Event ID: 5152

The Windows Filtering Platform has blocked a packet.

The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:     %1
    Application Name:   %2

Network Information:
    Direction:      %3
    Source Address:     %4
    Source Port:        %5
    Destination Address:    %6
    Destination Port:       %7
    Protocol:       %8

Filter Information:
    Filter Run-Time ID: %9
    Layer Name:     %10
    Layer Run-Time ID:  %11

This event generates when Windows Filtering Platform has blocked a network packet.

This event is generated for every received network packet.

Auditing: Rarely

Auditing this event is generally only recommended short-term for troubleshooting or security reasons.

Volume: High Very High

The volume is potentially very high since this event is logged for every network packet that is being blocked.

Microsoft Documentation

Event ID - 5152

Name		Field	Insertion String	OS	Example
	Protocol	Protocol	%8	Any	View Codes

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Filtering Platform Packet Drop"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:

Audit Failure

Audit Category:

Object Access

Audit Subcategory:

Filtering Platform Packet Drop

LEFT/RIGHT arrow keys for navigation

Back to List