Event ID 5156

Hexadecimal Process ID of the process which received the connection.

Full path and the name of the executable for the process.

Logical disk is displayed in format \device\harddiskvolume#. You can get all local volume numbers by using diskpart utility. The command to get volume numbers using diskpart is “list volume”

Direction of allowed connection.

Inbound – for inbound connections.
Outbound – for outbound connections.

Local IP address on which application received the connection.

IPv4 Address

IPv6 Address

:: - all IP addresses in IPv6 format

0.0.0.0 - all IP addresses in IPv4 format

127.0.0.1 , ::1 - localhost

Port number on which application received the connection.

IP address from which connection was received or initiated.

IPv4 Address

IPv6 Address

:: - all IP addresses in IPv6 format

0.0.0.0 - all IP addresses in IPv4 format

127.0.0.1 , ::1 - localhost

Port number which was used from remote machine to initiate connection.

Number of protocol which was used. See notes for table of list of protocol numbers.

Unique filter ID which allowed the connection.

To find specific Windows Filtering Platform filter by ID you need to execute the following command: [netsh wfp show filters]. As result of this command filters.xml file will be generated. You need to open this file and find specific substring with required filter ID (<filterId>)

Application Layer Enforcement layer name.

Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: netsh wfp show state. As result of this command wfpstate.xml file will be generated. You need to open this file and find specific substring with required layer ID (<layerId>)