
Lots of 5447 Events

Status
Not open for further replies.

WANguy2k

MIS
Feb 25, 2002
363
US
I'm getting many 5447 events per second every few minutes on a 2008 DC. I looked through the security policies (I didn't set them up) but I don't see what could be causing these. The Windows firewall is off on this machine. Details are below; help is appreciated.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/13/2011 9:39:19 PM
Event ID: 5447
Task Category: Other Policy Change Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: SE-ADDS1.Sheralven.local
Description:
A Windows Filtering Platform filter has been changed.

Subject:
Security ID: LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE

Process Information:
Process ID: 1572

Provider Information:
ID: {4b153735-1049-4480-aab4-d1b9bdc03710}
Name: Microsoft Corporation

Change Information:
Change Type: Delete

Filter Information:
ID: {20fc770e-73bb-4873-a5b5-6000fb8a20a0}
Name: An inbound rule to allow traffic to the IPv6 Dynamic Host Control Protocol Server. [UDP 547]
Type: Not persistent
Run-Time ID: 78276

Layer Information:
ID: {e1cd9fe7-f4b5-4273-96c0-592e487b8650}
Name: ALE Receive/Accept v4 Layer
Run-Time ID: 44

Callout Information:
ID: {00000000-0000-0000-0000-000000000000}
Name: -

Additional Information:
Weight: 2111886959050752
Conditions:
Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971}
Match value: Equal to
Condition value:
00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.d.e.v.i.c.e.\.
00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.
00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00 v.o.l.u.m.e.2.\.
00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\.
00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2.
00000050 5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00 \.s.v.c.h.o.s.t.
00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e...


Condition ID: {af043a0a-b34d-4f86-979c-c90371af6e66}
Match value: Equal to
Condition value:
O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)


Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x0087

Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value: Equal to
Condition value: 0x06

Filter Action: Permit
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5447</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13573</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-02-14T02:39:19.327819700Z" />
<EventRecordID>3762707</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="10308" />
<Channel>Security</Channel>
<Computer>SE-ADDS1.Sheralven.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">1572</Data>
<Data Name="UserSid">S-1-5-19</Data>
<Data Name="UserName">NT AUTHORITY\LOCAL SERVICE</Data>
<Data Name="ProviderKey">{4B153735-1049-4480-AAB4-D1B9BDC03710}</Data>
<Data Name="ProviderName">Microsoft Corporation</Data>
<Data Name="ChangeType">%%16385</Data>
<Data Name="FilterKey">{20FC770E-73BB-4873-A5B5-6000FB8A20A0}</Data>
<Data Name="FilterName">An inbound rule to allow traffic to the IPv6 Dynamic Host Control Protocol Server. [UDP 547]</Data>
<Data Name="FilterType">%%16388</Data>
<Data Name="FilterId">78276</Data>
<Data Name="LayerKey">{E1CD9FE7-F4B5-4273-96C0-592E487B8650}</Data>
<Data Name="LayerName">ALE Receive/Accept v4 Layer</Data>
<Data Name="LayerId">44</Data>
<Data Name="Weight">2111886959050752</Data>
<Data Name="Conditions">
Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971}
Match value: Equal to
Condition value:
00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.d.e.v.i.c.e.\.
00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.
00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00 v.o.l.u.m.e.2.\.
00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\.
00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2.
00000050 5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00 \.s.v.c.h.o.s.t.
00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e...


Condition ID: {af043a0a-b34d-4f86-979c-c90371af6e66}
Match value: Equal to
Condition value:
O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)


Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x0087

Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value: Equal to
Condition value: 0x06
</Data>
<Data Name="Action">%%16390</Data>
<Data Name="CalloutKey">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="CalloutName">-</Data>
</EventData>
</Event>
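When triaging a burst of 5447 events like the one posted above, the Conditions field is the slowest part to read by eye, because string values are rendered as a hex dump. The following added example (not part of the original post; `parse_conditions` and the regex names are hypothetical) decodes that field so events can be grouped by the program, security descriptor and numeric values each filter matches on.

```python
import re

# Sample input: three of the four conditions from the event in the post,
# copied as shown there (the forum collapsed Event Viewer's column spacing).
CONDITIONS = r"""Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971}
Match value: Equal to
Condition value:
00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.d.e.v.i.c.e.\.
00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.
00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00 v.o.l.u.m.e.2.\.
00000030 77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00 w.i.n.d.o.w.s.\.
00000040 73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00 s.y.s.t.e.m.3.2.
00000050 5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00 \.s.v.c.h.o.s.t.
00000060 2e 00 65 00 78 00 65 00-00 00 ..e.x.e...
Condition ID: {af043a0a-b34d-4f86-979c-c90371af6e66}
Match value: Equal to
Condition value:
O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)
Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x0087
"""

# Hypothetical helpers: offset, then up to 16 hex bytes; the ASCII column is ignored.
HEX = re.compile(r"^[0-9a-f]{8}\s+((?:[0-9a-f]{2}[ -]){1,16})", re.I)
COND = re.compile(r"Condition ID:\s*(\{[0-9a-f-]{36}\})", re.I)

def parse_conditions(text):
    """Return one dict per condition: its ID and its decoded value."""
    out = []
    for block in re.split(r"(?=Condition ID:)", text):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        cid = COND.match(lines[0]) if lines else None
        at = next((i for i, l in enumerate(lines) if l.startswith("Condition value:")), None)
        if not cid or at is None:
            continue
        inline = lines[at].split(":", 1)[1].strip()
        body = [inline] if inline else lines[at + 1:]
        raw = b"".join(bytes.fromhex(h.group(1).replace("-", " "))
                       for h in map(HEX.match, body) if h)
        if raw:    # hex dump of a NUL-terminated UTF-16LE string
            value = raw.decode("utf-16-le", "replace").rstrip("\x00")
        elif body and re.fullmatch(r"0x[0-9a-f]+", body[0], re.I):
            value = int(body[0], 16)
        else:      # anything else (e.g. an SDDL string) is kept verbatim
            value = " ".join(body)
        out.append({"id": cid.group(1).lower(), "value": value})
    return out
```

Counting events per decoded path, Change Type and Filter Name over the noisy interval shows whether one service is repeatedly adding and deleting the same non-persistent filters.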
 