Numerous occurrences involving 5156 and 5152
Numerous occurrences involving 5156 and 5152
You're seeing a high volume of events—around 20,000 per hour for both 5156 and 5152. That's quite intense. It could be normal if your torrent client is generating a lot of data, but it might also indicate excessive logging or misconfigurations. Your firewall, especially TinyWall, may be triggering many alerts due to its strict filtering rules. Check if the events are legitimate or if you can adjust the firewall settings to reduce noise.
From Microsoft ID Message. 5152 The Windows Filtering Platform intercepted a packet. Event 5152 shows a blocked packet at the IP layer. Events 5157 and 5152 relate to general Windows Firewall security checks; examine the blocked connection details to determine if it should be permitted. 5156 The Windows Filtering Platform has granted a connection. This log records each instance where WFP permits a program to link with another process (on the same or distant machine) via TCP or UDP port. The provided scenario illustrates WFP enabling a DNS Server service to connect with its client on the same system.
I understand what you're referring to. Just wanted to confirm if they were meant to be there. In the meantime, I tried running Windows on a VM and those events didn't appear, suggesting they weren't intended for auditing. It's likely they were added by a Comodo firewall long ago. When I executed "auditpol /clear" in the command prompt, the issue resolved, and my firewall appears to be functioning properly.
They are meant to be present, allowing MS to analyze the data and determine how to exploit it in future updates. On a perfect day, we can do both!
It seems you're questioning the functionality of the "auditpol /clear" command. It actually disables recording rather than resetting it, which might explain why you didn't notice any changes. I wonder how often the event viewer has assisted you in the past?