Windows-itpro-docs: windows event log 5159 xml example

Created on 18 Apr 2019 · 7Comments · Source: MicrosoftDocs/windows-itpro-docs

i found this page that hasn't example and i tested this event.
below is event's xml content:

<Event
    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5159</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2019-04-18T07:36:55.955388300Z" />
        <EventRecordID>44097</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="6480" />
        <Channel>Security</Channel>
        <Computer>NATHAN-AGENT2</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name="ProcessId">7924</Data>
        <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
        <Data Name="SourceAddress">0.0.0.0</Data>
        <Data Name="SourcePort">5555</Data>
        <Data Name="Protocol">6</Data>
        <Data Name="FilterRTID">84614</Data>
        <Data Name="LayerName">%%14608</Data>
        <Data Name="LayerRTID">36</Data>
    </EventData>
</Event>

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 15180404-ee89-92c7-908a-f3d7d6802e44
Version Independent ID: 56b2c2ab-d2f6-3085-7eed-755183e6eccb
Content: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)
Content Source: windows/security/threat-protection/auditing/event-5159.md
Product: w10
Technology: windows
GitHub Login: @Mir0sh
Microsoft Alias: justinha

Source

audi5411

Most helpful comment

According to https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5158
i provide the 5 images if no problem i will provide images for #3292 :

event viewer

event_viewer

application information

taskmanager

application name

application_name

Filter Run-Time ID

filters_edited

Layer Run-Time ID

layer_edited

audi5411 on 19 Apr 2019

🚀1 🎉1 👍1

All 7 comments

Thank you for posting the input, I am sure more users than you would like to see the page expanded with the same amount of information as the completed pages.

I was going to ask if I should open a Pull Request for the change to be made, but I realized that 5 images are needed in addition to the sample XML code block, to make the page as complete as the others. I don't have those images and I might not find the time to produce the images as precise as on the complete pages. Would you be able to provide the images, or is it OK to wait for feedback from the Microsoft Docs team members to get a recommendation of further action?

illfated on 18 Apr 2019

According to https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5158
i provide the 5 images if no problem i will provide images for #3292 :

event viewer

event_viewer

application information

taskmanager

application name

application_name

Filter Run-Time ID

filters_edited

Layer Run-Time ID

layer_edited

audi5411 on 19 Apr 2019

🚀1 🎉1 👍1

Nice, that is very good indeed. I will open a PR and link back to this issue so it is easy to follow. I don't know exactly how soon I will be done, but at least today (unless something unexpected happens).

illfated on 19 Apr 2019

👍1

Thanks again for the images, although I suspect that the Microsoft Docs Team might want to replace them with image versions using names identical to the other examples. Not a big deal. I will open the PR nevertheless, with at least the first image and the correct XML content, then see what they think and what can be done to make it a proper addition to the docs.

illfated on 19 Apr 2019

thanks, maybe event 5150 and 5151 can be fulfilled?
reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5150
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5151

audi5411 on 19 Apr 2019

That would be nice too, but I recommend waiting until the Microsoft Docs Team comments on the existing Pull Request (#3303) to see how much change is needed and what format is requested for the other pages. (This is mostly to make sure that we don't have to do double work in the next Pull Requests.)

illfated on 19 Apr 2019

@audi5411 : As you can see, the PR has been accepted and we can go ahead with your desired plan to add information to the other issues (open a new issue ticket for the pages in need of more info) and only provide the first image + XML for the new page. (You have already created the issue ticket windows event log 5155 xml example #3292 , so you only need to open one each for 5150 & 5151.)

illfated on 20 Apr 2019

Was this page helpful?

0 / 5 - 0 ratings