Event ID 5158
The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
    Process ID: %1
    Application Name: %2
Network Information:
    Source Address: %3
    Source Port: %4
    Protocol: %5
Filter Information:
    Filter Run-Time ID: %6
    Layer Name: %7
    Layer Run-Time ID: %8
This event is generated every time the Windows Filtering Platform permits an application or service to bind to a local port.
Auditing:
Rarely
Auditing this event is only recommended if you need a record of every time an application binds to a local port, generally on servers in security-sensitive environments.
Volume:
Medium
High
This event is logged every time a process binds to a local port. The volume depends on system activity and will likely be higher on workstations than servers.
Microsoft Documentation
Name | Field | Insertion String | OS | Example
---|---|---|---|---
Process ID | ProcessId | %1 | Any | 4556
Application Name | Application | %2 | Any | \device\harddiskvolume2\documents\listener.exe
Source Address | SourceAddress | %3 | Any | 0.0.0.0
Source Port | SourcePort | %4 | Any | 3333
Protocol | Protocol | %5 | Any | View Codes
Filter Run-Time ID | FilterRTID | %6 | Any | 0
Layer Name | LayerName | %7 | Any | %%14608
Layer Run-Time ID | LayerRTID | %8 | Any | 36
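
Because the event is logged on every bind, it is usually reviewed against a baseline rather than record by record. The following is an added example, not code from this page or from Microsoft: it parses event XML using the field names in the table above and returns the 5158 binds whose application and port are not expected. The baseline, the sample records and the protocol value 6 are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PROTOCOLS = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers

# Assumed per-host baseline of expected (application path, port) pairs.
BASELINE = {(r"\device\harddiskvolume2\windows\system32\svchost.exe", 3389)}

def parse_binds(xml_text):
    """Yield one dict per Event ID 5158 record found in an <Events> document."""
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "5158":
            continue  # e.g. the correlated 5156 connection events
        data = {d.get("Name"): d.text or "" for d in ev.iter(NS + "Data")}
        yield {
            "pid": int(data["ProcessId"]),
            "app": data["Application"].lower(),
            "addr": data["SourceAddress"],
            "port": int(data["SourcePort"]),
            "proto": PROTOCOLS.get(data["Protocol"], data["Protocol"]),
        }

def unexpected_binds(xml_text, baseline=BASELINE):
    """Return the binds whose (application, port) pair is not in the baseline."""
    return [b for b in parse_binds(xml_text)
            if (b["app"], b["port"]) not in baseline]

def _event(event_id, **fields):
    """Build one constructed record in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{data}</EventData></Event>")

# Constructed sample: two 5158 binds and one 5156 record that must be skipped.
SAMPLE = "<Events>" + "".join([
    _event(5158, ProcessId=4556, SourceAddress="0.0.0.0", SourcePort=3333,
           Application=r"\device\harddiskvolume2\documents\listener.exe",
           Protocol=6, FilterRTID=0, LayerName="%%14608", LayerRTID=36),
    _event(5158, ProcessId=1012, SourceAddress="0.0.0.0", SourcePort=3389,
           Application=r"\device\harddiskvolume2\windows\system32\svchost.exe",
           Protocol=6, FilterRTID=0, LayerName="%%14608", LayerRTID=36),
    _event(5156, ProcessId=4556, SourceAddress="10.0.0.5", SourcePort=3333,
           Application=r"\device\harddiskvolume2\documents\listener.exe",
           Protocol=6),
]) + "</Events>"
```

On the sample, `unexpected_binds(SAMPLE)` returns only the listener.exe bind on port 3333; the svchost.exe bind matches the baseline and the 5156 record is ignored.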
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"
Operating Systems:
Windows Vista, Windows 2008, Windows 2008 R2, Windows 7, Windows 2012, Windows 2012 R2, Windows 8, Windows 8.1, Windows 10, Windows 2016, Windows 2019, Windows 11, Windows 2022
Tags:
Audit Success
Correlated Events:
5156