Disable “Filtering Platform Connection” (Event ID 5156, 5158) Security Logging

When you open the Security Event log, the log may contain many “Filtering Platform Connection” events. The event ID of these entries maybe 5156 or 5158. The security log may record close to 100 events per minute, containing the event ID 5156 or 5158. This causes the security event log to become full very quickly.

windows filtering platform event id 5156

Sample Event ID 5156 entry

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 11:27:37 AM
Event ID:      5156
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		2592
	Application Name:	\device\harddiskvolume2\program files (x86)\microsoft\edge\application\msedge.exe

Network Information:
	Direction:		Outbound
	Source Address:		192.168.0.101
	Source Port:		63386
	Destination Address:	239.255.255.250
	Destination Port:		1900
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	144025
	Layer Name:		Connect
	Layer Run-Time ID:	48

Sample Event ID 5158 entry

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 11:27:51 AM
Event ID:      5158
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
	Process ID:		7612
	Application Name:	\device\harddiskvolume2\program files (x86)\google\chrome\application\chrome.exe

Network Information:
	Source Address:		::
	Source Port:		60420
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	145279
	Layer Name:		Resource Assignment
	Layer Run-Time ID:	38

The security event log getting bombarded with 100 events per minute is never a good thing. Not only it’s an unnecessary disk I/O operation, but it also FIFOs out other vital security log data.

Cause

Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. Windows Firewall is based on WFP.

On a standard Windows installation, the Success/Failure entries for “Filtering Platform Connection” aren’t audited/logged. However, third-party software may have enabled auditing for this category. If auditing is enabled, Windows Filtering Platform generates the events 5156 and 5158 when it has allowed a connection. Event ID 5157 is written when WFP has blocked a connection.

For more information on WFP auditing, see this Microsoft article.

This article tells you how to prevent a spate of “Filtering Platform Connection” events from being written to the Security event Log every minute.

Solution

To stop Windows Filtering Platform from (“Filtering Platform Connection”) from logging Success and Failure events (5156, 5157, and 5158) in the Security event log, follow these steps:

Disable “Filtering Platform Connection” Success Audit

First, open an admin Command Prompt.

Type the following command and press Enter:

auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable

windows filtering platform event id 5156 - eventpol

That’s it. The Security event log should no longer get bombarded with events 5156, 5157, or 5158 from now on.

Optionally, to verify if the auditing has been successfully disabled for “Success” and “Failure” events, run this command:

auditpol /get /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}"

You should see the following output:

System audit policy
Category/Subcategory                      Setting
Object Access
  Filtering Platform Connection           No Auditing

windows filtering platform event id 5156 - eventpol

The above output means auditing is disabled (for both “Success” and “Failure” WFP events) and nothing will be logged. This is what we wanted.



The security event log will have recorded the following event after the audit policy change:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 12:50:01 PM
Event ID:      4719
Task Category: Audit Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
System audit policy was changed.

Subject:
	Security ID:		OPTIPLEX-9020\ramesh
	Account Name:		ramesh
	Account Domain:		OPTIPLEX-9020
	Logon ID:		0x92A6F

Audit Policy Change:
	Category:		Object Access
	Subcategory:		Filtering Platform Connection
	Subcategory GUID:	{0cce9226-69ae-11d9-bed3-505054503030}
	Changes:		Success removed, Failure removed

“Filtering Platform Connection” Audit enables automatically?

On some systems, the WFP auditing may get re-enabled automatically in a few minutes. If you run the above “auditpol /get ...” command-line, you may see that audit of “Success and Failure” entries have been switched on automatically (perhaps by some third-party security software installed on the computer.)

windows filtering platform event id 5156 - eventpol

Malwarebytes “Brute Force Protection” setting

If you’re using Malwarebytes Premium and have enabled the Brute Force Protection option in the Security tab, turn the setting off.

If this setting is turned on, it enables WFP “Success and Failure” auditing automatically. Even if you disable auditing manually using auditpol.exe, Malwarebytes re-enables WFP auditing every 4-5 minutes.

Editor’s note: If you need the “Brute Force Protection” turned on and yet want to disable the WFP event logging, you may contact Malwarebytes support to see if a workaround is available.

malwarebytes brute force 5156 5158 wfp event log

Once done, re-run the following command from the admin Command Prompt:

auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable

This disables the excessive logging of the Windows Filtering Platform (“Filtering Connection Platform”) “Success” and “Failure” events (Event ID 5156, 5157, and 5158).

Alternatively, for diagnostic purposes, you can opt to log only the “Failure” entries using the auditpol.exe command. The “Failure” entries would be significantly less in number when compared to “Success” entries.

As of this blog post, Malwarebyte’s current version is 4.5.11.202 — Update package version is 1.0.57424 — Component package version is 1.0.1716.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

Leave a Comment