The Windows Filtering Platform has blocked a bind to a local port.
I recently came across this problem while reviewing auditing logs on a Server 2008 SP2 machine - but to my surprise this was a false alarm.
The Windows Filtering Platform has blocked a bind to a local port.Application Information: Process ID:Â Â 976 Application Name:Â \device\harddiskvolume1\windows\system32\svchost.exeNetwork Information: Source Address:Â Â fe80::58b4:5ea5:fc97:b422 Source Port:Â Â 546 Protocol:Â Â 17Filter Information: Filter Run-Time ID:Â 0 Layer Name:Â Â Resource Assignment Layer Run-Time ID:Â 38
As you can see, Filter Run-Time ID is equal to 0. Also, the layer name is Resource Assignment.
According to Biao Wang over on MSDN, this is a bug discovered in Windows Filtering Platform:
http://social.msdn.microsoft.com/Forums/en-US/wfp/thread/774026e6-a771-418a-b531-22183ef399f8/
Also this KB article details the symptoms, as well as a hotfix:
http://support.microsoft.com/kb/969257
The root cause is the Windows Filtering Platform is still used by other parts of the OS, like IPSec, even when the firewall service is disabled. Furthermore, firewall filtering rules will still be in effect.
Many of us are accustomed to disabling the Windows Firewall service to disable the firewall, rather than going through firewall.cpl.
The easiest way to resolve this in our environment was to re-enable the Windows Firewall service, and this run firewall.cpl and select Turn Windows Firewall on or off and click "Off (Not Recommended)".
Leave a comment