Windows Security Log Event ID 5156

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Object Access
 • Filtering Platform Connection
Type Success
Corresponding events
in Windows 2003
and before

5156: The Windows Filtering Platform has allowed a connection

On this page

This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.

Application Information:

  • Process ID:  process ID specified when the executable started as logged in 4688
  • Application Name: the program executable on this computer's side of the packet transmission

Free Security Log Resources by Randy

Description Fields in 5156

Application Information:

  •  Process ID:  %1
  •  Application Name: %2

Network Information:

  •  Direction:  %3
  •  Source Address:  %4
  •  Source Port:  %5
  •  Destination Address: %6
  •  Destination Port:  %7
  •  Protocol:  %8

Filter Information:

  •  Filter Run-Time ID: %9
  •  Layer Name:  %10
  •  Layer Run-Time ID: %11

Supercharger Enterprise

Load Balancing for Windows Event Collection


Examples of 5156

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:  1752
   Application Name: \device\harddiskvolume1\windows\system32\dns.exe

Network Information:

   Direction:  Inbound
   Source Address:
   Source Port:  53
   Destination Address:
   Destination Port:  50146
   Protocol:  17

Filter Information:

   Filter Run-Time ID: 5
   Layer Name:  Receive/Accept
   Layer Run-Time ID: 44

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources