5156 Show App IP Connections
Overview
When you open the Security event log, it may contain many "Filtering Platform Connection" events. The event ID of these entries may be 5156 or 5158. The Security log may record close to 100 of these events per minute, which causes it to become full very quickly.
Not enabled by default
Shows the program that made the connection and the associated IP
Fills up logs quickly, and can be enabled by other programs.
Sample Event ID 5156 entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/19/2022 11:27:37 AM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2592
Application Name: \device\harddiskvolume2\program files (x86)\microsoft\edge\application\msedge.exe
Network Information:
Direction: Outbound
Source Address: 192.168.0.101
Source Port: 63386
Destination Address: 239.255.255.250
Destination Port: 1900
Protocol: 17
Filter Information:
Filter Run-Time ID: 144025
Layer Name: Connect
Layer Run-Time ID: 48
Sample Event ID 5158 entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/19/2022 11:27:51 AM
Event ID: 5158
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: OptiPlex-9020
Description:
The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 7612
Application Name: \device\harddiskvolume2\program files (x86)\google\chrome\application\chrome.exe
Network Information:
Source Address: ::
Source Port: 60420
Protocol: 17
Filter Information:
Filter Run-Time ID: 145279
Layer Name: Resource Assignment
Layer Run-Time ID: 38
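To find out which programs are filling the log, the entries can be tallied per application and destination. The following is an added example, not part of the original page: it assumes the events were exported as text in the same layout as the two sample entries above, and the names parse_events, short_app and noisiest are hypothetical.

```python
import re
from collections import Counter

# IANA protocol numbers as they appear in the "Protocol:" field.
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP", "58": "ICMPv6"}
# Constructed input: the page's two sample entries, trimmed to the fields used here.
EVENT_5156 = r"""Log Name: Security
Event ID: 5156
Application Name: \device\harddiskvolume2\program files (x86)\microsoft\edge\application\msedge.exe
Destination Address: 239.255.255.250
Destination Port: 1900
Protocol: 17
"""
EVENT_5158 = r"""Log Name: Security
Event ID: 5158
Application Name: \device\harddiskvolume2\program files (x86)\google\chrome\application\chrome.exe
Source Address: ::
Protocol: 17
"""
SAMPLE = EVENT_5156 * 2 + EVENT_5158  # 5156 repeated so the tally has a ranking

def parse_events(text):
    """Split rendered event text into one dict of 'Key: value' fields per entry."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if key.strip() == "Log Name":      # each rendered entry starts with this field
            events.append({})
        if sep and value.strip() and events:
            events[-1][key.strip()] = value.strip()
    return events

def short_app(path):
    """Drop the \\device\\harddiskvolumeN prefix so paths read and group cleanly."""
    return re.sub(r"^\\device\\harddiskvolume\d+", "", path, flags=re.I)

def noisiest(events, top=10):
    """Rank (event ID, application, protocol, endpoint) by number of 5156/5158 events."""
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") not in ("5156", "5158"):
            continue
        proto = PROTOCOLS.get(ev.get("Protocol"), ev.get("Protocol"))
        # 5156 carries a remote endpoint; 5158 is a local bind and has none.
        dest = ev.get("Destination Address")
        endpoint = f'{dest}:{ev.get("Destination Port")}' if dest else "local bind"
        app = short_app(ev.get("Application Name", "?"))
        counts[(ev["Event ID"], app, proto, endpoint)] += 1
    return counts.most_common(top)
```

Calling noisiest(parse_events(text)) on an exported log returns the busiest application and endpoint pairs first, which shows what is generating the volume before any audit setting is changed.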
Auditpol
# Check whether Filtering Platform Connection auditing is enabled
auditpol /get /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}"