Port Scanning Prevention Filter behavior in Windows

Gäller för: Windows Server 2008 StandardWindows Server 2008 EnterpriseWindows Server 2008 Datacenter


Consider the following scenario:
  • You have a custom networking application installed on your server.
  • The application captures lots of traffic on the wire.
  • The server may be using a DHCP-assigned IP address.
In this scenario, a large volume of disk I/O may be generated when writes are made to the C:\Windows\System32\wfp\wfpdiag.etl log.


This behavior is by design. When the Port Scanning Prevention Filter is triggered, this typically means that there is no process listening on the port. (For security reasons, WFP blocks process listening.) When a connection is tried on a port where there is no listener, WFP recognizes the packet as if it were coming from a port scanner and therefore silently drops the connection.

If there had been a listener, and the communication was instead blocked because of either malformed packets or authentication, the dropped event would be listed as “DROP” (not silent), and WFP logging would indicate a different filter ID and name.

This filter is built in to the Windows Firewall and Advanced Security (WFAS). It is included in Windows Vista, Windows Server 2008, and later versions of Windows.


To work around this issue, disable WFP logging in the registry: 
  1. Start Registry Editor.
  2. Locate the following registry subkey:
  3. Right-click the subkey, click New, and then create a DWORD (32-bit) registry value.
  4. Type CollectNetEvents as the registry value name.
  5. Leave the value data as 0.
  6. Restart the server.

Note By disabling WFP logging, this only stops the logging of WFP activity in wfpdiag.etl. The Port Scanning Prevention Filter continues to work normally.

More Information