5156 Show App IP Connections

Overview

When you open the Security Event log, it may contain many “Filtering Platform Connection” events with event ID 5156 or 5158. The Security log can record close to 100 such events per minute, so it fills up very quickly.

  • Not enabled by default

  • Shows the program that made the connection and the associated IP

  • Fills up logs quickly, and can be enabled by other programs.

Sample Event ID 5156 entry

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 11:27:37 AM
Event ID:      5156
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		2592
	Application Name:	\device\harddiskvolume2\program files (x86)\microsoft\edge\application\msedge.exe

Network Information:
	Direction:		Outbound
	Source Address:		192.168.0.101
	Source Port:		63386
	Destination Address:	239.255.255.250
	Destination Port:		1900
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	144025
	Layer Name:		Connect
	Layer Run-Time ID:	48

Sample Event ID 5158 entry

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 11:27:51 AM
Event ID:      5158
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
	Process ID:		7612
	Application Name:	\device\harddiskvolume2\program files (x86)\google\chrome\application\chrome.exe

Network Information:
	Source Address:		::
	Source Port:		60420
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	145279
	Layer Name:		Resource Assignment
	Layer Run-Time ID:	38
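The two samples above show the fields these events carry. The following PowerShell is an added example (not part of the original notes) that pulls 5156 and 5158 events from the Security log, or from an exported .evtx when -Path is given, and reads the named EventData fields (ProcessID, Application, Direction, SourceAddress/Port, DestAddress/Port, Protocol) from the event XML. Reading the live Security log requires an elevated prompt; the function and parameter names are my own, and the %%14592/%%14593 direction codes are the resource IDs Windows stores in place of "Inbound"/"Outbound".

```powershell
# Summarise WFP connection audit events (5156 permitted connection, 5158 permitted bind).
# Added example, not from the original page. Live Security log needs an elevated prompt;
# use -Path <file.evtx> to analyse an exported log offline.

function Get-WfpConnectionSummary {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 5000,           # cap the read: this subcategory is extremely chatty
        [string]$Path,                    # optional exported .evtx instead of the live log
        [int[]]$EventId = @(5156, 5158)
    )

    # Direction is stored in the XML as a resource-string id, not as text
    $direction = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
    # IANA protocol numbers seen most often in these events (17 in the samples = UDP)
    $protocol  = @{ 6 = 'TCP'; 17 = 'UDP'; 1 = 'ICMP'; 58 = 'ICMPv6' }

    $filter = @{ Id = $EventId }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Use the named EventData fields rather than positional Properties[], which
            # differ between 5156 and 5158
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $proto = [int]$data['Protocol']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                ProcessId   = [int]$data['ProcessID']
                Application = $data['Application']
                Direction   = if ($data['Direction']) { $direction[$data['Direction']] } else { 'Bind' }
                Source      = "$($data['SourceAddress']):$($data['SourcePort'])"
                Destination = if ($data['DestAddress']) { "$($data['DestAddress']):$($data['DestPort'])" } else { '-' }
                Protocol    = if ($protocol.ContainsKey($proto)) { $protocol[$proto] } else { $proto }
            }
        }
}

# Collapse the flood into one row per application / destination / protocol, most frequent first.
# This is the view that answers "which program talks to which IP" without reading 100 events a minute.
Get-WfpConnectionSummary -MaxEvents 20000 |
    Where-Object EventId -eq 5156 |
    Group-Object Application, Destination, Protocol, Direction |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 25
```

Grouping on Destination works well for the 5156 sample above (msedge.exe to 239.255.255.250:1900 over UDP is SSDP discovery); 5158 bind events have no destination, so group those on Application and Source instead.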

Auditpol

# check whether the Filtering Platform Connection subcategory is enabled (the GUID is the subcategory ID and does not depend on the system language)
auditpol /get /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}"
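Because the subcategory is off by default but can be switched on by other software, it is worth having a repeatable check alongside the enable and disable steps. The script below is an added example, not part of the original notes: it wraps the same auditpol subcategory GUID in small functions, reads the current setting from auditpol's CSV output (/r), and raises the Security log size with wevtutil so the roughly 100 events per minute do not overwrite each other within minutes. Function names are my own; run from an elevated prompt.

```powershell
# Check, enable, size and disable Filtering Platform Connection auditing.
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# If this subcategory is managed by Group Policy (Advanced Audit Policy Configuration),
# local auditpol changes are overwritten at the next policy refresh.

$WfpConnection = '{0CCE9226-69AE-11D9-BED3-505054503030}'   # subcategory GUID from the page

function Get-WfpConnectionAuditSetting {
    # auditpol /r emits CSV; "Inclusion Setting" is one of
    # "No Auditing", "Success", "Failure", "Success and Failure"
    $row = auditpol /get /subcategory:$WfpConnection /r | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Enable-WfpConnectionAudit {
    # Success auditing produces 5156 (connection permitted) and 5158 (bind permitted).
    # Failure auditing would additionally log 5157 (connection blocked).
    auditpol /set /subcategory:$WfpConnection /success:enable | Out-Null

    # Give the Security log room for a useful window of events: /ms is the maximum size in bytes (1 GiB here)
    wevtutil sl Security /ms:1073741824
}

function Disable-WfpConnectionAudit {
    auditpol /set /subcategory:$WfpConnection /success:disable /failure:disable | Out-Null
}

"Before: $(Get-WfpConnectionAuditSetting)"
Enable-WfpConnectionAudit
"After:  $(Get-WfpConnectionAuditSetting)"
```

Running Get-WfpConnectionAuditSetting on a schedule is an easy way to notice when another program has turned the subcategory on and the Security log has started filling.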
