Event ID 5158

The Windows Filtering Platform has permitted a bind to a local port.

Application Information:

   Process ID:        %1
   Application Name:  %2

Network Information:

   Source Address:  %3
   Source Port:     %4
   Protocol:        %5

Filter Information:

   Filter Run-Time ID:  %6
   Layer Name:          %7
   Layer Run-Time ID:   %8


This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.

Auditing:     Rarely

Auditing this event is only recommended if you need to track every time an application binds to a local port, which generally applies to servers in security-sensitive environments.


Volume:     Medium High

This event is logged every time a process binds to a local port. The volume depends on system activity and will likely be higher on workstations than servers.


Microsoft Documentation

Event ID - 5158



Name                Field          Insertion String  OS   Example
Process ID          ProcessId      %1                Any  4556
Application Name    Application    %2                Any  \device\harddiskvolume2\documents\listener.exe
Source Address      SourceAddress  %3                Any  0.0.0.0
Source Port         SourcePort     %4                Any  3333
Protocol            Protocol       %5                Any  View Codes
Filter Run-Time ID  FilterRTID     %6                Any  0
Layer Name          LayerName      %7                Any  %%14608
Layer Run-Time ID   LayerRTID      %8                Any  36
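
Because this event fires on every permitted bind, it is most useful when reduced to listeners that are not already expected. The following is an added example, not part of the original page: it parses exported event XML using the field names from the table above and reports binds missing from a baseline. The baseline contents, the svchost.exe path, the helper names and the sample events are assumptions constructed for illustration; Protocol values 6 and 17 are the IANA numbers for TCP and UDP.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROTOCOLS = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers
SVCHOST = r"\device\harddiskvolume2\windows\system32\svchost.exe"
LISTENER = r"\device\harddiskvolume2\documents\listener.exe"
# Hypothetical baseline of expected listeners: (application, port, protocol).
BASELINE = {(SVCHOST, 3389, "TCP")}

def make_event(event_id, **fields):
    """Build a constructed event in the exported-XML shape (sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{data}</EventData></Event>")

def parse_5158(xml_text):
    """Return the bind fields of a 5158 event as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5158":
        return None
    f = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "pid": int(f["ProcessId"]),
        "application": f["Application"].lower(),  # normalise case for comparison
        "address": f["SourceAddress"],
        "port": int(f["SourcePort"]),
        "protocol": PROTOCOLS.get(f["Protocol"], f["Protocol"]),
    }

def unexpected_binds(events, baseline=BASELINE):
    """Yield parsed binds whose (application, port, protocol) is not baselined."""
    for xml_text in events:
        bind = parse_5158(xml_text)
        if bind and (bind["application"], bind["port"], bind["protocol"]) not in baseline:
            yield bind

# Constructed sample events, not real log data.
COMMON = dict(SourceAddress="0.0.0.0", Protocol=6, FilterRTID=0, LayerName="%%14608", LayerRTID=36)
SAMPLE = [
    make_event(5158, ProcessId=1020, Application=SVCHOST, SourcePort=3389, **COMMON),
    make_event(5158, ProcessId=4556, Application=LISTENER, SourcePort=3333, **COMMON),
    make_event(5156, ProcessId=4556),  # different event ID, ignored by the parser
]

if __name__ == "__main__":
    for bind in unexpected_binds(SAMPLE):
        print(bind)
```
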


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Connection"


