Event ID: 5158

The Windows Filtering Platform has permitted a bind to a local port.

Application Information:

   Process ID:        %1
   Application Name:  %2

Network Information:

   Source Address:  %3
   Source Port:     %4
   Protocol:        %5

Filter Information:

   Filter Run-Time ID:  %6
   Layer Name:          %7
   Layer Run-Time ID:   %8
Microsoft Documentation

Event ID - 5158


Recommended Auditing
It's only recommended to audit this event if you need a record of every time an application binds to a local port, generally on servers in security-sensitive environments.

Volume
This event is logged every time a process binds to a local port. The volume depends on system activity and will likely be higher on workstations than servers.


This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.



Name                Field          Insertion String  OS   Example
Process ID          ProcessId      %1                Any  4556
Application Name    Application    %2                Any  \device\harddiskvolume2\documents\listener.exe
Source Address      SourceAddress  %3                Any  0.0.0.0
Source Port         SourcePort     %4                Any  3333
Protocol            Protocol       %5                Any  View Codes
Filter Run-Time ID  FilterRTID     %6                Any  0
Layer Name          LayerName      %7                Any  %%14608
Layer Run-Time ID   LayerRTID      %8                Any  36
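
Because this event fires on every bind, it is easier to review when repeated binds are collapsed. The following is an added example, not part of the original page or Microsoft's documentation: it reads the fields listed above from event XML, groups binds by application, address, port and protocol, and marks binds to a wildcard address. The sample records are constructed, and the `<Events>` wrapper, the `svchost.exe` path and the function names `parse_binds` and `summarize` are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
WILDCARD = {"0.0.0.0", "::"}                        # bound on every interface

def _event(event_id, **fields):
    """Build one constructed event record in the Windows event XML shape."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample data, not real log output. The <Events> wrapper is assumed.
LISTENER = r"\device\harddiskvolume2\documents\listener.exe"
SVCHOST = r"\device\harddiskvolume2\windows\system32\svchost.exe"
COMMON = dict(FilterRTID=0, LayerName="%%14608", LayerRTID=36)
SAMPLE = "<Events>" + "".join([
    _event(5158, ProcessId=4556, Application=LISTENER,
           SourceAddress="0.0.0.0", SourcePort=3333, Protocol=6, **COMMON),
    _event(5158, ProcessId=4556, Application=LISTENER,
           SourceAddress="0.0.0.0", SourcePort=3333, Protocol=6, **COMMON),
    _event(5158, ProcessId=1120, Application=SVCHOST,
           SourceAddress="127.0.0.1", SourcePort=5353, Protocol=17, **COMMON),
    _event(5156, ProcessId=4556, Application=LISTENER),  # other event ID, skipped
]) + "</Events>"

def parse_binds(xml_text):
    """Return one dict per Event ID 5158 record, keyed by the Field names."""
    binds = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5158":
            continue
        rec = {d.get("Name"): (d.text or "")
               for d in ev.iterfind("e:EventData/e:Data", NS)}
        rec["ProtocolName"] = PROTOCOLS.get(rec.get("Protocol"), rec.get("Protocol"))
        binds.append(rec)
    return binds

def summarize(binds):
    """Collapse repeated binds and flag those on a wildcard address."""
    counts = Counter((b["Application"], b["SourceAddress"],
                      int(b["SourcePort"]), b["ProtocolName"]) for b in binds)
    return [{"key": k, "count": n, "all_interfaces": k[1] in WILDCARD}
            for k, n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(parse_binds(SAMPLE)):
        print(row)
```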


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"
How to enable Windows Auditing


