5156 Show App IP Connections

OverView

When you open the Security Event log, the log may contain many “Filtering Platform Connection” events. The event ID of these entries maybe 5156 or 5158. The security log may record close to 100 events per minute, containing the event ID 5156 or 5158. This causes the security event log to become full very quickly.

Not enabled on default
Shows program that made connection and associated IP
Fills up logs quickly, and can be enabled by other programs.

Sample Event ID 5156 entry

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 11:27:37 AM
Event ID:      5156
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		2592
	Application Name:	\device\harddiskvolume2\program files (x86)\microsoft\edge\application\msedge.exe

Network Information:
	Direction:		Outbound
	Source Address:		192.168.0.101
	Source Port:		63386
	Destination Address:	239.255.255.250
	Destination Port:		1900
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	144025
	Layer Name:		Connect
	Layer Run-Time ID:	48

Sample Event ID 5158 entry

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/19/2022 11:27:51 AM
Event ID:      5158
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
	Process ID:		7612
	Application Name:	\device\harddiskvolume2\program files (x86)\google\chrome\application\chrome.exe

Network Information:
	Source Address:		::
	Source Port:		60420
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	145279
	Layer Name:		Resource Assignment
	Layer Run-Time ID:	38

Auditpol

#check if enabled
auditpol /get /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}"

Previous4642 Logon NextWindows Defender

Last updated 9 months ago

Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 7/19/2022 11:27:37 AM Event ID: 5156 Task Category: Filtering Platform Connection Level: Information Keywords: Audit Success User: N/A Computer: OptiPlex-9020 Description: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2592 Application Name: \device\harddiskvolume2\program files (x86)\microsoft\edge\application\msedge.exe Network Information: Direction: Outbound Source Address: 192.168.0.101 Source Port: 63386 Destination Address: 239.255.255.250 Destination Port: 1900 Protocol: 17 Filter Information: Filter Run-Time ID: 144025 Layer Name: Connect Layer Run-Time ID: 48

Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 7/19/2022 11:27:51 AM Event ID: 5158 Task Category: Filtering Platform Connection Level: Information Keywords: Audit Success User: N/A Computer: OptiPlex-9020 Description: The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 7612 Application Name: \device\harddiskvolume2\program files (x86)\google\chrome\application\chrome.exe Network Information: Source Address: :: Source Port: 60420 Protocol: 17 Filter Information: Filter Run-Time ID: 145279 Layer Name: Resource Assignment Layer Run-Time ID: 38