Event ID: 5156

The Windows Filtering Platform has allowed a connection.

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:        %1
   Application Name:  %2

Network Information:

   Direction:           %3
   Source Address:      %4
   Source Port:         %5
   Destination Address: %6
   Destination Port:    %7
   Protocol:            %8

Filter Information:

   Filter Run-Time ID:  %9
   Layer Name:          %10
   Layer Run-Time ID:   %11
Microsoft Documentation

Event ID - 5156



This event generates when Windows Filtering Platform has allowed a connection.

Note: This event has 13 insertion strings but 11 are displayed in general tab.



Name Field Insertion String OS Example
Process ID ProcessID %1 Any 4556
Application Name Application %2 Any \device\harddiskvolume2\documents\listener.exe
Direction Direction %3 Any %%14592
Source Address SourceAddress %4 Any 192.168.0.2
Source Port SourcePort %5 Any 3333
Destination Address DestAddress %6 Any 192.168.0.1
Destination Port DestPort %7 Any 49279
Protocol Protocol %8 Any View Codes
Filter Run-Time ID FilterRTID %9 Any 70201
Layer Name LayerName %10 Any 14610
Layer Run-Time ID LayerRTID %11 Any 44
N/A RemoteUserID %12 Any S-1-0-0
N/A RemoteMachineID %13 Any S-1-0-0


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List