFC scan and DISM scan

You can run an SFC scan and a DISM scan to repair corruption in system files and the system image and fix this issue.

Step 1: Type ‘cmd’ in Windows Search Box and press ‘CTRL + SHIFT + ENTER’ keys on keyboard to open ‘Command Prompt as Administrator’

Step 2: Type the following commands and hit ‘Enter’ key after each to execute.

sfc /scannow

DISM /Online /Cleanup-Image /ScanHealth

DISM /Online /Cleanup-Image /RestoreHealth

Step 3: Once executed, restart your computer and check if the issue is resolved.

Method 4: Restart Windows Security Center

Another way to fix the issue is to restart the Windows Security Center service on the computer.

Step 1: Open ‘Services’ app in Windows PC via Windows Search Box

Step 2: Find and double-click ‘Windows Defender Firewall’ service to open its Properties.

Step 3: Select ‘Automatic’ from ‘Startup Type’ dropdown, and hit ‘Start’ button under ‘Service Status’ section, hit ‘Apply > Ok’ button to save the changes.

Step 4: Now, right-click ‘Start’ menu and select ‘Windows Terminal (Admin)’ to open it, and type the following commands and hit ‘Enter’ key to execute.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f

Step 5: Once executed, restart your computer, and after the restart, execute the following command in Windows Terminal

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 0 /t REG_DWORD /f

Step 6: Once executed, restart your computer again and check if the issue is resolved.

Method 5: Disable your antivirus

Another way to fix the issue is to disable the antivirus software on your computer.

Step 1: Open ‘Windows Security’ app via Windows Search Box and go to ‘Virus & Threat Protection’

Step 2: Click ‘Manage Settings’ under ‘Virus & Threat Protection settings’, and click toggle under ‘Real-Time Protection’ to disable the antivirus, and confirm it. Once done, check if the issue is resolved.

Method 6: Create a new user account

This issue can occur due to a problem with the user account you are logged in with on the Windows PC. You can fix the issue by creating a new user account on the Windows computer, logging in with the newly created account, and checking whether that resolves the issue.

Conclusion

I hope this post helped you learn how to fix the 5157(F): Windows Filtering Platform has blocked a connection error in Windows 10/11 in easy ways. You can read and follow our instructions to do so. That’s all. For any suggestions or queries, please write in the comment box below.
