I have seen a large number of logs with Event ID 5156 while working with File System Auditing, where this event is being repeatedly logged on my Server 2008 R2 machine.
After analyzing why Event ID 5156 is being repeatedly logged, I found the solutions below to stop Event ID 5156 from being logged continuously.
Event ID 5156 is logged if Success or Failure auditing is enabled for Filtering Platform Connection in the Advanced Audit Policy Configuration settings, which are available in Windows 2008 R2 and later versions.
Category: Object Access
Subcategory: Filtering Platform Connection
You will get the following Event IDs if Filtering Platform Connection auditing is enabled.
5031 – The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5154 – The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 – The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 – The Windows Filtering Platform has allowed a connection.
5157 – The Windows Filtering Platform has blocked a connection.
5158 – The Windows Filtering Platform has permitted a bind to a local port.
5159 – The Windows Filtering Platform has blocked a bind to a local port.
We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.
Possible Solution: 1 – using Auditpol.exe
If you would like to get rid of this Filtering Platform Connection event 5156, run the following command in an elevated command prompt (Run As Administrator):
Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable
Then update Group Policy with this command:
gpupdate /force
Possible Solution: 2 – using Local Security Policy
You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.
1. Press the key Windows + R
2. Type command secpol.msc, click OK
3. Then go to the node Advanced Audit Policy Configuration->Object Access.
4. Check the audit setting Audit Filtering Platform Connection. If it is configured as Success, you can revert it to Not Configured and apply the setting.
Possible Solution: 3 – using Group Policy Object
If the setting is inherited from another GPO into Local Security Policy, you need to edit the specific GPO that is configured with the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.
1. Press the key Windows + R
2. Type command rsop.msc, click OK.
3. The result window now opens. Then go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.
4. Now you can see the Source GPO of the setting Audit Object Access, which is the root setting for Audit Filtering Platform Connection.
5. Then you can edit the Audit Filtering Platform Connection setting of the corresponding GPO by running the GPMC.msc command from the Run window or a command window.
Note: You need to run the command GPUpdate /force after every change to apply Group Policy to the system immediately.
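Whichever of the three solutions is used, the result can be checked from PowerShell. The script below is an added example, not part of the original post: it reads the effective setting for the subcategory with auditpol and then shows which applications produced the 5156 events of the last hour, which is useful to know before the events are switched off. It assumes an elevated session and an English-language system.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumes an English-language system: auditpol prints localized subcategory names.
$sub = 'Filtering Platform Connection'

# 1. Effective audit setting. "/r" makes auditpol emit CSV with an "Inclusion Setting"
#    column (No Auditing, Success, Failure, or Success and Failure).
$row = auditpol /get /subcategory:"$sub" /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq $sub }
if (-not $row) { throw "auditpol returned no row for '$sub' (is the session elevated?)" }
"Effective setting for '$sub': $($row.'Inclusion Setting')"

# 2. Which applications produced the 5156 events of the last hour.
#    A non-elevated session cannot read the Security log and reports zero events.
$filter = @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddHours(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"5156 events in the last hour: $($events.Count)"

$events |
    ForEach-Object {
        # Read the field by name from the event XML instead of relying on its position.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'Application' }).'#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

After the policy change and gpupdate /force, the first line should report a setting without Success and the hourly count should stop growing.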
Morgan
Software Developer
If you are like me, your 125MB Windows Server 2008 R2 logs are jammed with “Event 5156: Windows Filtering Platform has permitted a connection”:
Event 5156: Windows Filtering Platform has permitted a connection
I could not figure out how to disable this because in LOCAL SECURITY POLICY it was greyed out, which I know means it is controlled by a Group Policy:
I was working on the DEFAULT DOMAIN POLICY which was not correcting the problem. The solution was to change the DEFAULT DOMAIN CONTROLLER POLICY > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > AUDIT POLICY > AUDIT OBJECT ACCESS settings:
Windows 11, the latest iteration in the series from Microsoft, is said to be the most advanced and user-oriented. However, errors remain as common as in the previous version, if not more so. In this article, we will be taking up the Windows Filtering Platform has blocked a connection problem.
The error arises when certain packets or connections are blocked by the Base Filtering Engine. Though the problem may seem intricate to most users, its solutions are rather simple and have been listed out in the following sections.
For those encountering the error in Windows 11, it’s likely that the upgrade didn’t go through successfully and there’s some kind of misrecognition in Windows Firewall.
But, before we head to the fixes, it’s imperative that you understand the role of the Windows Filtering Platform and its main features.
How does the Windows Filtering Platform help developers?
The Windows Filtering Platform, a set of system services and APIs (Application Programming Interfaces), allows developers to create network filtering applications. It was first introduced in Windows Vista and has been a part of the Windows ecosystem ever since.
It can also be used to build independent firewalls, antivirus, amongst other network-related applications. With this, an application can access and modify packets while these are being processed.
The three main features of the Windows Filtering Platform are as follows:
- Base Filter Engine
- Generic Filter Engine
- Callout Modules
Now that you are fairly acquainted with the concept, let’s head to the most effective fixes for the Windows Filtering Platform has blocked a connection problem in Windows 11.
How can I fix the Windows Filtering Platform has blocked a connection error in Windows 11?
1. Disable the Firewall
- Press Windows + S to launch the Search menu. Enter Windows Defender Firewall in the text field at top and click on the relevant search result that appears.
- Next, click on Turn Windows Defender Firewall on or off from the list of options on the left.
- Tick the checkboxes for Turn off Windows Defender Firewall (not recommended) under both Private network settings and Public network settings, and click on OK at the bottom to save the changes.
After making the changes, restart the system and check if the Windows Filtering Platform has blocked a connection problem is eliminated in Windows 11. If not, head to the fix listed next.
2. Run DISM tool
- Press Windows + S to launch the Search menu. Enter Windows Terminal in the text field at the top, right-click on the relevant search result and select Run as administrator from the context menu.
- Click Yes on the UAC (User Account Control) prompt that pops up.
- Click on the downward-facing arrow at the top and select Command Prompt from the list of options. Alternatively, you can press Ctrl + Shift + 2 to launch Command Prompt in a new tab in Windows Terminal.
- Next, paste the following command and hit Enter to execute it:
DISM /Online /Cleanup-image /Scanhealth
- Finally, execute the following command:
DISM /Online /Cleanup-image /Restorehealth
3. Perform a quick SFC scan
- Press Windows + R to launch the Run command. Enter wt in the text field, press and hold the Ctrl + Shift keys, and then either click on OK or hit Enter to launch an elevated Windows Terminal.
- Click Yes on the UAC (User Account Control) prompt.
- Click on the downward arrow and select Command Prompt from the menu that appears.
- Next, type/paste the following command and hit Enter to run the SFC scan:
sfc /scannow
The SFC (System File Checker) scan is used to identify corrupt system files, and if any are found, replace them with their cached copy stored on the system. So, if it’s the corrupt system files that are causing the Windows Filtering Platform has blocked a connection problem in Windows 11, running the SFC scan should fix it.
After executing the command, wait for the scan to complete, then restart the computer and check if the problem is eliminated. If the issue still persists, you can try using a third-party repair app that has more advanced features.
4. Restart Windows Security Center
- Press Windows + R to launch the Run command. Enter services.msc in the text field, and either click on OK or hit Enter to launch the Services app.
- Locate and double-click on the Windows Defender Firewall service.
- Check if the Service status reads Running.
- If not, click on the Start button under Service status to run the service.
- Next, press Windows + S to launch the Search menu. Enter Windows Terminal in the text field, right-click on the relevant search result that appears, and select Run as administrator from the context menu.
- Click Yes on the UAC (User Account Control) prompt that appears.
- Next, execute the following command and then restart the PC:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
- After the computer restarts, paste the following command and hit Enter:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 0 /t REG_DWORD /f
Once done, again restart the computer and check if the Windows Filtering Platform has blocked a connection problem is fixed in Windows 11.
5. Disable your antivirus
NOTE
We have listed the steps to disable the built-in Windows Security app. In case you are using a third-party antivirus, check its settings or head to the FAQ section on the manufacturer’s website for the steps to disable it.
- Press Windows + S to launch the Search menu. Enter Windows Security in the text field at the top, and then click on the relevant search result that appears.
- Click on Virus & threat protection.
- Click on Manage settings under Virus & threat protection settings.
- Next, click on the toggle under Real-time protection to disable the antivirus.
- Lastly, click Yes on the UAC (User Account Control) prompt that pops up.
Oftentimes, the antivirus is known to conflict with the network settings and lead to a bunch of errors. This is generally the case with third-party antiviruses, but the built-in Windows Security is also sometimes found to be the culprit.
Hence if the above fixes haven’t worked, you can try disabling the antivirus and check if the Windows Filtering Platform has blocked a connection problem is eliminated in Windows 11.
In case the error persists, uninstall the third-party antivirus app and verify if that changes the situation.
6. Create a new local account
In many cases, it was a corruption in the user account that led to the Windows Filtering Platform has blocked a connection problem. If that’s the case, and the above methods have fixed it, you can create a new local account on your Windows 11 PC.
While there is a lot of debate around whether you should go for a Microsoft account or a Local one, the latter should be a better choice here since it’s not linked to any servers and can be used independently on the device.
Once you have created a new local account, the error should not be present in the Event Viewer anymore.
Which is better, Windows 11 or Windows 10?
With Windows 11 finally launched, most have been nothing but excited to get their hands on the latest iteration. But, a lot of users have been skeptical of the upgrade owing to various factors.
The primary reason is that they are accustomed to Windows 10 and it will take some time to get familiar with the new OS. But, that’s not a good enough reason since Windows 11 offers both a slightly better user interface along with a bunch of other features and security enhancements, meant to improve your experience.
That’s all there is to the Windows Filtering Platform has blocked a connection problem in Windows 11 along with the most relevant fixes for it.
In case the methods listed above do not eliminate the Windows Filtering Platform has blocked a packet error, you can either perform a system restore or reset Windows 11 to its factory settings.
Kazim Ali Alvi
Windows Hardware Expert
Operating Systems | Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022
Category • Subcategory | Object Access • Filtering Platform Connection
Type | Failure
Corresponding events in Windows 2003 and before |
5159: The Windows Filtering Platform has blocked a bind to a local port
This event is logged every time WFP prevents a client or server application from binding to a port. Binding is the first step in TCP or UDP communications.
Application Information:
- Process ID: process ID specified when the executable started as logged in 4688
- Application Name: the program executable on this computer’s side of the packet transmission
Description Fields in 5159
Application Information:
- Process ID: %1
- Application Name: %2
Network Information:
- Source Address: %3
- Source Port: %4
- Protocol: %5
Filter Information:
- Filter Run-Time ID: %6
- Layer Name: %7
- Layer Run-Time ID: %8
Examples of 5159
The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
Process ID: 592
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Source Address: fe80::9516:1afb:3656:dab1
Source Port: 389
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
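The description layout above can be turned into structured fields when the event arrives as rendered text, for example in a forwarded log. The parser below is an added example and not code from the page: the function name ConvertFrom-WfpEventText is hypothetical, the sample input is the 5159 example shown above, and the protocol names come from the IANA protocol numbers.

```powershell
# Added example. Sample input: the 5159 example text from this page.
$message = @'
The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
Process ID: 592
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Source Address: fe80::9516:1afb:3656:dab1
Source Port: 389
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
'@

function ConvertFrom-WfpEventText {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)

    # IANA protocol numbers most often seen in the Protocol field.
    $protocolNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }
    $fields = @{}
    foreach ($line in ($Text -split '\r?\n')) {
        # "Name: value" lines carry data. Section headers such as
        # "Network Information:" have nothing after the colon and do not match.
        if ($line.Trim() -match '^(?<name>[^:]+):\s+(?<value>.+)$') {
            $fields[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    $protocol = [int]$fields['Protocol']
    $protocolName = $protocolNames[$protocol]
    if (-not $protocolName) { $protocolName = "protocol $protocol" }

    [pscustomobject]@{
        ProcessId     = [int]$fields['Process ID']
        Application   = $fields['Application Name']
        SourceAddress = $fields['Source Address']
        SourcePort    = [int]$fields['Source Port']
        Protocol      = $protocolName
        FilterId      = [uint64]$fields['Filter Run-Time ID']
        Layer         = $fields['Layer Name']
    }
}

ConvertFrom-WfpEventText -Text $message | Format-List
```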