The Windows Filtering Platform has blocked a bind to a local port

    Question

  •  

    I tried looking but could not find anything listed in the forms to help me here so I am starting new. I am running into a problem with Windows Vista WFP. Not sure why it is blocking this program. I use this to login into my network PCs all the time when I was on Windows XP. Now I am testing Windows Vista Business to see what issues I will have before upgrading. So far all program and hardware problems have been solved except this. This one has me stumped. The computer is running Windows Vista Business with SP1. Every 1 out of 10 attempts to use this program I am able to connect to the remote computer. The other 9 times I get this error popping up in the security event log.

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/9/2008 3:23:30 PM
    Event ID:      5159
    Task Category: Filtering Platform Connection
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A

    Description:
    The Windows Filtering Platform has blocked a bind to a local port.

    Application Information:
                Process ID:                  4732
                Application Name:      \device\harddiskvolume1\program files\desktop delivery\rcmngs.exe

    Network Information:
                Source Address:                      0.0.0.0
                Source Port:                1024
                Protocol:                      17

    Filter Information:
                Filter Run-Time ID:    0
                Layer Name:               Resource Assignment
                Layer Run-Time ID:   36
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>5159</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2008-10-09T20:23:30.256Z" />
        <EventRecordID>16966</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="48" />
        <Channel>Security</Channel>
        <Security />
      </System>
      <EventData>
        <Data Name="ProcessId">4732</Data>
        <Data Name="Application">\device\harddiskvolume1\program files\desktop delivery\rcmngs.exe</Data>
        <Data Name="SourceAddress">0.0.0.0</Data>
        <Data Name="SourcePort">1024</Data>
        <Data Name="Protocol">17</Data>
        <Data Name="FilterRTID">0</Data>
        <Data Name="LayerName">%%14608</Data>
        <Data Name="LayerRTID">36</Data>
      </EventData>
    </Event>

     

    Thursday, October 23, 2008 2:30 PM

Answers

  • Hi All,

    We recently discovered a bug in WFP which erroneously spews out audits about blocking "bind to a local port" while the bind() calls are in fact permitted.

    The symptom is that, as some of you observed, the "FilterRTID" field is 0. The bug manifests when there is no filter registered at WFP ALE_RESOURCE_ASSIGNMENT layers.

    We are fixing this issue in Windows 7. For Vista, you can ignore the audit entry if FilterRTID is 0 for ALE_RESOURCE_ASSIGNMENT layers block audit events.

    Thanks,
    Biao.W.
    Monday, February 02, 2009 10:16 PM
    Owner
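
    The triage rule from the answer above, as an added example (not part of the original thread and not Microsoft's code): it parses exported Security-log event XML and separates 5159 events with FilterRTID 0 at the Resource Assignment layer from events that still need investigation. The sample events are constructed from the fields quoted in this thread; the record IDs, the non-zero filter ID 70001 and the verdict names are assumptions made for illustration.

```python
"""Triage exported Security-log WFP audit events such as 5159."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_TAG = "{%s}Event" % NS["e"]
BIND_BLOCKED = 5159
# LayerName token the events in this thread show for "Resource Assignment".
RESOURCE_ASSIGNMENT = "%%14608"


def make_event(record_id, event_id, app, filter_rtid, layer):
    """Build one constructed <Event> carrying only the fields triage needs."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<EventRecordID>{record_id}</EventRecordID></System><EventData>"
        f'<Data Name="Application">{app}</Data>'
        f'<Data Name="FilterRTID">{filter_rtid}</Data>'
        f'<Data Name="LayerName">{layer}</Data></EventData></Event>'
    )


# Constructed sample modelled on the events quoted in the thread. Record IDs
# and the non-zero filter ID 70001 are invented for illustration.
SAMPLE = "<Events>" + "".join([
    make_event(1, 5159, r"\device\harddiskvolume1\program files\desktop delivery\rcmngs.exe", 0, "%%14608"),
    make_event(2, 5159, r"\device\harddiskvolume1\windows\system32\taskeng.exe", 0, "%%14608"),
    make_event(3, 5159, r"\device\harddiskvolume1\program files\desktop delivery\rcmngs.exe", 70001, "%%14608"),
    make_event(4, 5157, r"\device\harddiskvolume1\windows\system32\lsass.exe", 0, "%%14611"),
]) + "</Events>"


def classify(event_id, data):
    """Return a verdict for one WFP audit event."""
    try:
        rtid = int(data.get("FilterRTID", ""))
    except ValueError:
        return "malformed"            # field missing or not a number
    if rtid != 0:
        return "blocked-by-filter"    # a registered filter matched: look it up
    if event_id == BIND_BLOCKED and data.get("LayerName") == RESOURCE_ASSIGNMENT:
        return "spurious"             # the case the answer says can be ignored
    return "unexplained"              # FilterRTID 0 outside that case: keep it


def triage(xml_text):
    """Parse one <Event> or a wrapper holding several; return one row per event."""
    root = ET.fromstring(xml_text)
    results = []
    for ev in root.iter(EVENT_TAG):
        event_id = int(ev.findtext("e:System/e:EventID", default="0", namespaces=NS))
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        results.append({
            "record": ev.findtext("e:System/e:EventRecordID", default="", namespaces=NS),
            "event_id": event_id,
            "application": data.get("Application", ""),
            "filter_rtid": data.get("FilterRTID", ""),
            "verdict": classify(event_id, data),
        })
    return results


def actionable(results):
    """Drop only the events covered by the known false-audit case."""
    return [r for r in results if r["verdict"] != "spurious"]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["record"], row["event_id"], row["verdict"], row["application"])
```

    Only the exact combination described in the answer is suppressed; a FilterRTID of 0 on other event IDs or layers, as later posts in this thread report for 5157, stays in the review queue.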

All replies

  •  

    Are you using Windows Firewall?  Do you have multiple firewalls?  In any case, this is indicating there is a filtering rule (put in place by a firewall (or like) product) that is blocking UDP port 1024 traffic from app rcmngs.exe.

     

    You will need to go into your firewall product and remove the offending rule.

    Thursday, November 06, 2008 6:27 PM
    Moderator
  • I am getting the same error. The Windows 2008 firewall is off. I am using NTsyslog to write to a syslog daemon on another server.  How do I turn this off?

    Tuesday, November 18, 2008 3:50 PM
  •  

    For troubleshooting purposes (I would highly recommend against this config in a production environment) you can turn off the BFE service.  This has the implication of disabling IPsec and many firewall / filtering products.  Your better option is to configure whatever firewall product is on the system that is causing the block.

    Wednesday, November 19, 2008 7:08 PM
    Moderator
  • BUMP.  Sorry to hijack this thread, but I receive this same message on a Windows Server 2008 box, which does not have Windows Firewall turned on.  I would like to know how to configure the filtering rules if Windows Firewall is turned off.  I have no other applications which are capable of using BFE.

     

    The machine affected has the following software installed:

    • Microsoft Windows Server 2008 Enterprise Edition
      • Web Server Role
    • Microsoft Team Foundation Server 2008
    • Microsoft SQL Server 2005 Reporting Services

    The machine has auto-updates turned on, and receives its updates from a local WSUS server. Using the Windows Firewall connection rules, I receive this error when I try to run SQL Reporting Services, particularly when I try to create a new database (on a remote server).  

     

    If I turn off Windows Firewall, I receive the same error.  If I turn off the Base Filtering Engine, I still cannot connect to the database server, but there are no audit failures logged.  My installation requires IPsec, so this is not an option anyway.

     

    I have this error on many other Windows Server 2008 machines, but this particular machine has the smallest footprint.  The error does not occur for a Windows Server 2003 machine, which has a similar specification (and the task occurs using the same user account).  Group Policy ensures that the calling user has access to all required privileges.

     

    I am a developer and will do almost anything to the machine to remove this error (short of writing a new UI to configure WFP to remove someone's overzealous filtering rules).  I will happily write code in C++ or C#, if it's less than 300 lines (I have other things to do, besides this).

     

    P.S. I would like to rename this feature to the "Productivity Filtering Platform".  Someone has gone to great pains to make sure that every journalist on earth has published an intro article on Windows Filtering Platform, which makes the signal to noise ratio very high.  Searching the internet for "Windows Filtering Platform" results in a non-stop list of introductions and nothing even half technical.  There are A LOT of people posting questions on this topic, and so far I have not seen a single answer.  Dusty Harper's recommendation to turn off BFE is the closest I've seen (but I want IPsec, so it's unworkable).

     

    Tuesday, January 13, 2009 6:57 AM
  • Another question:  Does the Windows Filtering Platform enforce Windows Firewall outbound rules, when Windows Firewall is off?  Ie, do I need to configure them if I don't want WF?

    Tuesday, January 13, 2009 7:00 AM
  • I also see these errors on W2008 and wonder if they are related to a SSRS 2005 uninstall problem I'm having.  I went the extra step of disabling the firewall using netsh before stopping and disabling the MpsSvc service. 


    netsh firewall set opmode mode = disable profile = ALL

     

    Perhaps the old way of disabling the firewall is no longer valid?  Does the MpsSvc service need to be enabled for the OS to work correctly?  Do I need to leave it enabled and disable the firewall for interfaces?  (If so, I could use an example.) 

     

    If global policy is causing this, how does one figure out what the problem really is?  The machine is in an OU that blocks domain policy, but I don't know what might have been the case when the OS was installed and the image made. 

     

    If this is a bug, then I would like to know that so I can go on to other things while waiting for a patch. 

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/12/2009 4:57:51 PM
    Event ID:      5159
    Task Category: Filtering Platform Connection
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xxx

    Description:
    The Windows Filtering Platform has blocked a bind to a local port.

    Application Information:
     Process ID:  2008
     Application Name: \device\harddiskvolume1\windows\system32\taskeng.exe

    Network Information:
     Source Address:  127.0.0.1
     Source Port:  53066
     Protocol:  17

    Filter Information:
     Filter Run-Time ID: 0
     Layer Name:  Resource Assignment
     Layer Run-Time ID: 36
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>5159</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2009-01-13T00:57:51.523Z" />
        <EventRecordID>281173</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="80" />
        <Channel>Security</Channel>
        <Computer>xxxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="ProcessId">2008</Data>
        <Data Name="Application">\device\harddiskvolume1\windows\system32\taskeng.exe</Data>
        <Data Name="SourceAddress">127.0.0.1</Data>
        <Data Name="SourcePort">53066</Data>
        <Data Name="Protocol">17</Data>
        <Data Name="FilterRTID">0</Data>
        <Data Name="LayerName">%%14608</Data>
        <Data Name="LayerRTID">36</Data>
      </EventData>
    </Event>

    Tuesday, January 13, 2009 4:49 PM
  •  

    If you decide to turn off the Windows Firewall, you need to make sure you disable it  in the proper manner, otherwise you will have persistent filters affecting your traffic.  In the Windows Firewall control panel (firewall.cpl), make sure you select 'Turn Windows Firewall on or off' and select 'Off (Not Recommended)'.  Alternatively you can use netsh.exe and run

    'Netsh.exe AdvFirewall Set CurrentProfile State Off'.

     

    MPSSvc is a required service for IPsec Policy to continue to function.  It also just happens to house Windows Firewall functionality as well.  If using IPsec, do not turn off this service.  Additionally if you do not turn off Windows Firewall, and just stop this service, you will be hit with Windows Firewall's persistent policy (hence the reason to disable the firewall as stated above).

     

    Note also that there is a period of time when you start your machine and TCPIP.sys is loaded until the BFE service successfully starts.  This is known as boottime.  This period of time will enforce any boottime filters on the box, but will stop enforcing them when BFE starts successfully.

     

    You can programmatically add filters to Windows Firewall to explicitly allow the traffic you are seeing blocked.

    http://msdn.microsoft.com/en-us/library/aa366453.aspx is a good place to start for this.

     

    I hope this helps.

     

    • Proposed as answer by egrylls Monday, September 19, 2011 9:26 PM
    Wednesday, January 14, 2009 9:30 PM
    Moderator
  • Dusty,

     

    I think you just wrote your first KB article and the title should be, "The Windows Filtering Platform has blocked a bind to a local port".

     

    Symptoms:

    • Windows Firewall is off
    • Packets are still dropped

    This is a huge issue for just about everyone who uses Windows Server 2008 behind a firewall.  It's common practice to disable internal firewalls when you have a good perimeter in place.  Most people would expect that a firewall drops packets when it's on and stops dropping packets when the service is off.  It's obvious that has changed now, but there are a number of people who are not aware of the change - I was one of them until I read this post.

     

    If you google the topic of this post, you will see the extent of this issue.  It's huge and most people think it's a bug when it isn't.  It's not good for selling copies of Windows Server 2008.

     

    Personally, I think there should be special functionality so that an Administrator running a signed application from a trusted publisher should have rights to do anything they wish.  The default rights for the system allow this, including changing the firewall policy. 

     

    If the system were compromised at an Administrator level, the firewall rules could be easily changed by the attacker allowing the traffic to pass.  Therefore it's not protection, it's just a minor inconvenience for any would-be attacker.  For the unaware administrator, it results in a productivity loss.  I'm a fan of stringent security, but only if it actually works.  Given the conditions above it's not security.

     

    The downside to this is that if they then do something dumb to their own systems, the system should allow that too.  I guess that would be the IT version of natural selection. 

     

    Thanks for the info - it will be a great help to many

     

     

    Matt.

     

     

    Friday, January 16, 2009 4:48 AM
  • Biao,

    I've spent hours trying to track this message down.  Please post your answer to Vista knowledge base.  Also, I don't understand why Microsoft would fix it in a beta product and not the current production version -- Vista.
    Thursday, February 26, 2009 2:54 PM
  • Hotfix: http://support.microsoft.com/kb/969257

    Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

    Friday, August 28, 2009 3:06 PM
  • Evidently this issue did NOT get fixed in Windows 7, and that's what I am running, and the erroneous messages are still generated. 

     

    My solution:  Do NOT use Windows firewall or security services.  Turn them off, disable the BFE service and, if you feel the need to run a firewall product, get a third party product that gives you control over what to block.

     

    Thanks

    Friday, June 11, 2010 2:30 PM
  • I am still seeing this in Windows 7.  Is there a hot fix on the way for Windows 7?
    Friday, July 23, 2010 9:41 PM
  • Can you verify that the FilterID associated with the FilterRTId is 0?

     <Data Name="FilterRTID">0</Data>

    Thanks


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, July 27, 2010 4:21 PM
    Moderator
  • Hi,

    I can confirm this

     

    Log Name:   Security
    Source:    Microsoft-Windows-Security-Auditing
    Date:     8/23/2010 9:32:06 AM
    Event ID:   5159
    Task Category: Filtering Platform Connection
    Level:     Information
    Keywords:   Audit Failure
    User:     N/A
    Computer:   xxxxxx.xx.xxx.xx
    Description:
    The Windows Filtering Platform has blocked a bind to a local port.
    
    Application Information:
    	Process ID:		2500
    	Application Name:	\device\harddiskvolume1\windows\system32\cpqmgmt\cqmghost\cqmghost.exe
    
    Network Information:
    	Source Address:		0.0.0.0
    	Source Port:		52151
    	Protocol:		17
    
    Filter Information:
    	Filter Run-Time ID:	0
    	Layer Name:		Resource Assignment
    	Layer Run-Time ID:	36
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
      <EventID>5159</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12810</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2010-08-22T23:32:06.072Z" />
      <EventRecordID>960995</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="92" />
      <Channel>Security</Channel>
      <Computer>xxxx.xx.xxx.xx.xx</Computer>
      <Security />
     </System>
     <EventData>
      <Data Name="ProcessId">2500</Data>
      <Data Name="Application">\device\harddiskvolume1\windows\system32\cpqmgmt\cqmghost\cqmghost.exe</Data>
      <Data Name="SourceAddress">0.0.0.0</Data>
      <Data Name="SourcePort">52151</Data>
      <Data Name="Protocol">17</Data>
      <Data Name="FilterRTID">0</Data>
      <Data Name="LayerName">%%14608</Data>
      <Data Name="LayerRTID">36</Data>
     </EventData>
    </Event>

     

    The firewall is disabled.

    This is software from HP for hardware configuration / monitoring.

    And interestingly I have the following as well

     

    Log Name:   Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 8/23/2010 9:31:17 AM
    Event ID: 5159
    Task Category: Filtering Platform Connection
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: xxxxx.xx.xxxx.xxx.xx
    Description:
    The Windows Filtering Platform has blocked a bind to a local port.

    Application Information:
    Process ID: 648
    Application Name: \device\harddiskvolume1\windows\system32\lsass.exe

    Network Information:
    Source Address: 0.0.0.0
    Source Port: 52146
    Protocol: 17

    Filter Information:
    Filter Run-Time ID: 0
    Layer Name: Resource Assignment
    Layer Run-Time ID: 36
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5159</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-22T23:31:17.516Z" />
    <EventRecordID>960985</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>xxxxx.xx.xxxx.xxx.xx</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="ProcessId">648</Data>
    <Data Name="Application">\device\harddiskvolume1\windows\system32\lsass.exe</Data>
    <Data Name="SourceAddress">0.0.0.0</Data>
    <Data Name="SourcePort">52146</Data>
    <Data Name="Protocol">17</Data>
    <Data Name="FilterRTID">0</Data>
    <Data Name="LayerName">%%14608</Data>
    <Data Name="LayerRTID">36</Data>
    </EventData>
    </Event>

    Any ideas?

     

    Thank you and have a good day

     

    Monday, August 23, 2010 12:09 AM
  • All - I am having a similar issue except it is Event ID 5157 "The Windows Filtering Platform has blocked a connection". The Windows Firewall is OFF and the Filter Run-Time ID is 0. Does the hotfix http://support.microsoft.com/kb/969257 apply to this scenario as well?

    Tuesday, August 31, 2010 3:39 PM
  • Have the same issue on Windows 2008 R2 Server with Event ID 5157 "The Windows Filtering Platform has blocked a connection". Tried to install kb969257 but it didn't even install because it doesn't support the 2008 Server platform.
    Thursday, November 18, 2010 11:58 AM
  • Win2008R2 LDAP is trying to talk to itself on localhost and 192.168.10.60, but is blocked.  Thought for sure, there would be an answer by now.  About the only thing I can think of now is to install the Symantec Endpoint Protection and maybe that will fix the blockages.

    Firewall is off.

    Source    Microsoft Windows Security

    EventID  5152

    Level      Information

    Task Category:              Filtering Platform Packet Drop

    Keywords Audit Failure

     


      Direction %%14593   // OUTBOUND
      SourceAddress 192.168.10.60
      SourcePort 60212
      DestAddress 192.168.10.70
      DestPort 389
      Protocol 6
      FilterRTID 69196
      LayerName %%14611   // CONNECT
      LayerRTID 48

     

     

    Saturday, January 01, 2011 4:35 AM
  • Firewall is supposed to be configurable. I'd like to see a workaround. For me, it keeps the SSRS on one box from accessing SQL on another. (Error 5159) The Windows Filtering Platform has blocked a bind to a local port.
    Tuesday, January 11, 2011 1:50 PM
  • I ran into a similar issue as well using a website which required domain authentication. I would put in my credentials, and it would continually keep prompting me for them over and over. My account wasn't locked out, and the password wasn't expired.

    So, the computer has Sophos Endpoint Security and Control. I opened up the configuration tool:

    'Configure anti-virus and HIPS' > 'Authorization' and in just about every 'Known Application' column, was firefox.exe (the browser I was getting the issues with). I clicked the exe and then the button to 'Add' to authorized applications. Restarted, and the issue went away.

    Somehow firefox lost trust with Sophos and so the authorization filter was preventing it from authenticating on the domain.

    Monday, February 28, 2011 5:46 PM
  • It is kind of strange - why will the WFP register an event at all? and one more thing - is there a fix for this?

    Have the same issue here!!!


    • Edited by Asaf.Meir Monday, September 05, 2011 3:46 PM
    Monday, September 05, 2011 3:46 PM
  •  

    If you decide to turn off the Windows Firewall, you need to make sure you disable it  in the proper manner, otherwise you will have persistent filters affecting your traffic.  In the Windows Firewall control panel (firewall.cpl), make sure you select 'Turn Windows Firewall on or off' and select 'Off (Not Recommended)'.  Alternatively you can use netsh.exe and run

    'Netsh.exe AdvFirewall Set CurrentProfile State Off'.

     

    MPSSvc is a required service for IPsec Policy to continue to function.  It also just happens to house Windows Firewall functionality as well.  If using IPsec, do not turn off this service.  Additionally if you do not turn off Windows Firewall, and just stop this service, you will be hit with Windows Firewall's persistent policy (hence the reason to disable the firewall as stated above).

     

    Note also that there is a period of time when you start your machine and TCPIP.sys is loaded until the BFE service successfully starts.  This is known as boottime.  This period of time will enforce any boottime filters on the box, but will stop enforcing them when BFE starts successfully.

     

    You can programmatically add filters to Windows Firewall to explicitly allow the traffic you are seeing blocked.

    http://msdn.microsoft.com/en-us/library/aa366453.aspx is a good place to start for this.

     

    I hope this helps.

     


    Multiple Windows 2008R2 servers with error "The Windows Filtering Platform has blocked a connection..." in the security log.  These were 2008R2 boxes fully patched with Symantec Endpoint Protection installed.  Followed your instructions and this fixed the problems we were having.  Our new policy on SEP enabled boxes is to configure the Windows firewall as described in your article.
    Monday, September 19, 2011 9:26 PM
  • Likewise here. This is at least TWO YEARS later than some of these posts, and this still is happening!

    I have Windows Server 2008 Standard, 32-bit, SP2, full install, fully patched, but still have these, even BOGUS AUDIT FAILURES on

    1) "A handle to an object was requested." Shows as an "Audit Failure" and yet the MMC ran just fine - so it was NOT a failure, and I see

    A handle to an object was requested.

    Subject:
     Security ID:  mydom\administrator
     Account Name:  administrator
     Account Domain:  mydom
     Logon ID:  nnnnnnnnn

    Object:
     Object Server:  Security
     Object Type:  File
     Object Name:  C:\Windows\System32\eventvwr.msc
     Handle ID:  0x0

    Process Information:
     Process ID:  0x240
     Process Name:  C:\Windows\System32\mmc.exe

    Access Request Information:
     Transaction ID:  {00000000-0000-0000-0000-000000000000}
     Accesses:  READ_CONTROL
       SYNCHRONIZE
       WriteData (or AddFile)
       AppendData (or AddSubdirectory or CreatePipeInstance)
       WriteEA
       ReadAttributes
       WriteAttributes
       
     Access Mask:  0x120196
     Privileges Used for Access Check: -
     Restricted SID Count: 0

    2) Those same "BFE/WFP" filter errors as well.


    Application Information:
     Process ID:  1160
     Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

    Network Information:
     Source Address:  0.0.0.0
     Source Port:  54980
     Protocol:  17

    Filter Information:
     Filter Run-Time ID: 0
     Layer Name:  Resource Assignment
     Layer Run-Time ID: 36

    Anyway, IF f/w is turned OFF by policy - which it is, in our case, we should NEVER see such errors as the 'blocked port' error. I have had cases on other systems, where I had to go into f/w config and specifically set rules for such nonsense. F/w OFF means "DON'T BLOCK, DON'T FILTER; LEAVE MY SYSTEM ALONE" ;-) So, I suppose, to me, BFE = Pure BS.

    Again, this is in Windows Server 2008 - not Windows 7.

    And then, to have 'Audit Failures' when the actual function (going into MMC) 'SUCCEEDS!' Wow - how can that happen?

    Please let me know if this is fixed in a patch I missed or, maybe it's fixed in Windows Server 2008 R2?

    Thanks for any insight!

    [fyi, we have no other firewall or av product directly on this specific server - it is a Test/DMZ server]


    tnjman


    • Edited by TNJMAN Thursday, March 01, 2012 7:15 PM update 3rd party f/w info
    Thursday, March 01, 2012 7:14 PM
  • Hi All,

    We recently discovered a bug in WFP which erroneously spews out audits about blocking "bind to a local port" while the bind() calls are in fact permitted.

    The symptom is that, as some of you observed, the "FilterRTID" field is 0. The bug manifests when there is no filter registered at WFP ALE_RESOURCE_ASSIGNMENT layers.

    We are fixing this issue in Windows 7. For Vista, you can ignore the audit entry if FilterRTID is 0 for ALE_RESOURCE_ASSIGNMENT layers block audit events.

    Thanks,
    Biao.W.
    What is the KB for the Windows 7 hotfix?   http://support.microsoft.com/kb/2654852  only applies to Windows 2008R2.
    Wednesday, December 04, 2013 5:29 PM