Weird Audit Policy behaviour

  • Question

  • Hi,

    I noticed my Event Log was recording many (several per second) 5156 events - The Windows Filtering Platform has permitted a connection. I'm running Windows 10 Pro and it's not connected to a Domain.

    After a bit of Googling I landed on using:

    Auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

    Then to check the setting had been changed, I ran:

    Auditpol /get /subcategory:"Filtering Platform Connection"

    which gave:

    System audit policy
    Category/Subcategory                      Setting
    Object Access
      Filtering Platform Connection           No Auditing

    Unfortunately, after a few seconds, re-running the command gives:

    System audit policy
    Category/Subcategory                      Setting
    Object Access
      Filtering Platform Connection           Success and Failure

    No matter how many times I issue the Set command, after a few seconds the audit settings revert to auditing all Object access.

    Can anyone explain why?

    Thanks.

    Friday, March 18, 2016 1:10 PM

Answers

  • Finally found the problem. I had installed Sphinx Software's Windows 10 Firewall Control. In order to operate it seems to need the events generated by Filtering Platform Connection and hence overrides any attempt to switch off logging of those events.
    • Marked as answer by bob55 Sunday, March 20, 2016 10:50 AM
    Sunday, March 20, 2016 10:50 AM

All replies

  • I can add that the Event Log records the following two events following the Auditpol /set command and SYSTEM reverting the setting. (I'm logged in as Bob.)

    System audit policy was changed.
    
    Subject:
    	Security ID:		GERBIL\bob
    	Account Name:		bob
    	Account Domain:		GERBIL
    	Logon ID:		0x8B168
    
    Audit Policy Change:
    	Category:		Object Access
    	Subcategory:		Filtering Platform Connection
    	Subcategory GUID:	{0cce9226-69ae-11d9-bed3-505054503030}
    	Changes:		Success removed, Failure removed

    Recorded 3s later:

    System audit policy was changed.
    
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		GERBIL$
    	Account Domain:		WORKGROUP
    	Logon ID:		0x3E7
    
    Audit Policy Change:
    	Category:		Object Access
    	Subcategory:		Filtering Platform Connection
    	Subcategory GUID:	{0cce9226-69ae-11d9-bed3-505054503030}
    	Changes:		Success Added, Failure added

    Saturday, March 19, 2016 10:48 AM
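The pattern in the two events quoted above, a change by one account undone seconds later by another, can be searched for mechanically. The following is an added example, not part of the original thread: it assumes the events were exported as text with a `TimeCreated:` line per event (the post gives no timestamps), and `parse_events` and `find_reverts` are hypothetical helper names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the events quoted above, trimmed to the fields used here.
# The "TimeCreated:" lines and the third event are assumptions for illustration.
SAMPLE = r"""
TimeCreated: 2016-03-19T10:47:52
    Security ID:     GERBIL\bob
    Subcategory:     Filtering Platform Connection
    Changes:         Success removed, Failure removed
TimeCreated: 2016-03-19T10:47:55
    Security ID:     SYSTEM
    Subcategory:     Filtering Platform Connection
    Changes:         Success Added, Failure added
TimeCreated: 2016-03-19T10:48:10
    Security ID:     GERBIL\bob
    Subcategory:     Filtering Platform Packet Drop
    Changes:         Success removed, Failure removed
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s+(\S.*)$")
UNDO = {"removed": "added", "added": "removed"}

def parse_events(text):
    """Turn 'Key: value' lines into one dict per event, split on TimeCreated."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):  # skips bare headers
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "TimeCreated":
            events.append({"time": datetime.fromisoformat(value)})
        elif events:
            events[-1][key] = value
    return events

def changes(ev):  # "Success removed, Failure removed" -> {"success": "removed", ...}
    return {k.lower(): v.lower() for k, v in (p.split() for p in ev["Changes"].split(","))}

def find_reverts(events, window=timedelta(seconds=10)):
    """Report changes undone by a different account on the same subcategory within `window`."""
    hits = []
    for i, first in enumerate(events):  # events are assumed to be in time order
        want = {k: UNDO.get(v) for k, v in changes(first).items()}
        for later in events[i + 1:]:
            gap = later["time"] - first["time"]
            if gap > window:
                break
            if (later["Subcategory"] == first["Subcategory"]
                    and later["Security ID"] != first["Security ID"] and changes(later) == want):
                hits.append((first["Subcategory"], first["Security ID"], later["Security ID"], gap.total_seconds()))
                break
    return hits
```

On the sample, only the "Filtering Platform Connection" change is reported as reverted; the constructed "Filtering Platform Packet Drop" change, which nothing undoes, is not.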
  • Just to add to the info, other policy settings seem to behave as you would expect. For example, I can set "Filtering Platform Packet Drop" to enable or disable, and the setting sticks. It's just "Filtering Platform Connection" that is causing the problem. There must be something that is overriding this one setting.

    Sunday, March 20, 2016 10:07 AM
  • Hi Bob,

    Thanks for sharing this issue.

    To check a weird issue like this, the first thing is to make your computer start up cleanly, as in a Clean boot, to avoid 3rd-party conflicts.

    Just like this issue, 3rd party software caused it, and I also learned from you.

    Monday, March 21, 2016 6:15 AM
    Owner