Question
Thursday, June 21, 2018 11:46 AM
Hi Team,
On my Windows 10 machine, I could see that the Security log is getting filled with Event ID 5447. Could you please help in figuring out why this log is getting generated and how to resolve it? This log is getting generated on only one machine in the environment.
The various logs generated are based on the below filter information:
Allow incoming WSD to PeerDistSvc
Allow outgoing WSD from PeerDistSvc
Security Log:
06/21/2018 06:27:17 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5447
EventType=0
Type=Information
ComputerName=
TaskCategory=Other Policy Change Events
OpCode=Info
RecordNumber=3418247710
Keywords=Audit Success
Message=A Windows Filtering Platform filter has been changed.
Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
Process ID: 1560
Provider Information:
ID: {4B153735-1049-4480-AAB4-D1B9BDC03710}
Name: Microsoft Corporation
Change Information:
Change Type: Add
Filter Information:
ID: {BEBED435-A399-4A79-BB51-0BB8A9ECAA63}
Name: Allow incoming WSD to PeerDistSvc
Type: Not persistent
Run-Time ID: 157222438
Layer Information:
ID: {E1CD9FE7-F4B5-4273-96C0-592E487B8650}
Name: ALE Receive/Accept v4 Layer
Run-Time ID: 44
Callout Information:
ID: {00000000-0000-0000-0000-000000000000}
Name: -
Additional Information:
Weight: 74169515625152512
Conditions:
Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971}
Match value: Equal to
Condition value:
00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \d.e.v.i.c.e.\
00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.
00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00 v.o.l.u.m.e.2.\
00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\
00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2.
00000050 5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00 \s.v.c.h.o.s.t.
00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e...
Condition ID: {af043a0a-b34d-4f86-979c-c90371af6e66}
Match value: Equal to
Condition value:
O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3124040864-3101396827-3094488734-3028845762-1939139329)
Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x0e76
Condition ID: {b235ae9a-1d64-49b8-a44c-5ff3d9095045}
Match value: In range
Condition value: 0xe0000000 - 0xefffffff
Condition ID: {72b1a111-987b-4720-99dd-c7c576fa2d4c}
Match value: Equal to
Condition value: 0x00000000
Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value: Equal to
Condition value: 0x11
Condition ID: {632ce23b-5167-435c-86d7-e903684aa80c}
Match value: All flags set
Condition value: 0x00000004
Filter Action: Permit
Regards
Sathish
All replies (7)
Thursday, June 21, 2018 1:10 PM
Check the earlier discussed thread below; the suggested solution may help you fix this issue:
Thanks,
Thursday, June 21, 2018 2:47 PM
Thanks, I can go ahead and disable the mentioned event in the policy. Any idea on why the below log is getting generated?
Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
Process ID: 1560
Provider Information:
ID: {4B153735-1049-4480-AAB4-D1B9BDC03710}
Name: Microsoft Corporation
Change Information:
Change Type: Add
Filter Information:
ID: {BEBED435-A399-4A79-BB51-0BB8A9ECAA63}
Name: Allow incoming WSD to PeerDistSvc
Type: Not persistent
Run-Time ID: 157222438
Regards
Sathish
Friday, June 22, 2018 5:35 AM
Hi,
Event 5447 is generated every time a Windows Filtering Platform filter has been changed.
It is typically generated during Group Policy update procedures, including
Allow outgoing TCP from PeerDistSvc
Allow outgoing TCP from PeerDistSvc
Allow outgoing WSD from PeerDistSvc
Allow PNRP to send to port 3540
WSH Default Inbound Block
WSH Default Outbound Block
DhcpFirewallPolicy and so on.
This event is mainly used for Windows Filtering Platform troubleshooting and typically has little to no security relevance. From the event you provided, it is a success audit. If you need to monitor changes in Boot Configuration Data or Central Access Policies, then enable success auditing. Otherwise, you don't have to enable success auditing; enabling failure auditing is enough.
Use the command:
auditpol /set /subcategory:"other policy change events" /success:disable
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, June 22, 2018 5:48 AM
Audit Other Policy Change Events:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772640(v=ws.10)
Monday, June 25, 2018 1:48 AM
Hi,
What is going on?
If you have any problems, please feel free to let me know.
Friday, June 29, 2018 12:40 PM
Thanks for your reply.
However, we have enabled the audit logs through the domain-level group policy, and this is the only machine which is generating multiple logs with the filter information "Allow incoming WSD to PeerDistSvc". It would help to figure out why this message is getting generated every few minutes on this machine alone.
Regards
Sathish
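As an added example (not from any post in this thread), the PowerShell script below triages Event ID 5447 on the affected machine the way the question above asks: it counts which filter names are being added or deleted, measures the interval between "Allow incoming WSD to PeerDistSvc" events, maps the Process ID to a running process and its hosted services, and resolves any service SID (S-1-5-80-...) found in the filter conditions to an account name. It parses the rendered Message text in the layout shown in the question rather than the event XML, so it must run on the machine whose Security log is being read; the parameters, the function name Get-Wfp5447 and the regular expressions are this example's own assumptions, and the final auditpol line only reports the current setting for the subcategory named in the replies.

```powershell
# Added example, not from the thread: triage Event ID 5447 on the local machine.
# Parses the rendered Message text (the layout shown in the question), so it needs
# the Security log's message resources, i.e. run it on the affected box.
# The filter name below is the one from the question; parameters and helper names
# are this example's own.
param(
    [int]$Hours = 24,
    [int]$MaxEvents = 5000,
    [string]$FilterOfInterest = 'Allow incoming WSD to PeerDistSvc'
)

function Get-Wfp5447 {
    param([datetime]$Since, [int]$Max)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447; StartTime = $Since } `
                           -MaxEvents $Max -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $m = $e.Message
        # "Name:" appears under Provider, Filter, Layer and Callout, so anchor on the heading first.
        $filter = if ($m -match '(?s)Filter Information:.*?Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        $layer  = if ($m -match '(?s)Layer Information:.*?Name:\s*([^\r\n]+)')  { $Matches[1].Trim() } else { '?' }
        $change = if ($m -match 'Change Type:\s*(\w+)') { $Matches[1] } else { '?' }
        $procId = if ($m -match 'Process ID:\s*(\d+)')  { [int]$Matches[1] } else { 0 }
        # Service SIDs (S-1-5-80-...) appear inside the security-descriptor condition value.
        $sid    = if ($m -match '(S-1-5-80(?:-\d+)+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time = $e.TimeCreated; ProcessId = $procId; ChangeType = $change
            FilterName = $filter; LayerName = $layer; ServiceSid = $sid
        }
    }
}

$rows = @(Get-Wfp5447 -Since (Get-Date).AddHours(-$Hours) -Max $MaxEvents)
if ($rows.Count -eq 0) { "No 5447 events in the last $Hours hours."; return }

"== Filter churn (count per filter name and change type) =="
$rows | Group-Object FilterName, ChangeType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== Interval between '$FilterOfInterest' events =="
$hits = @($rows | Where-Object FilterName -eq $FilterOfInterest | Sort-Object Time)
if ($hits.Count -gt 1) {
    $gaps  = for ($i = 1; $i -lt $hits.Count; $i++) { ($hits[$i].Time - $hits[$i - 1].Time).TotalMinutes }
    $stats = $gaps | Measure-Object -Minimum -Average -Maximum
    '{0} events; gap min/avg/max = {1:N1}/{2:N1}/{3:N1} minutes' -f $hits.Count, $stats.Minimum, $stats.Average, $stats.Maximum
} else { "$($hits.Count) event(s); nothing to measure." }

"== Process and hosted services per PID (lookup only works while the PID is alive) =="
$rows | Group-Object ProcessId | ForEach-Object {
    $procId = [int]$_.Name
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $svcs   = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name
    [pscustomobject]@{ ProcessId = $procId; Events = $_.Count; Process = $proc.ProcessName; Services = ($svcs -join ', ') }
} | Format-Table -AutoSize

"== Service SIDs named in the filter conditions =="
$rows | Where-Object ServiceSid | Select-Object -ExpandProperty ServiceSid -Unique | ForEach-Object {
    # Translates to "NT SERVICE\<name>" when that service is registered on this machine.
    try   { $name = ([System.Security.Principal.SecurityIdentifier]$_).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(not resolvable here)' }
    [pscustomobject]@{ Sid = $_; Account = $name }
} | Format-Table -AutoSize

"== Current audit setting for the subcategory that emits 5447 =="
auditpol /get /subcategory:"Other Policy Change Events"
```

Run it in an elevated PowerShell on the machine in question (reading the Security log requires administrator rights). A steady gap of a few minutes on one filter name, a single svchost PID hosting the PeerDistSvc service, and a service SID that resolves to that service together point at a non-persistent filter being re-registered by the service itself rather than at a policy change, which is the distinction the replies in this thread draw before suggesting the auditpol change.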
Monday, July 2, 2018 1:30 AM
Hi,
Which policy did you configure?
It is suggested that you use the command to make sure success auditing is disabled. If it works, then create a batch file containing the command and deploy it to this machine.
auditpol /set /subcategory:"other policy change events" /success:disable