Object Access Event: 5158

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Object Access » Object Access Event: 5158

Event ID 5158 – The Windows Filtering Platform has permitted a bind to a local port.

Event ID 5158
Category Object Access: Filtering Platform Connection
Type Success Audit

If an application or service has been permitted to bind to a local port by the WFP, then event ID 5158 is logged. This marks the first step of TCP/UDP communications. This event is generally followed by the events 5154 and 5031.

This event log contains the following information:

  • Process ID
  • Application Name
  • Source Address
  • Source Port
  • Protocol
  • Filter Run-Time ID
  • Layer Name
  • Layer Run-Time

Why does event ID 5158 need to be monitored?

  • To ensure specific applications do not perform certain operations
  • To monitor restricted applications
  • To ensure that the source address is preferably from the same computer
  • To monitor whether the destination address is an IP address from the Internet
  • To ensure only whitelisted IP addresses are connected to
  • To check the protocol that is being used by certain applications

Event 5158 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10