security log event ID 5157 5152 4656 failures?

Saran 26 Reputation points
2022-12-24T03:52:56.01+00:00

Hi All,

My server is Windows 2019 STD, and it is in a workgroup, not in a domain. I am seeing the following event IDs in the security log after enabling auditing via gpedit.

Are these ignorable? It looks like the last two are blocked by Windows Firewall, which I have done. I am not sure about 4656.

4656
5152
5157

4656

==================

A handle to an object was requested.

Subject:
Security ID: Computer\login123
Account Name: login123
Account Domain: ComputerName
Logon ID: 0xxxxxxxx

Object:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: LSM
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\services.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Query service configuration information
Query status of service
Query information from service

Access Reasons:		-  
Access Mask:		0x85  
Privileges Used for Access Check:	-  
Restricted SID Count:	0  

5152

==================

The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17

Filter Information:
Filter Run-Time ID: 67894
Layer Name: Transport
Layer Run-Time ID: 13

5157

==================

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 1988
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 137.59.54.84
Source Port: 62505
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17

Filter Information:
Filter Run-Time ID: 67252
Layer Name: Receive/Accept
Layer Run-Time ID: 44


1 answer

  1. Sedat SALMAN 12,985 Reputation points
    2023-03-19T20:19:49.2933333+00:00

    Event ID 4656 indicates that a handle to an object was requested, in this case the "LSM" service object. This event is normal and expected behavior, and can generally be ignored.

    Event ID 5152 indicates that a packet was blocked by the Windows Filtering Platform (WFP). In this case, it looks like a DHCP client on the network is trying to communicate with the server on port 67, but the WFP is blocking it. This could be due to the server not being configured as a DHCP server, or the client being configured incorrectly. If you are not using DHCP on the network, this event can be ignored.

    Event ID 5157 also indicates that a connection was blocked by the WFP. In this case, it looks like an inbound connection from IP address 137.59.54.84 to port 5355 is being blocked by the WFP. This port is typically used for multicast DNS (mDNS) and is used by some devices for network discovery. If you do not require mDNS on your network, you can safely ignore this event.

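An added example, not part of either post: it parses the Network Information fields of the two WFP events quoted in the question, labels each by its well-known UDP destination (broadcast to port 67 is a DHCP client, 224.0.0.252:5355 is LLMNR, 224.0.0.251:5353 is mDNS), and then checks whether the sender is a local address. The function names, the verdict strings and the rule of marking public sources for review are assumptions of this example.

```python
import ipaddress
import re

# Discovery traffic identified by (destination address, UDP destination port).
KNOWN_DISCOVERY = {
    ("255.255.255.255", 67): "DHCP client broadcast",
    ("224.0.0.252", 5355): "LLMNR multicast name query",
    ("224.0.0.251", 5353): "mDNS multicast query",
}

# Network Information from the two WFP events in the question.
EVENT_5152 = """Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17"""
EVENT_5157 = """Direction: Inbound
Source Address: 137.59.54.84
Source Port: 62505
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17"""

def parse_fields(message):
    """Collect the 'Name: value' lines of an event message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*\S)\s*$", line)
        if m:  # section headers such as 'Network Information:' have no value
            fields[m.group(1).strip()] = m.group(2)
    return fields

def triage(message):
    """Return (verdict, reason) for one 5152/5157 event message."""
    f = parse_fields(message)
    if f.get("Direction") != "Inbound" or f.get("Protocol") != "17":
        return "review", "not inbound UDP"
    dst, port = f["Destination Address"], int(f["Destination Port"])
    label = KNOWN_DISCOVERY.get((dst, port))
    if label is None:
        return "review", f"unrecognised destination {dst}:{port}"
    src = ipaddress.ip_address(f["Source Address"])
    # 0.0.0.0 is what a DHCP client uses before it has a lease; private and
    # link-local sources are ordinary LAN neighbours.
    if src.is_unspecified or src.is_private or src.is_link_local:
        return "noise", label
    return "review", f"{label} from public source {src}"

if __name__ == "__main__":
    for name, msg in (("5152", EVENT_5152), ("5157", EVENT_5157)):
        print(name, *triage(msg))
```

The 5157 event is marked for review only because its sender address is public: the block itself is the firewall working as configured, and the open question is which network segment the server shares with that host.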