ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with network filtering logs and firewall activity
Event ID 5152InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 5152 – Windows Filtering Platform: Network Packet Blocked by Firewall

Event ID 5152 indicates Windows Filtering Platform blocked a network packet. This security audit event helps track firewall activity and identify blocked connection attempts on Windows systems.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 5152Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 5152 represents a fundamental component of Windows network security auditing. The Windows Filtering Platform operates at multiple network layers, intercepting packets before they reach their destination. When a packet matches a blocking rule, WFP generates this audit event with comprehensive details about the blocked traffic.

The event structure includes critical fields such as the Process ID of the application attempting the connection, the full executable path, network protocol details, source and destination IP addresses, port numbers, and the specific filter ID that caused the block. This information enables administrators to correlate blocked traffic with specific applications and firewall rules.

In enterprise environments, Event ID 5152 serves multiple purposes. Security teams use it for threat detection and incident response, identifying potential malware communication attempts or unauthorized network access. Network administrators leverage these events for troubleshooting connectivity issues and validating firewall rule effectiveness. The event also supports compliance requirements by providing detailed audit trails of blocked network activity.

The frequency of 5152 events varies significantly based on firewall configuration and network activity. Systems with restrictive firewall policies or those exposed to internet traffic may generate thousands of these events daily. Proper log management and filtering strategies become essential for maintaining system performance while preserving security visibility.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Windows Firewall rules blocking outbound or inbound connections
  • Third-party firewall software intercepting network traffic
  • Group Policy firewall settings preventing application communication
  • Windows Defender Firewall with Advanced Security blocking specific protocols
  • Network isolation policies in enterprise environments
  • Malware attempting unauthorized network connections
  • Applications trying to communicate through blocked ports
  • IPSec policies restricting network traffic
  • Windows Filtering Platform callout drivers blocking packets
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific details of Event ID 5152 to understand what traffic was blocked:

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 5152 using the Filter Current Log option
  4. Double-click a recent 5152 event to view details
  5. Note the following key fields:
    • Process ID and Application path
    • Source Address and Source Port
    • Destination Address and Destination Port
    • Protocol (TCP/UDP)
    • Filter Run-Time ID

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152} -MaxEvents 50 | Select-Object TimeCreated, @{Name='Application';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Application*'}).Split(':')[1].Trim()}}, @{Name='SourceIP';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Source Address*'}).Split(':')[1].Trim()}}
02

Check Windows Firewall Rules

Identify which firewall rule is blocking the traffic by examining Windows Defender Firewall configuration:

  1. Open Windows Defender Firewall with Advanced Security from Administrative Tools
  2. Check both Inbound Rules and Outbound Rules for blocking rules
  3. Look for rules with Action: Block that match the application or port from the 5152 event
  4. Use PowerShell to list all blocking rules:
Get-NetFirewallRule | Where-Object {$_.Action -eq 'Block' -and $_.Enabled -eq 'True'} | Select-Object DisplayName, Direction, Action, Program | Format-Table -AutoSize

To find rules affecting a specific application:

$AppPath = 'C:\Program Files\YourApp\app.exe'
Get-NetFirewallRule | Where-Object {$_.Program -eq $AppPath} | Get-NetFirewallPortFilter
Pro tip: Cross-reference the Filter Run-Time ID from the 5152 event with firewall rule GUIDs to identify the exact blocking rule.
03

Investigate Application Network Requirements

Determine if the blocked traffic represents legitimate application communication:

  1. Identify the application from the 5152 event details
  2. Check the application's documentation for required network ports and protocols
  3. Use Resource Monitor to observe the application's network activity:
    • Press Win + R, type resmon.exe
    • Go to the Network tab
    • Monitor the application's connection attempts
  4. Verify the destination IP addresses and ports against known services
  5. Use netstat to check active connections:
netstat -ano | findstr :443
Get-Process -Id [PID_FROM_NETSTAT]

For deeper analysis, use Process Monitor to track file and network access:

# Download and run Process Monitor (ProcMon) from Microsoft Sysinternals
# Filter by Process Name matching the blocked application
# Look for network-related operations that fail
Warning: Always verify that blocked applications are legitimate before creating firewall exceptions. Malware often generates 5152 events when attempting unauthorized network access.
04

Configure Firewall Exceptions and Monitoring

Create appropriate firewall rules to allow legitimate traffic while maintaining security:

  1. Create a new inbound or outbound rule in Windows Defender Firewall with Advanced Security
  2. Specify the application path, ports, and protocols identified in previous steps
  3. Use PowerShell to create firewall rules programmatically:
# Create outbound rule for specific application
New-NetFirewallRule -DisplayName 'Allow MyApp Outbound' -Direction Outbound -Program 'C:\Program Files\MyApp\myapp.exe' -Action Allow -Protocol TCP -RemotePort 443

# Create inbound rule for specific port
New-NetFirewallRule -DisplayName 'Allow Inbound Port 8080' -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow

Enable connection security auditing to monitor the new rule:

# Enable object access auditing
auditpol /set /subcategory:'Filtering Platform Connection' /success:enable /failure:enable

# Verify auditing is enabled
auditpol /get /subcategory:'Filtering Platform Connection'

Monitor the effectiveness of new rules by checking for Event ID 5156 (allowed connections):

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} -MaxEvents 20 | Where-Object {$_.Message -like '*MyApp*'}
05

Advanced WFP Analysis and Troubleshooting

Perform deep analysis of Windows Filtering Platform behavior for complex scenarios:

  1. Use WFP diagnostic tools to trace packet filtering decisions:
# Start WFP trace (requires elevated privileges)
netsh wfp capture start
# Reproduce the blocked connection
netsh wfp capture stop
# Analyze the capture file with netsh or WPA
  1. Examine WFP filters and callouts using netsh commands:
# List all WFP filters
netsh wfp show filters

# Show specific filter by ID (from 5152 event)
netsh wfp show filters filterid=[FILTER_ID]

# Display WFP state information
netsh wfp show state
  1. Check for conflicting security software or Group Policy settings:
# Review Group Policy firewall settings
Get-ItemProperty -Path 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\*' -Recurse

# Check for third-party firewall services
Get-Service | Where-Object {$_.DisplayName -like '*firewall*' -or $_.DisplayName -like '*security*'}
  1. Use Windows Performance Toolkit for advanced analysis:
# Create custom ETW trace for network events
wpr -start GeneralProfile -start Network
# Reproduce the issue
wpr -stop NetworkTrace.etl
Pro tip: In Windows 11 2026 updates, use the enhanced Network troubleshooter that can automatically correlate 5152 events with application requirements and suggest appropriate firewall rules.

Overview

Event ID 5152 fires when the Windows Filtering Platform (WFP) blocks a network packet based on firewall rules. This audit event appears in the Security log when packet filtering auditing is enabled. The event captures detailed information about blocked network traffic including source and destination addresses, ports, protocols, and the specific filter that triggered the block.

This event is crucial for network security monitoring and troubleshooting connectivity issues. Unlike Event ID 5156 which logs permitted connections, 5152 specifically tracks denied traffic. The event provides forensic data for security investigations and helps administrators understand which firewall rules are actively blocking traffic.

Windows generates this event through the Base Filtering Engine (BFE) service when WFP callout drivers process network packets. The event includes the Process ID, application path, and network layer information that triggered the filtering decision. This granular data makes 5152 invaluable for both security auditing and network troubleshooting scenarios.

Frequently Asked Questions

What does Windows Event ID 5152 mean and why should I care about it?+
Event ID 5152 indicates that Windows Filtering Platform blocked a network packet based on firewall rules. This event is crucial for security monitoring because it shows when applications or processes attempt network connections that your firewall policies deny. Each 5152 event contains detailed information about the blocked traffic including the source application, destination address, port numbers, and the specific firewall rule that caused the block. Security administrators use these events to detect potential malware communication attempts, troubleshoot legitimate application connectivity issues, and validate that firewall rules are working as intended.
How can I determine which firewall rule is causing Event ID 5152?+
The 5152 event contains a 'Filter Run-Time ID' field that corresponds to a specific Windows Filtering Platform filter. You can correlate this ID with firewall rules using the netsh command: 'netsh wfp show filters filterid=[ID]'. Additionally, examine the application path, destination port, and protocol in the event details, then check Windows Defender Firewall with Advanced Security for rules that match these criteria. Use PowerShell command 'Get-NetFirewallRule | Where-Object {$_.Action -eq 'Block'}' to list all blocking rules and compare them against the event details to identify the responsible rule.
Is Event ID 5152 always a security concern or can it indicate normal firewall operation?+
Event ID 5152 can indicate both normal firewall operation and potential security issues. Normal scenarios include legitimate applications being blocked by overly restrictive firewall rules, automatic Windows updates being blocked by corporate policies, or background services attempting connections through blocked ports. Security concerns arise when unknown applications attempt network access, when blocked traffic targets suspicious IP addresses or ports commonly used by malware, or when the frequency of blocks from a specific application suddenly increases. Always investigate the application path, destination addresses, and timing patterns to distinguish between normal operations and potential threats.
How do I stop getting too many Event ID 5152 entries without compromising security?+
To reduce excessive 5152 events while maintaining security, first analyze the most frequent blocked applications and destinations using PowerShell queries. Create specific firewall rules for legitimate applications rather than broad allow rules. Configure audit policy to log only failures for critical applications while reducing logging for known safe traffic. Use Event Log subscriptions to forward only relevant 5152 events to your SIEM system. Consider implementing firewall rule optimization by consolidating similar rules and removing redundant blocking rules. In Windows 11 2026, use the enhanced filtering options in Advanced Audit Policy Configuration to selectively audit only high-priority network filtering events.
Can Event ID 5152 help me detect malware or unauthorized network activity?+
Yes, Event ID 5152 is valuable for malware detection and security monitoring. Malware often generates distinctive 5152 patterns such as attempts to contact command-and-control servers, connections to suspicious IP addresses or domains, unusual port usage, or network activity from unexpected application paths. Look for applications running from temporary directories, system processes attempting external connections, or repeated connection attempts to the same external addresses. Correlate 5152 events with process creation events (4688) and file access events to build a complete picture of potentially malicious activity. Establish baselines of normal 5152 activity to identify anomalies that may indicate compromise or unauthorized software installation.
Documentation

References (2)

1
Microsoft Learn - Windows Filtering Platform ArchitectureComprehensive documentation of Windows Filtering Platform architecture and packet processinghttps://learn.microsoft.com/en-us/windows-hardware/drivers/network/windows-filtering-platform-architecture-overview
2
Microsoft Security Auditing Events ReferenceOfficial reference for Windows security audit events including network filtering eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5152#windows-firewall#network-security

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...