Windows Server: Troubleshoot Event ID 5032 — Firewall Service Block Notifications

Event ID 5032 — Firewall Service Block Notifications

Applies To

Windows Server 2008, Windows Server 2008 R2

(This wiki page is part of a pilot program to remove topics such as this one from the TechNet and MSDN libraries and move them to the wiki. We plan to do a better job of helping customers than the repeated instructions to go to the forums seen in the thread history at the end of this article.)

Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. This notification is turned on by default in Windows Vista, and turned off by default in Windows Server 2008.

When appropriate auditing events are enabled (http://go.microsoft.com/fwlink/?linkid=92666), Windows reports when applications are blocked by the firewall.

Event Details

Product

Windows Operating System

Event ID

5032

Source

Microsoft-Windows-Security-Auditing 

Version

6.0

Symbolic Name

SE_AUDITID_ETW_FIREWALL_UPCALL_NOTIFICATION_ERROR

Message

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.


Error Code:%t%1


Resolve

Evaluate your network applications to ensure proper operation

The presence of this event at or near the start of the computer or for non-interactive system processes is normal, and typically does not indicate an error condition.

  • Many network services run as non-interactive processes that cannot access the user session, and therefore cannot display the block notification.
  • Some network services start before the firewall service is ready to process notifications. If the event occurred later, after the firewall service had started and was ready to process notifications, Windows would have generated event 5031 instead.

If you want to determine which process triggered the event, you can perform the following procedure.

To determine the process that caused the event

  1. In Event Viewer, find event 5032 in the Security log. Note: You can only investigate events for processes that are still running with the same process ID number as when the event was logged. If the computer or the process has been restarted since the event was logged then the process ID number is likely different.
  2. In the details pane, click the Details tab, and then expand the System node.
  3. Expand the Execution node, and note the value for Process ID.
  4. Open Task Manager by pressing CTRL+SHIFT+ESC.
  5. Select the Processes tab.
  6. Click View, and then click Select Columns.
  7. Check PID (Process Identifier), and then click OK.
  8. Click the PID column header to sort the entries by that value.
  9. If the PID that you identified in step 3 does not appear, then the process is either no longer running, or it is a system process, or a process owned by another user.
  10. To see processes from other users, click Show processes from all users.
  11. If the User Account Control dialog box appears, make sure that it is for an action you want, and then click Continue.
  12. If the process now appears (and did not in step 9), then it is most likely a system process, and the event does not indicate an error condition. For example, the LSASS.exe process is a common entry. You can ignore this event if it is generated by a system, non-interactive service such as LSASS.exe.
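
The same lookup can be scripted. The following PowerShell is an added example, not part of the original article. It assumes an elevated session on a system where Get-WinEvent is available (PowerShell 2.0 or later), and its status wording and 20-event limit are choices made for this example. It also compares each process start time with the event time to catch a reused process ID.

```powershell
# Read recent 5032 events from the Security log (elevation required).
# @() keeps the loop from running when no events are found.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5032 } `
            -MaxEvents 20 -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    # ProcessId is the System > Execution > ProcessID value from the Details tab.
    if ($e.ProcessId -eq $null) { continue }

    $name   = $null
    $status = 'PID not running (process exited or computer restarted)'
    $proc   = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue

    if ($proc) {
        $name    = $proc.ProcessName
        $started = $null
        # StartTime can be unreadable for protected system processes.
        try { $started = $proc.StartTime } catch { }

        if (-not $started) {
            $status = 'Running, start time unavailable'
        }
        elseif ($started -gt $e.TimeCreated) {
            # The PID now belongs to a process that did not exist at event time.
            $status = 'PID reused: process started after the event was logged'
        }
        else {
            $status = 'Running since before the event was logged'
        }
    }

    New-Object PSObject -Property @{
        TimeCreated = $e.TimeCreated
        LoggedPID   = $e.ProcessId
        ProcessName = $name
        Status      = $status
    }
}

$report | Select-Object TimeCreated, LoggedPID, ProcessName, Status |
    Format-Table -AutoSize
```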

If you turn notifications off, these messages no longer appear in the event log. However, doing so means that Windows no longer automatically creates firewall rules after notifying you and getting permission. This means that you must manually enable or create firewall rules for all applications that require inbound unsolicited network traffic.

To turn off block notifications by using the Firewall Microsoft Management Console (MMC) snap-in:

  1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, make sure that it is for an action you want, and then click Continue.
  3. In the navigation pane of the snap-in, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
  4. In the Properties dialog box, click the Domain, Private, or Public tab for the network location type that you want to modify.
  5. In the Settings section, click Customize.
  6. In the Firewall settings section, next to Display a notification, the current setting is displayed.
  7. Click No, and then click OK to close the dialog box.
  8. Close the MMC snap-in.

If you need to re-enable notifications, follow the same steps, but select Yes in step 7.

To turn off block notifications by using the netsh advfirewall command-line tool:

  • At a command prompt with administrator permissions, type the command:

    netsh advfirewall set profile settings inboundusernotification disable

    where profile is one of the following values: allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile.

If you need to re-enable notifications, follow the same step, but change disable to enable.

Other possible causes

In rare situations, such as when memory resources are extremely low, Windows cannot display the notification, and you therefore cannot instruct the firewall to allow the program in the future. This failure is not considered a security risk because the firewall continues to block the program, but it might prevent a needed program from operating correctly. If memory resources are low, then you must reduce the memory load on your computer by closing programs that are not needed. If the problem occurs frequently, you might need to add memory to the computer to avoid the low resource situation.

Verify

By default, on Windows Server 2008, user notifications about blocked applications are disabled, and all notifications are made by using the security audit events only.

By default, on Windows Vista, Windows Firewall is configured to notify the user that an application has been blocked, and it prompts the user to take one of the following actions: "Keep Blocking," "Allow," or "Ask me later." The "Ask me later" option continues blocking the application, but causes the user prompt to display again the next time the application starts.

To verify the setting by using the Firewall Microsoft Management Console (MMC) snap-in:

  1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, make sure that it is for an action you want, and then click Continue.
  3. In the navigation pane of the snap-in, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
  4. In the Properties dialog box, click the Domain, Private, or Public tab for the network location type that you want to modify.
  5. In the Settings section, click Customize.
  6. In the Firewall settings section, next to Display a notification, the current setting is displayed.
  7. If you need to change the setting, click the button, select either Yes (default) or No, and then click OK to close the dialog box.

To verify the setting by using the netsh advfirewall command-line tool:

  1. At a command prompt with administrator permissions, type the command:

    netsh advfirewall show allprofiles settings

  2. In the output section of each profile, look for the InboundUserNotification value. It will say Enable or Disable.
  3. If you need to change the setting, type the following command:

    netsh advfirewall set profile settings inboundusernotification value

    where profile is one of the following values: allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile, and value is either enable or disable.
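
To check all profiles at once, the netsh output can be parsed. The following PowerShell is an added example, not part of the original article. It assumes English-language netsh output in which each profile section begins with a "<Name> Profile Settings:" header line, and the MatchesServer2008Default column name is made up for this example.

```powershell
# Run from a command prompt with administrator permissions.
# Assumption: each profile section starts with "<Name> Profile Settings:".
$section = $null

$result = foreach ($line in (netsh advfirewall show allprofiles settings)) {
    if ($line -match '^(\w+) Profile Settings:') {
        # Remember which profile the following lines belong to.
        $section = $Matches[1]
    }
    elseif ($line -match '^\s*InboundUserNotification\s+(\S+)') {
        $value = $Matches[1]
        New-Object PSObject -Property @{
            Profile                   = $section
            InboundUserNotification   = $value
            # Windows Server 2008 ships with notifications disabled.
            MatchesServer2008Default  = ($value -eq 'Disable')
        }
    }
}

$result | Select-Object Profile, InboundUserNotification, MatchesServer2008Default |
    Format-Table -AutoSize
```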

For more information

Related Management Information

Firewall Service Block Notifications (TechNet Library)

Windows Firewall with Advanced Security (TechNet Library)

Comments
  • "We plan to do a better job" For 38 years, never thought I'd hear those words FROM Microsoft. Whatever happens, thank you for wanting to do a reasonably good job.

    Michael Vallino  mvallino@hotmail.com

  • If I have a disk volume mounted as a directory by using the following command:

    mountvol "C:\Applications\" \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxx}\

    and then disable the access to the volume by its own drive letter:

    mountvol D:\ /d

    ("\\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxx}\" is drive D:'s volume name)

    Then, any program in the mounted directory that attempts to listen for incoming network traffic won't trigger the firewall notification, and there's no way to configure the firewall to make such a program work properly, unless the firewall is entirely disabled.

    How to resolve this problem?
