How to reproduce Event 5155: The Windows Filtering Platform has blocked an application or service from listening on a port
We are currently evaluating the new Windows Firewall events. Our goal is to reproduce all the possible events and create a custom OpsMgr Management Pack for WF monitoring. We found the list of all the IDs in KB article "Description of security events in Windows Vista and in Windows Server 2008" (http://support.microsoft.com/kb/947226). As far as we can understand, event ID 5155 (The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections) is the equivalent of event ID 861 (The Windows Firewall has detected an application listening for incoming traffic) in Windows Server 2003. The question is how we can reproduce Event 5155? We'd like to test it live and see if we can correctly process it in OpsMgr. If we run some program which attempts to listen for incoming traffic, we get another event ID 5031 (The Windows Firewall Service blocked an application from accepting incoming connections on the network).
April 28th, 2008 12:00pm

Hello, by default Windows Firewall won't prevent a port from being listened on by an application. The effective state is that the application doesn't receive because of the inbound rules. As you mentioned, Event 5031, which indicates that the application failed to receive, will be logged. This should be by design. In other words, the Windows system will not generate Event 5155 by itself. You can add your own filters using the WFP APIs to block listen to reproduce this event. http://msdn.microsoft.com/en-us/library/aa364947(VS.85).aspx Hope it helps.
May 2nd, 2008 12:58pm
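
The approach suggested in the reply above, as an added example that is not part of the original thread: a small C program that adds a dynamic WFP block filter at `FWPM_LAYER_ALE_AUTH_LISTEN_V4` for one local TCP port. The port 50555, the function name `block_listen_on_port` and the filter display name are assumptions chosen for the test; run it elevated, with failure auditing enabled for the Filtering Platform Connection subcategory, otherwise no 5155 record is written.

```c
#ifdef _WIN32                      /* Windows-only: the WFP user-mode API */
#include <windows.h>
#include <fwpmu.h>
#include <stdio.h>
#pragma comment(lib, "fwpuclnt.lib")   /* MSVC; with MinGW link -lfwpuclnt */

/* Adds a BLOCK filter at the ALE listen layer (TCP listen authorization)
   for local port `port`. On success *engine is an open dynamic session and
   the filter lives until FwpmEngineClose0(*engine). Returns a Win32 error. */
DWORD block_listen_on_port(UINT16 port, HANDLE *engine)
{
    FWPM_SESSION0 session = {0};
    FWPM_FILTER_CONDITION0 cond = {0};
    FWPM_FILTER0 filter = {0};
    DWORD rc;

    if (port == 0 || engine == NULL) return ERROR_INVALID_PARAMETER;
    session.flags = FWPM_SESSION_FLAG_DYNAMIC;  /* filter removed on session close */
    rc = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine);
    if (rc != ERROR_SUCCESS) return rc;

    cond.fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;   /* match only the test port */
    cond.matchType = FWP_MATCH_EQUAL;
    cond.conditionValue.type = FWP_UINT16;
    cond.conditionValue.uint16 = port;

    filter.displayData.name = L"Test: block listen (event 5155)"; /* assumed name */
    filter.layerKey = FWPM_LAYER_ALE_AUTH_LISTEN_V4;
    filter.action.type = FWP_ACTION_BLOCK;
    filter.weight.type = FWP_EMPTY;                 /* let the engine pick a weight */
    filter.numFilterConditions = 1;
    filter.filterCondition = &cond;                 /* subLayerKey zero: default sublayer */

    rc = FwpmFilterAdd0(*engine, &filter, NULL, NULL);
    if (rc != ERROR_SUCCESS) { FwpmEngineClose0(*engine); *engine = NULL; }
    return rc;
}

int main(void)
{
    HANDLE engine = NULL;
    DWORD rc = block_listen_on_port(50555, &engine); /* 50555: arbitrary test port */
    if (rc != ERROR_SUCCESS) { printf("failed: 0x%08lx\n", rc); return 1; }
    puts("Filter active. Start a TCP listener on port 50555, then press Enter.");
    getchar();                  /* keep the dynamic session open while testing */
    FwpmEngineClose0(engine);   /* closing the session removes the filter */
    return 0;
}
#endif
```

While the program waits, a TCP listener started on port 50555 has its `listen()` call refused by the filter, which is the condition Event 5155 records.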
