{"id":26889,"date":"2022-07-19T12:16:08","date_gmt":"2022-07-19T06:46:08","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=26889"},"modified":"2022-07-26T23:26:58","modified_gmt":"2022-07-26T17:56:58","slug":"disable-filtering-platform-connection-audit-event-logging","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/disable-filtering-platform-connection-audit-event-logging\/","title":{"rendered":"Disable “Filtering Platform Connection” (Event ID 5156, 5158) Security Logging"},"content":{"rendered":"

When you open the Security Event log, the log may contain many “Filtering Platform Connection” events. The event ID of these entries maybe 5156<\/code> or 5158<\/code>. The security log may record close to 100 events per minute, containing the event ID 5156<\/code> or 5158<\/code>. This causes the security event log to become full very quickly.<\/p>\n

\"windows<\/p>\n

Sample Event ID 5156 entry<\/strong><\/p>\n

Log Name:      Security\r\nSource:        Microsoft-Windows-Security-Auditing\r\nDate:          7\/19\/2022 11:27:37 AM\r\nEvent ID:      5156\r\nTask Category: Filtering Platform Connection\r\nLevel:         Information\r\nKeywords:      Audit Success\r\nUser:          N\/A\r\nComputer:      OptiPlex-9020\r\nDescription:\r\nThe Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t2592\r\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\microsoft\\edge\\application\\msedge.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tOutbound\r\n\tSource Address:\t\t192.168.0.101\r\n\tSource Port:\t\t63386\r\n\tDestination Address:\t239.255.255.250\r\n\tDestination Port:\t\t1900\r\n\tProtocol:\t\t17\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t144025\r\n\tLayer Name:\t\tConnect\r\n\tLayer Run-Time ID:\t48\r\n<\/pre>\n
Sample Event ID 5158 entry<\/strong><\/p>\n
Log Name:      Security\r\nSource:        Microsoft-Windows-Security-Auditing\r\nDate:          7\/19\/2022 11:27:51 AM\r\nEvent ID:      5158\r\nTask Category: Filtering Platform Connection\r\nLevel:         Information\r\nKeywords:      Audit Success\r\nUser:          N\/A\r\nComputer:      OptiPlex-9020\r\nDescription:\r\nThe Windows Filtering Platform has permitted a bind to a local port.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t7612\r\n\tApplication Name:\t\\device\\harddiskvolume2\\program files (x86)\\google\\chrome\\application\\chrome.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t60420\r\n\tProtocol:\t\t17\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t145279\r\n\tLayer Name:\t\tResource Assignment\r\n\tLayer Run-Time ID:\t38\r\n<\/pre>\n
The security event log getting bombarded with 100 events per minute is never a good thing. Not only it’s an unnecessary disk I\/O operation, but it also FIFOs out other vital security log data.<\/p>\n
Cause<\/h2>\n
Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. Windows Firewall is based on WFP.<\/p>\n
On a standard Windows installation, the Success\/Failure entries for “Filtering Platform Connection” aren’t audited\/logged. However, third-party software may have enabled auditing for this category. If auditing is enabled, Windows Filtering Platform generates the events 5156<\/code> and 5158<\/code> when it has allowed a connection. Event ID 5157<\/code> is written when WFP has blocked a connection.<\/p>\n
For more information on WFP auditing, see this Microsoft article<\/a>.<\/p>\n
This article tells you how to prevent a spate of “Filtering Platform Connection” events from being written to the Security event Log every minute.<\/p>\n
Solution<\/h2>\n
To stop Windows Filtering Platform from (“Filtering Platform Connection”) from logging Success and Failure events (5156<\/code>, 5157<\/code>, and 5158<\/code>) in the Security event log, follow these steps:<\/p>\n
Disable “Filtering Platform Connection” Success Audit<\/h3>\n
First, open an admin Command Prompt<\/a>.<\/p>\n
Type the following command and press Enter<\/kbd>:<\/p>\n
auditpol \/set \/subcategory:\"{0CCE9226-69AE-11D9-BED3-505054503030}\" \/success:disable \/failure:disable<\/pre>\n
\"windows<\/p>\n
That’s it. The Security event log should no longer get bombarded with events 5156<\/code>, 5157<\/code>, or 5158<\/code> from now on.<\/p>\n
\nOptionally<\/strong>, to verify if the auditing has been successfully disabled for “Success” and “Failure” events, run this command:<\/p>\n
auditpol \/get \/subcategory:\"{0CCE9226-69AE-11D9-BED3-505054503030}\"<\/pre>\n
You should see the following output:<\/p>\n
System audit policy\r\nCategory\/Subcategory                      Setting\r\nObject Access\r\n  Filtering Platform Connection           No Auditing<\/pre>\n
\"windows<\/p>\n
The above output means auditing is disabled (for both “Success” and “Failure” WFP events) and nothing will be logged. This is what we wanted.\n<\/p><\/div>\n
The security event log will have recorded the following event after the audit policy change:<\/p>\n
Log Name:      Security\r\nSource:        Microsoft-Windows-Security-Auditing\r\nDate:          7\/19\/2022 12:50:01 PM\r\nEvent ID:      4719\r\nTask Category: Audit Policy Change\r\nLevel:         Information\r\nKeywords:      Audit Success\r\nUser:          N\/A\r\nComputer:      OptiPlex-9020\r\nDescription:\r\nSystem audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tOPTIPLEX-9020\\ramesh\r\n\tAccount Name:\t\tramesh\r\n\tAccount Domain:\t\tOPTIPLEX-9020\r\n\tLogon ID:\t\t0x92A6F\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tObject Access\r\n\tSubcategory:\t\tFiltering Platform Connection\r\n\tSubcategory GUID:\t{0cce9226-69ae-11d9-bed3-505054503030}\r\n\tChanges:\t\tSuccess removed, Failure removed<\/strong><\/pre>\n
\n
“Filtering Platform Connection” Audit enables automatically?<\/h3>\n
On some systems, the WFP auditing may get re-enabled automatically in a few minutes. If you run the above “auditpol \/get ...<\/code>” command-line, you may see that audit of “Success and Failure<\/code>” entries have been switched on automatically (perhaps by some third-party security software installed on the computer.)<\/p>\n
\"windows<\/p>\n
Malwarebytes “Brute Force Protection” setting<\/h4>\n
If you’re using Malwarebytes Premium and have enabled the Brute Force Protection option in the Security tab, turn the setting off.<\/p>\n
If this setting is turned on, it enables WFP “Success and Failure” auditing automatically. Even if you disable auditing manually using auditpol.exe<\/code>, Malwarebytes re-enables WFP auditing every 4-5 minutes.<\/p>\n
Editor’s note:<\/strong> If you need the “Brute Force Protection” turned on and yet want to disable the WFP event logging, you may contact Malwarebytes support to see if a workaround is available.<\/em><\/p>\n
\"malwarebytes<\/p>\n
Once done, re-run the following command from the admin Command Prompt:<\/p>\n
auditpol \/set \/subcategory:\"{0CCE9226-69AE-11D9-BED3-505054503030}\" \/success:disable \/failure:disable<\/pre>\n
This disables the excessive logging of the Windows Filtering Platform (“Filtering Connection Platform”) “Success” and “Failure” events (Event ID 5156, 5157, and 5158).<\/p>\n
Alternatively, for diagnostic purposes, you can opt to log only the “Failure” entries using the auditpol.exe<\/code> command. The “Failure” entries would be significantly less in number when compared to “Success” entries.<\/em><\/p>\n
As of this blog post, Malwarebyte’s current version is 4.5.11.202<\/code> — Update package version is 1.0.57424<\/code> — Component package version is 1.0.1716<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"
When you open the Security Event log, the log may contain many “Filtering Platform Connection” events. The event ID of these entries maybe 5156 or 5158. The security log may record close to 100 events per minute, containing the event ID 5156 or 5158. This causes the security event log to become full very quickly. … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[779,303],"class_list":["post-26889","post","type-post","status-publish","format-standard","hentry","category-windows","tag-event-viewer","tag-malwarebytes"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":75211,"url":"https:\/\/www.winhelponline.com\/blog\/how-to-read-chkdsk-log-event-viewer\/","url_meta":{"origin":26889,"position":0},"title":"How to Read Chkdsk Log in the Event Viewer","author":"Ramesh","date":"May 16, 2024","format":false,"excerpt":"The Chkdsk utility checks the file system and file system metadata of a volume for logical and physical errors and repairs them. When you run Chkdsk c: \/r and schedule it for the next boot, Chkdsk runs the scan during the next boot. The results of the Chkdsk operation is\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"windows event log - filter current log","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/05\/chkdsk-event-log-wininit-chkdsk.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":5819,"url":"https:\/\/www.winhelponline.com\/blog\/fix-event-id-10016-distributedcom-error-event-log-dcomcnfg-permissions\/","url_meta":{"origin":26889,"position":1},"title":"Fix: Event ID 10016 DistributedCOM Errors Recorded in the Event Log","author":"Ramesh","date":"November 4, 2017","format":false,"excerpt":"Even in a fresh Windows 10 installation, you might see some DistributedCOM (DCOM) errors Event ID: 10016 in the System event log. Here are some sample events: Log Name: System Source: Microsoft-Windows-DistributedCOM Date: Event ID: 10016 Task Category: None Level: Error Keywords: Classic User: DESKTOP-JKJ4G5Q\\ramesh Computer: DESKTOP-JKJ4G5Q Description: The machine-default\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"dcom error filter event log xml","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/dcomncfg-filter-event-log.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/dcomncfg-filter-event-log.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/dcomncfg-filter-event-log.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/dcomncfg-filter-event-log.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":30558,"url":"https:\/\/www.winhelponline.com\/blog\/kb5020044-process-creation-audit-event-4688-1108\/","url_meta":{"origin":26889,"position":2},"title":"Event ID 1108\/4688 Process Creation Audit Issue Fixed in KB5020044","author":"Ramesh","date":"December 4, 2022","format":false,"excerpt":"If process creation audit is enabled, Windows is supposed to create an event log entry (ID: 4688) for every new process creation event. However, Windows 11 22H2 had a bug wherein the process creation audit logging didn't work. Instead, Windows 11 generated the event entry 1108 for each process creation\u2026","rel":"","context":"In "Windows 11"","block_context":{"text":"Windows 11","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-11\/"},"img":{"alt_text":"event id 1108 issue - 4688 process creation","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":19493,"url":"https:\/\/www.winhelponline.com\/blog\/jump-directly-to-specific-event-log-eventvwr\/","url_meta":{"origin":26889,"position":3},"title":"How to Jump to a Specific Event Log (Channel) Directly in Event Viewer","author":"Ramesh","date":"October 24, 2020","format":false,"excerpt":"The event logging service in Windows records important software and hardware events from various sources and stores them in a collection named event log. There are various event log channels in addition to the well-known built-in channels like Application, System, Security, etc.\u00a0The Event Viewer (eventvwr.msc or eventvwr.exe) enables you to\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"eventvwr command-line parameters list","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/eventvwr-commandline.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/eventvwr-commandline.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/eventvwr-commandline.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":1430,"url":"https:\/\/www.winhelponline.com\/blog\/fix-base-filtering-engine-service-startup-problems\/","url_meta":{"origin":26889,"position":4},"title":"How to Fix Base Filtering Engine Service Startup Problems","author":"Ramesh","date":"January 14, 2016","format":false,"excerpt":"The Base Filtering Engine (BFE) service is a crucial network component targeted by malware. If the BFE service doesn't start, many services, such as Windows Firewall, Routing, Remote Access, and others, fail to start. If the BFE service is missing from the Services MMC or the Action Center warns you\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"BFE service permissions fix - Services MMC","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/01\/bfe-permissions-10.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":10532,"url":"https:\/\/www.winhelponline.com\/blog\/trigger-launch-program-script-connecting-to-specific-network\/","url_meta":{"origin":26889,"position":5},"title":"Trigger a Program Upon Connecting to a Specific Network in Windows","author":"Ramesh","date":"July 30, 2019","format":false,"excerpt":"Depending upon the network you're connected to, you may want to run certain tasks. For instance, when you're connected to a specific network -- e.g., home network -- you may want to assign a different printer as the default, using command-line or script. This is especially needed in Windows 10\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"trigger launch program when connecting to a specific network connection","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/07\/trigger-run-program-network-connection-5.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/07\/trigger-run-program-network-connection-5.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/07\/trigger-run-program-network-connection-5.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/26889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=26889"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/26889\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=26889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=26889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=26889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}