Many 5159 events are logged in the Security event log after you disable Windows Firewall and enable the “Filtering Platform Connection” auditing policy
Consider the following scenario:
- On a computer that is running Windows Vista or Windows Server 2008, you disable Windows Firewall for the Domain profile, the Private profile and the Public profile.
- You enable the “Filtering Platform Connection” audit policy.
In this scenario, the following Event ID 5159 is logged many times in the Security event log:
Log Name: Security Source: Microsoft-Windows-Security-Auditing Event ID: 5159 Task Category: Filtering Platform Connection Level: Information Keywords: Audit Failure User: N/A Description: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: process ID Application Name: %path to some application% Network Information: Source Address: IP address Source Port: port number Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36
These events quickly fill the Security event log. Because of the large number of entries in the Security event log, it is difficult to monitor audit failures.
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB969257.