A lot of 5156 and 5152 events

WannaMurderMicrosoft

I run a torrent client and a firewall (a Windows firewall mod named TinyWall) and I have around 20 thousand 5156 and 5152 events per hour in Event Viewer.

Is that normal? How many do you get?

Does my firewall need those events?

Or are they there just to flood my event log, and should I stop auditing them?


From Microsoft:

5152: The Windows Filtering Platform blocked a packet. Event 5152 indicates that a packet (IP layer) is blocked. Event 5157 and Event 5152 are general Windows Firewall security audit, you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed.

5156: The Windows Filtering Platform has allowed a connection. This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port. The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.


21 minutes ago, Thomas4 said:

From Microsoft:

5152: The Windows Filtering Platform blocked a packet. Event 5152 indicates that a packet (IP layer) is blocked. Event 5157 and Event 5152 are general Windows Firewall security audit, you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed.

5156: The Windows Filtering Platform has allowed a connection. This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port. The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.

I know what they are, I just wanted to know if they were supposed to be there.

Anyway, meanwhile I ran Windows on a VM (kinda) and those events were not there, so my guess is that they are not supposed to be audited. Probably they were put there by Comodo firewall centuries ago.

I ran "auditpol /clear" in Command Prompt and the problem seems fixed. My firewall seems to be OK.


They are SUPPOSED to be there, this way MS can use the info to figure out how they FU'd this time so that in their next update they can figure out how to FU somewhere else or make the situation even worse. And on a very good day, do both!


  • 3 weeks later...
On 10/27/2022 at 3:27 AM, Thomas4 said:

They are SUPPOSED to be there, this way MS can use the info to figure out how they FU'd this time so that in their next update they can figure out how to FU somewhere else or make the situation even worse. And on a very good day, do both!

Yeah, you are probably right.

They are supposed to be there, but it looks like you were the only one able to open your Event Viewer to check.

What "auditpol /clear" does is just stop recording everything; it doesn't reset it as I thought.

Which I guess is fine; I might even save some CPU power. When was the last time the Event Viewer helped me anyway?
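An added example, not part of any post in this thread: instead of clearing the whole audit policy, it measures which applications generate the 5152/5156 volume and then turns off only the two Windows Filtering Platform subcategories that emit them, leaving other auditing (logon, account management and so on) in place. It assumes an elevated PowerShell session, the English subcategory names, and a backup path chosen for illustration.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# Assumption: English (en-US) subcategory names as shown by "auditpol /list /subcategory:*".

# 1. Measure: count the last hour's 5152/5156 events per event ID and application.
$filter = @{ LogName = 'Security'; Id = 5152, 5156; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The Application path is a named field inside the event's XML payload.
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Id          = $_.Id
        Application = ($data | Where-Object { $_.Name -eq 'Application' }).'#text'
    }
} | Group-Object Id, Application |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 2. Save the current policy so it can be put back later with:
#    auditpol /restore /file:<same path>
$backup = Join-Path $env:TEMP 'auditpol-backup.csv'   # example path (assumption)
auditpol /backup /file:$backup

# 3. Show the current setting of the two noisy subcategories.
#    5156 and 5157 come from "Filtering Platform Connection",
#    5152 comes from "Filtering Platform Packet Drop".
$noisy = 'Filtering Platform Connection', 'Filtering Platform Packet Drop'
foreach ($name in $noisy) {
    auditpol /get /subcategory:"$name"
}

# 4. Disable only those two subcategories; every other audit setting is untouched.
foreach ($name in $noisy) {
    auditpol /set /subcategory:"$name" /success:disable /failure:disable
}

# 5. Confirm: both should now read "No Auditing", the rest of the category unchanged.
auditpol /get /category:"Object Access"
```

If a domain Group Policy sets these subcategories, the local change is overwritten at the next policy refresh and has to be made in the GPO instead.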
