If you are like me, your 125MB Windows Server 2008 R2 logs are jammed with “Event 5156: Windows Filtering Platform has permitted a connection”:
Event 5156: Windows Filtering Platform has permitted a connection
I could not figure out how to disable this because in LOCAL SECURITY POLICY it was greyed out, which I know means it is controlled by a Group Policy:
I was working on the DEFAULT DOMAIN POLICY which was not correcting the problem. The solution was to change the DEFAULT DOMAIN CONTROLLER POLICY > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > AUDIT POLICY > AUDIT OBJECT ACCESS settings:
event-5156-The-Windows-Filtering-Platform-has-permitted-a-connection-domain-controller-gp
I have seen more number of logs with the Event ID 5156 while working with File System Auditing where this event is being repeatedly logged on my server 2008 R2 machine.
See the event in this picture
After I have analyzed for the reason of Event ID 5156 is being repeatedly logged, found the below solutions to stop the Event ID 5156 from being logged continuously
Event ID 5156 should occur if the Success or Failure audit was enabled for Filtering Platform Connection in Advanced Audit Policy Configuration setting which is available from Windows 2008 R2 and later versions.
Category: Object Access
Subcategory: Filtering Platform Connection
You will get the following Event IDs if the Filtering Platform Connection is enabled.
5031 – The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5154 – The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 – The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 – The Windows Filtering Platform has allowed a connection
5157 – The Windows Filtering Platform has blocked a connection
5158 – The Windows Filtering Platform has permitted a bind to a local port.
5159 -The Windows Filtering Platform has blocked a bind to a local port.
We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.
Possible Solution: 1- using Auditpol exe
If you would like to get rid of this Filtering Platform Connection event 5156 then you need to run the following commands in an elevated command prompt (Run As Administrator):
Auditpol /set /subcategory:”Filtering Platform Connection” /Success:disable
Then update gpo by this command
gpupdate /force
Possible Solution: 2 – using Local Security Policy
You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.
1. Press the key Windows + R
2. Type command secpol.msc, click OK
3. Then go to the node Advanced Audit Policy Configuration->Object Access.
4. Check the audit setting Audit Filtering Platform Connection If it is configured as Success, you can revert it Not Configured and Apply the setting.
Possible Solution: 3 – using Group Policy Object
If the setting is inherited from any other GPO to Local Security Policy,You need to edit the specific GPO which is configured with the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.
1. Press the key Windows + R
2. Type command rsop.msc, click OK.
3. Now you can the below result window. Then go to the node Computer Configuration ->Windows Settings ->Local Polices-> Audit Policy.
4. Now, you can see the Source GPO of the setting Audit Object Access which is the root Setting for Audit Filtering Platform Connection.
5. Then you can edit the Audit Filtering Platform Connection of corresponding GPO by running GPMC.msc command through Run window or command window.
Note:You need run the command GPUpdate /force after every changes to apply group policy to system immediately.
Morgan
Software Developer
This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.
The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.
Application Information:
Description Fields in
5156
Application Information:
- Process ID: %1
- Application Name: %2
Network Information:
- Direction: %3
- Source Address: %4
- Source Port: %5
- Destination Address: %6
- Destination Port: %7
- Protocol: %8
Filter Information:
- Filter Run-Time ID: %9
- Layer Name: %10
- Layer Run-Time ID: %11
Examples of 5156
The Windows Filtering Platform has allowed a connection.
Application Information:
Process ID: 1752
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.45.45.103
Source Port: 53
Destination Address: 10.45.45.103
Destination Port: 50146
Protocol: 17
Filter Information:
Filter Run-Time ID: 5
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter
to hear about the latest webinars, patches, CVEs, attacks, and more.
The Windows Filtering Platform has allowed a connection.
The Windows Filtering Platform has allowed a connection. Application Information: Process ID: %1 Application Name: %2 Network Information: Direction: %3 Source Address: %4 Source Port: %5 Destination Address: %6 Destination Port: %7 Protocol: %8 Filter Information: Filter Run-Time ID: %9 Layer Name: %10 Layer Run-Time ID: %11
This event generates when Windows Filtering Platform has allowed a connection.
Note: This event has 13 insertion strings but only 11 are displayed on the general tab.
Auditing:
Rarely
It’s only recommended to audit this event if every network connection of a process needs to be tracked.
Volume:
High
Very High
This event is logged for every network connection that is associated with a process, as such the volume of events is generally very high.
| Name | Field | Insertion String | OS | Example | |
|---|---|---|---|---|---|
|
|
Process ID | ProcessID | %1 | Any | 4556 |
|
|
Application Name | Application | %2 | Any | \device\harddiskvolume2\documents\listener.exe |
|
|
Direction | Direction | %3 | Any | %%14592 |
|
|
Source Address | SourceAddress | %4 | Any | 192.168.0.2 |
|
|
Source Port | SourcePort | %5 | Any | 3333 |
|
|
Destination Address | DestAddress | %6 | Any | 192.168.0.1 |
|
|
Destination Port | DestPort | %7 | Any | 49279 |
|
|
Protocol | Protocol | %8 | Any |
View Codes |
|
|
Filter Run-Time ID | FilterRTID | %9 | Any | 70201 |
|
|
Layer Name | LayerName | %10 | Any | 14610 |
|
|
Layer Run-Time ID | LayerRTID | %11 | Any | 44 |
| N/A | RemoteUserID | %12 | Any | S-1-0-0 | |
| N/A | RemoteMachineID | %13 | Any | S-1-0-0 |
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"
LEFT/RIGHT arrow keys for navigation
Back to List
What is ‘5157(F): Windows Filtering Platform has blocked a connection’ error in Windows 10/11?
In this post, we are going to discuss on How to fix 5157(F): Windows Filtering Platform has blocked a connection error in Windows 10/11. You are provided with easy steps/methods to resolve the issue. Let’s starts the discussion.
‘5157(F): Windows Filtering Platform has blocked a connection’ issue:
It is common Windows problem occurred usually during or after Windows upgrade. This issue is primarily appeared because of some issue occurred during Windows upgrade process. When you open Event Viewer app in Windows 10/11 computer in order to check why you are experiencing issue during or after Windows upgrade. This error is occurred when certain packets or connections are blocked by Base Filtering Engine.
If you are not aware, Windows Filtering Platform is set of services and API (Application Programming Interface) designed to help the developers create network filtering applications. It is used to develop independent firewalls, antivirus, and network-related applications. Also, an application can alter access points as they are processed. Windows Filtering Platform including Base Filter Engine, Generic Filter Engine and Callout Modules.
The possible reasons behind the issue can be the corruption system files and system image, interference of antivirus/firewall, issue with user account in computer, malware or viruses infections in computer, corruption in Windows computer, and other issues. If you are facing the same issue and searching for ways to fix, then you are in right-place for the solution. Let’s go for the solution.
How to fix 5157(F): Windows Filtering Platform has blocked a connection error in Windows 10/11?
Method 1: Fix ‘5157(F): Windows Filtering Platform has blocked a connection’ error with ‘PC Repair Tool’
‘PC Repair Tool’ is quick & easy ways to find and fix BSOD errors, DLL errors, EXE errors, problems with programs/applications, malware or viruses infections in computer, system files or registry issues, and other system issues with just few clicks.
Method 2: Disable Firewall
Interference of Windows firewall could be a reason behind the issue. You can disable your firewall in computer to fix.
Step 1: Open ‘Control Panel’ app in Windows PC via Windows Search Box and go to ‘System and Security > Windows Defender Firewall’
Step 2: Click ‘Turn Windows Defender Firewall ON or OFF’ option from left-pane, tick ‘Turn OFF Windows Defender Firewall (not recommended)’ under private and public network settings, and hit ‘Ok’ button to save the changes. Once done, restart your computer and check if the issue is resolved.
Method 3: Run SFC scan and DISM scan
You can run SFC scan and DISM scan in computer to repair corruption in system files and system images in computer and fix this issue.
Step 1: Type ‘cmd’ in Windows Search Box and press ‘CTRL + SHIFT + ENTER’ keys on keyboard to open ‘Command Prompt as Administrator’
Step 2: Type the following commands and hit ‘Enter’ key after each to execute.
sfc /scannow
DISM/Online /Cleanup-image /Scanhealth
DISM/Online /Cleanup-image /Restorehealth
Step 3: Once executed, restart your computer and check if the issue is resolved.
Method 4: Restart Windows Security Center
Another way to fix the issue is to restart Windows Security Center service in computer.
Step 1: Open ‘Services’ app in Windows PC via Windows Search Box
Step 2: Find and double-click ‘Windows Defender Firewall’ service to open its Properties.
Step 3: Select ‘Automatic’ from ‘Startup Type’ dropdown, and hit ‘Start’ button under ‘Service Status’ section, hit ‘Apply > Ok’ button to save the changes.
Step 4: Now, right-click ‘Start’ menu and select ‘Windows Terminal (Admin)’ to open it, and type the following commands and hit ‘Enter’ key to execute.
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /d 1 /t REG_DWORD /f
Step 5: Once executed, restart your computer, and after restart, execute following commands in Windows Terminal
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /d 0 /t REG_DWORD /f
Step 6: Once executed, restart your computer again and check if the issue is resolved.
Method 5: Disable your antivirus
Another way to fix the issue is to disable your antivirus software in computer.
Step 1: Open ‘Windows Security’ app via Windows Search Box and go to ‘Virus & Threat Protection’
Step 2: Click ‘Manage Settings’ under ‘Virus & Threat Protection settings’, and click toggle under ‘Real-Time Protection’ to disable the antivirus, and confirm it. Once done, check if the issue is resolved.
Method 6: Create a new user account
This issue can be occurred due to some issue with user account in Windows PC you are login. You can fix the issue by creating a new user account in Windows computer and login into computer with newly created account, and check if it works for you toward resolving the issue.
Conclusion
I hope this post helped you on How to fix5157(F): Windows Filtering Platform has blocked a connection error in Windows 10/11 with easy ways. You can read & follow our instructions to do so. That’s all. For any suggestions or queries, please write on comment box below.