Information that makes life easier when it comes to installing, managing, and using Windows Vista.
Start About FAQ Blogroll Shop

ITsVISTA KB-Link: KB969257

Many 5159 events are logged in the Security event log after you disable Windows Firewall and enable the “Filtering Platform Connection” auditing policy

Consider the following scenario:

  • On a computer that is running Windows Vista or Windows Server 2008, you disable Windows Firewall for the Domain profile, the Private profile and the Public profile.
  • You enable the “Filtering Platform Connection” audit policy.

In this scenario, the following Event ID 5159 is logged many times in the Security event log:

Log Name:      Security 
Source:        Microsoft-Windows-Security-Auditing 
Event ID:      5159 
Task Category: Filtering Platform Connection 
Level:         Information 
Keywords:      Audit Failure 
User:          N/A 
The Windows Filtering Platform has blocked a bind to a local port.
Application Information: 
        Process ID:             process ID 
        Application Name:       %path to some application%
Network Information: 
        Source Address:         IP address 
        Source Port:            port number
        Protocol:               17 
Filter Information: 
        Filter Run-Time ID:     0 
        Layer Name:             Resource Assignment 
        Layer Run-Time ID:      36

These events quickly fill the Security event log. Because of the large number of entries in the Security event log, it is difficult to monitor audit failures.

There is a download that resolves this issue. See Hotfixes for details.

For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB969257.

Get notified of new posts for FREE via RSS or E-mail

Subscribe to ITsVISTA!

Related Posts