Windows Security Log Event ID 5158

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Object Access
 • Filtering Platform Connection
Type Success
Corresponding events
in Windows 2003
and before

5158: The Windows Filtering Platform has permitted a bind to a local port

On this page

This event is logged every time a client or server application binds to a port.  Binding is the first step in TCP/UDP communications.  For server applications, subsequent to this event you will see 5154 or 5031 when the server attempts to begin listening on the port. 

The example above is the system binding to TCP port 3389 for Remote Desktop connections.

Application Information:

  • Process ID:  process ID specified when the executable started as logged in 4688
  • Application Name: the program executable on this computer's side of the packet transmission

Free Security Log Resources by Randy

Description Fields in 5158

Application Information:

  •  Process ID:  %1
  •  Application Name: %2

Network Information:

  •  Source Address:  %3
  •  Source Port:  %4
  •  Protocol:  %5

Filter Information:

  •  Filter Run-Time ID: %6
  •  Layer Name:  %7
  •  Layer Run-Time ID: %8

Supercharger Free Edition

Centrally manage WEC subscriptions.



Examples of 5158

The Windows Filtering Platform has permitted a bind to a local port.

Application Information:

   Process ID:  4
   Application Name: System

Network Information:

   Source Address:  ::
   Source Port:  3389
   Protocol:  6

Filter Information:

   Filter Run-Time ID: 0
   Layer Name:  Resource Assignment
   Layer Run-Time ID: 38

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Upcoming Webinars
    Additional Resources