The Windows Filtering Platform has blocked a connection.
Process ID: <PID>
Application Name: \device\harddiskvolume2\windows\system32\tssdis.exe
Source Address: <some IP>
Source Port: <some port>
Destination Address: <some IP>
Destination Port: 1434
To check for Event 5157 in the Security event logs, you may have to enable auditing for Windows Filtering Platform (WFP). To check the current auditing status and to set the correct auditing for Object Access, use the following commands:
auditpol /get /subcategory:"Filtering Platform Connection"
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
If you use the netsh wfp show filters command to inspect WFP filters, the Filter.xml file shows the following active filter:
<description>Blocks all outbound traffic for services who have been network hardened</description>
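The two checks above can be combined in one elevated PowerShell session. The following is an added example, not part of the original article: it lists Event 5157 entries for tssdis.exe with destination port 1434 and then looks up the "network hardened" filter in a fresh netsh dump. The EventData field names (Application, DestPort, FilterRTID), the item/displayData/filterId layout of the dump, and the output path under $env:TEMP are assumptions; adjust them if your system differs.

```powershell
# Added example (not from the original article). Run from an elevated prompt.

# 1. Collect recent Event 5157 records from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

# 2. Keep only blocks raised for tssdis.exe against destination port 1434.
$blocked = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['Application'] -like '*\tssdis.exe' -and $d['DestPort'] -eq '1434') {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            ProcessId   = $d['ProcessID']
            Source      = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
            Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
            FilterId    = $d['FilterRTID']   # run-time ID of the filter that blocked
        }
    }
}
$blocked | Sort-Object TimeCreated | Format-Table -AutoSize

# 3. Dump the active WFP filters to a known path (assumed location).
$xmlPath = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file=$xmlPath | Out-Null

# 4. Find filters whose description mentions network-hardened services and
#    flag those whose ID also appears in the blocked events from step 2.
$seenIds = @($blocked | Select-Object -ExpandProperty FilterId -Unique)
[xml]$wfp = Get-Content -Path $xmlPath -Raw
$wfp.SelectNodes('//item[displayData/description]') |
    Where-Object { $_.displayData.description -like '*network hardened*' } |
    ForEach-Object {
        [pscustomobject]@{
            FilterId      = $_.filterId
            Name          = $_.displayData.name
            Description   = $_.displayData.description
            SeenInEvt5157 = $seenIds -contains $_.filterId
        }
    } | Format-Table -AutoSize -Wrap
```

If step 2 returns nothing, confirm with the auditpol /get command above that failure auditing is enabled for "Filtering Platform Connection" before concluding that no connections were blocked.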
Article ID: 3020474 - Last Review: Jun 23, 2015 - Revision: 1