Error Id 5152
Getting alot of Event ID 5152
Windows Server > Security

Question

I just happened to check the security logs on my Exchange 2010 server and noticed a lot of these event logs coming up. I'm getting them for other servers and user computers. What's causing this?

Monday, May 09, 2011 8:30 PM

Answer

Hi,

What is the operating system version on this server? Did you see the event 5157 at the same time in the Security log?

ID      Message
5152    The Windows Filtering Platform blocked a packet.

Event 5152 indicates that a packet (IP layer) is blocked. Event 5157 and Event 5152 are general Windows Firewall security audit events; you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it. Please try to check the detail to identify.

Just for your information, if you want to disable the security audit from Windows Firewall, run the following command:

    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable

For more information, please refer to the following link:

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx

Best Regards,
Nina Liu
https://social.technet.microsoft.com/Forums/windowsserver/en-US/6e0da75c-252c-4fd8-993b-0a4a97a713b3/getting-alot-of-event-id-5152?forum=winserversecurity

5152: The Windows Filtering Platform blocked a packet
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5152

This event logs all the particulars about a blocked packet including the filter that caused the block.

Application Information:
    Process ID: process ID specified when the executable started as logged in 4688
    Application Name: the program executable on this computer's side of the packet transmission

Description Fields in 5152

Application Information:
    Process ID: %1
    Application Name: %2
Network Information:
    Direction: %3
    Source Address: %4
    Source Port: %5
    Destination Address: %6
    Destination Port: %7
    Protocol: %8
Filter Information:
    Filter Run-Time ID: %9
    Layer Name: %10
    Layer Run-Time ID: %11

Examples of 5152

The Windows Filtering Platform blocked a packet.

Application Information:
    Process ID: 1132
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 224.0.0.252
    Source Port: 5355
    Destination Address: 10.42.42.213
    Destination Port: 56253
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 0
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44
Event 5152 (Failure Audit)
https://community.spiceworks.com/windows_event/show/452-microsoft-windows-security-auditing-5152
Source: Microsoft-Windows-Security-Auditing

Description

Event Type: Failure Audit
Event Source: Microsoft-Windows-Security-Auditing
Event Category: (12809)
Event ID: 5152
Date: 8/31/2009
Time: 10:06:03 AM
User: N/A
Computer:
Description: The Windows Filtering Platform blocked a packet.

Application Information:
    Process ID: 0
    Application Name: -
Network Information:
    Direction: %%14593
    Source Address:
    Source Port: 0
    Destination Address:
    Destination Port: 0
    Protocol: 1
Filter Information:
    Filter Run-Time ID: 19
    Layer Name: %%14601
    Layer Run-Time ID: 32

Associated Messages

message string data: 0, -, %%14592, 10.100.25.61, 49815, 255.255.255.255, 2223, 17, 79398, %%14597, 13
Jun 23, 2009

The Windows Filtering Platform blocked a packet.
Application Information:
    Process ID: 0
    Application Name: -
Network Information:
    Direction: %%14593
    Source Address: 192.168.100.158
    Source Port: 0
    Destination Address: 192.168.100.158
    Destination Port: 0
    Protocol: 1
Filter Information:
    Filter Run-Time ID: 70306
    Layer Name: %%14601
    Layer Run-Time ID: 32
Sep 01, 2009

message string data: 836, \device\harddiskvolume2\windows\system32\svchost.exe, %%14592, 0.0.0.0, 68, 255.255.255.255, 67, 17, 72181, %%14610, 44
Mar 29, 2010

message string data: 0, -, %%14592, 192.168.125.114, 65451, 192.168.125.181, 5800, 6, 65712, %%14597, 13
Apr 06, 2010

20K+ Event IDs 5152 in 1 Hour on 2x WinServer 2008 R2
http://www.edugeek.net/forums/windows-server-2008-r2/130733-20k-event-ids-5152-1-hour-2x-winserver-2008-r2.html
Windows Server 2008 R2

24th January 2014, 04:05 PM #1
Daryn

Hello All,

I've got 2x Win 2008 R2 servers on our school network, during the working day, both servers get flooded with at least 20 thousand Event ID 5152s each in a single hour! The IP address: 10.3.126.114 belongs to a staff laptop running Win7 Pro 64bit, and its last McAfee VirusScan 8.8 Patch 2 has come up negative for anything untoward.

I've Googled around the following;

• Getting alot of Event ID 5152
• Security Event ID 5152 by the thousands - Microsoft Community
• Stuff I figured out.: Windows Auditing can be annoying. (Shut up already)
• Notes on MS Integration, Administration, and Management: Resolve issue with multiple Event ID 5152 and 5157 appearing in the security event log

and some forums say it's a MS server 2008 bug that requires a hotfix, some say it's packets coming from Dropbox or Bonjour of the origin computer. The port numbers don't clearly point to any specific program. Lots of forums say it's harmless, and instruct to mute and ignore them. I'd rather not mute them as it would mask any other problems. None of these sites are giving a solid solution to the problem.

Anyone else come across this and wish to share their wisdom? Am I making a mountain out of a mole hill? or is this something