Windows Security Log Event ID 5157

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Object Access
 • Filtering Platform Connection
Type Failure
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 5157
Typo?
Is this Event ID the same as Blocked Firewall Connection?

5157: The Windows Filtering Platform has blocked a connection

On this page

This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.

Free Security Log Resources by Randy

Description Fields in 5157

Application Information:

  • Process ID:  Process ID specified when the executable started as logged in 4688.
  • Application Name: The program executable on this computer's side of the packet transmission.

Network Information:

  • Direction:
  • Source Address:
  • Source Port:
  • Destination Address:
  • Destination Port:
  • Protocol:

Filter Information:

  • Filter Run-Time ID:
  • Layer Name:
  • Layer Run-Time ID:

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 5157

The Windows Filtering Platform has blocked a connection.

Application Information:

   Process ID:          1224
   Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:

   Direction:           Inbound
   Source Address:      224.0.0.252
   Source Port:         5355
   Destination Address: 10.45.45.102
   Destination Port:    56927
   Protocol:            17

Filter Information:

   Filter Run-Time ID:  0
   Layer Name:          Receive/Accept
   Layer Run-Time ID:   44

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources