Port Scanning Prevention Filter behavior in Windows
This article describes the functionality of the Port Scanning Prevention Filter in Windows Server 2008 and later versions of Windows. It also includes a workaround for the by-design behavior that generates lots of disk I/O when there's activity in the wfpdiag.etl log.
Applies to: Windows Server 2012 R2
Original KB number: 3044882
Symptoms
Consider the following scenario:
- You have a custom networking application installed on your server.
- The application captures lots of traffic on the wire.
- The server may be using a DHCP-assigned IP address.
In this scenario, a large volume of disk I/O may be generated when writes are made to the C:\Windows\System32\wfp\wfpdiag.etl log.
Cause
This behavior is by design. When the Port Scanning Prevention Filter is triggered, this typically means that there's no process listening on the port. (For security reasons, WFP blocks process listening.) When a connection is attempted on a port where there's no listener, WFP treats the packet as if it were coming from a port scanner and therefore silently drops the connection.
If there had been a listener, and the communication had instead been blocked because of either malformed packets or authentication, the drop event would be listed as "DROP" (not silent), and WFP logging would indicate a different filter ID and name.
This filter is built into Windows Firewall with Advanced Security (WFAS). It's included in Windows Vista, Windows Server 2008, and later versions of Windows.
Workaround
To work around this issue, disable WFP logging by using one of the following methods:
Disable WFP logging by running the following Netsh command from an elevated command prompt:
netsh wfp set options netevents=off
Disable WFP logging in the registry. To do this, follow these steps:
- Start Registry Editor.
- Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Options
- Right-click the subkey, click New, and then create a DWORD (32-bit) registry value.
- Type CollectNetEvents as the registry value name.
- Leave the value data as 0.
- Restart the server.
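The following PowerShell script is an added example (not part of the original KB) that audits the CollectNetEvents value from the registry workaround above and, on request, applies either of the two methods the article describes. It assumes an elevated session; the Mode parameter and the function name are constructed for this example. Keep in mind that turning net-event logging off also removes the dropped-connection records in wfpdiag.etl that you would otherwise rely on when troubleshooting blocked traffic.

```powershell
# Added example: audit or apply the WFP net-event logging workaround from KB 3044882.
# Run from an elevated PowerShell prompt. -Mode and Get-WfpNetEventSetting are constructed here.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Audit', 'Registry', 'Netsh')]
    [string]$Mode = 'Audit'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Options'
$ValueName = 'CollectNetEvents'

# Returns $null when the value is absent (logging enabled by default), else the DWORD value.
function Get-WfpNetEventSetting {
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-WfpNetEventSetting
if ($null -eq $current) {
    Write-Host "$ValueName is absent: WFP net-event logging to wfpdiag.etl is enabled (default)."
} elseif ($current -eq 0) {
    Write-Host "$ValueName = 0: WFP net-event logging is disabled in the registry."
} else {
    Write-Host "$ValueName = ${current}: WFP net-event logging is enabled."
}

if ($Mode -eq 'Registry' -and $current -ne 0) {
    # Method 2 from the article: create the DWORD and leave it at 0; a restart is required.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD (32-bit) value to 0')) {
        if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host 'Registry value set. Restart the server for the change to take effect.'
    }
} elseif ($Mode -eq 'Netsh') {
    # Method 1 from the article: the Netsh command, which takes effect without a restart.
    if ($PSCmdlet.ShouldProcess('WFP options', 'netsh wfp set options netevents=off')) {
        & netsh.exe wfp set options netevents=off
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh returned exit code $LASTEXITCODE" }
    }
}
```

Run with -Mode Audit (the default) to check the state without changing anything, or add -WhatIf to either other mode to preview the change.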
Note
Disabling WFP logging only stops the logging of WFP activity in wfpdiag.etl. The Port Scanning Prevention Filter continues to work normally.
More information
For more information, see Stealth mode in Windows Firewall with Advanced Security.