Event ID: 5156

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:        %1
   Application Name:  %2

Network Information:

   Direction:           %3
   Source Address:      %4
   Source Port:         %5
   Destination Address: %6
   Destination Port:    %7
   Protocol:            %8

Filter Information:

   Filter Run-Time ID:  %9
   Layer Name:          %10
   Layer Run-Time ID:   %11

This event is generated when the Windows Filtering Platform has allowed a connection.

Note: This event has 13 insertion strings but only 11 are displayed on the general tab.

Auditing:     Rarely

It's only recommended to audit this event if every network connection of a process needs to be tracked.

Volume:     High to Very High

This event is logged for every network connection that is associated with a process; as such, the volume of events is generally very high.

Microsoft Documentation

Event ID - 5156

Name                 Field            Insertion String  OS   Example
Process ID           ProcessID        %1                Any  4556
Application Name     Application      %2                Any  \device\harddiskvolume2\documents\listener.exe
Direction            Direction        %3                Any  %%14592
Source Address       SourceAddress    %4                Any
Source Port          SourcePort       %5                Any  3333
Destination Address  DestAddress      %6                Any
Destination Port     DestPort         %7                Any  49279
Protocol             Protocol         %8                Any  View Codes
Filter Run-Time ID   FilterRTID       %9                Any  70201
Layer Name           LayerName        %10               Any  14610
Layer Run-Time ID    LayerRTID        %11               Any  44
N/A                  RemoteUserID     %12               Any  S-1-0-0
N/A                  RemoteMachineID  %13               Any  S-1-0-0

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"
