Windows Security Log Event ID 5156
Operating Systems Windows Vista
Windows Server 2008
Category
 • Subcategory
Object Access
 • Filtering Platform Connection
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 5156
Source versus Destination in event 5156
5156 Showing up in 2003 Event Logs
Event Code 5156 Filling Event Logs - How to turn off

5156: The Windows Filtering Platform has allowed a connection

On this page

This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.

Application Information:

  • Process ID:  process ID specified when the executable started as logged in 4688
  • Application Name: the program executable on this computer's side of the packet transmission

Application Information:

  •  Process ID:  %1
  •  Application Name: %2

Network Information:

  •  Direction:  %3
  •  Source Address:  %4
  •  Source Port:  %5
  •  Destination Address: %6
  •  Destination Port:  %7
  •  Protocol:  %8

Filter Information:

  •  Filter Run-Time ID: %9
  •  Layer Name:  %10
  •  Layer Run-Time ID: %11

Top 10 Windows Security Events to Monitor

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:  1752
   Application Name: \device\harddiskvolume1\windows\system32\dns.exe

Network Information:

   Direction:  Inbound
   Source Address:  10.45.45.103
   Source Port:  53
   Destination Address: 10.45.45.103
   Destination Port:  50146
   Protocol:  17

Filter Information:

   Filter Run-Time ID: 5
   Layer Name:  Receive/Accept
   Layer Run-Time ID: 44

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this



Training for the Windows Security Log