Windows Security Log Event ID 5156

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Object Access • Filtering Platform Connection
Type: Success
Corresponding events in Windows 2003 and before:

5156: The Windows Filtering Platform has allowed a connection

This event is logged each time the Windows Filtering Platform (WFP) allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The example on this page shows WFP allowing the DNS Server service to connect to the DNS client on the same computer.

Application Information:

  • Process ID: the process ID assigned when the executable started, as logged in event 4688
  • Application Name: the program executable on this computer's side of the packet transmission

Description Fields in 5156

Application Information:

  •  Process ID:  %1
  •  Application Name: %2

Network Information:

  •  Direction:  %3
  •  Source Address:  %4
  •  Source Port:  %5
  •  Destination Address: %6
  •  Destination Port:  %7
  •  Protocol:  %8

Filter Information:

  •  Filter Run-Time ID: %9
  •  Layer Name:  %10
  •  Layer Run-Time ID: %11


Examples of 5156

The Windows Filtering Platform has allowed a connection.

Application Information:

   Process ID:  1752
   Application Name: \device\harddiskvolume1\windows\system32\dns.exe

Network Information:

   Direction:  Inbound
   Source Address:
   Source Port:  53
   Destination Address:
   Destination Port:  50146
   Protocol:  17

Filter Information:

   Filter Run-Time ID: 5
   Layer Name:  Receive/Accept
   Layer Run-Time ID: 44
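
As an added example (not part of the original page), the Python below parses the rendered description text of a 5156 event into its three sections and translates the numeric Protocol value. The names parse_5156, summarize and PROTOCOLS are assumptions of this sketch, and the sample input is the example text above with its blank address fields left blank.

```python
# IANA protocol numbers for the Protocol field (17 is the value in the page's example).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
SECTIONS = ("Application Information", "Network Information", "Filter Information")

# The page's example text, embedded as sample input; the address values are blank there.
SAMPLE = r"""The Windows Filtering Platform has allowed a connection.
Application Information:
   Process ID:  1752
   Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
   Direction:  Inbound
   Source Address:
   Source Port:  53
   Destination Address:
   Destination Port:  50146
   Protocol:  17
Filter Information:
   Filter Run-Time ID: 5
   Layer Name:  Receive/Accept
   Layer Run-Time ID: 44
"""

def parse_5156(message):
    """Return {section: {field: value}}; a blank value becomes None."""
    event, section = {}, None
    for raw in message.splitlines():
        # Split on the first colon only, so IPv6 addresses in the value stay intact.
        name, sep, value = raw.strip().partition(":")
        name, value = name.strip(), value.strip()
        if not sep:
            continue  # banner line or blank line
        if name in SECTIONS and not value:
            section = event.setdefault(name, {})
        elif section is not None:
            section[name] = value or None
    return event

def summarize(event):
    """Flatten a parsed event into the fields an analyst pivots on."""
    app, net = event["Application Information"], event["Network Information"]
    proto = int(net["Protocol"])
    return {
        "pid": int(app["Process ID"]),  # join key to the 4688 process-creation event
        "image": app["Application Name"].rsplit("\\", 1)[-1],
        "direction": net["Direction"],
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": (net["Source Address"], int(net["Source Port"])),
        "dst": (net["Destination Address"], int(net["Destination Port"])),
    }
```

Calling summarize(parse_5156(SAMPLE)) yields one flat record per event, with Protocol 17 reported as UDP and the blank addresses as None.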
