Event ID 5158 – The Windows Filtering Platform has permitted a bind to a local port.
|Category||Object Access: Filtering Platform Connection|
If an application or service has been permitted to bind to a local port by the WFP, then event ID 5158 is logged. This marks the first step of TCP/UDP communications. This event is generally followed by the events 5154 and 5031.
This event log contains the following information:
- Process ID
- Application Name
- Source Address
- Source Port
- Filter Run-Time ID
- Layer Name
- Layer Run-Time
Why does event ID 5158 need to be monitored?
- To ensure specific applications do not perform certain operations
- To monitor restricted applications
- To ensure that the source address is preferably from the same computer
- To monitor whether the destination address is an IP address from the Internet
- To ensure only whitelisted IP addresses are connected to
- To check the protocol that is being used by certain applications
Event 5158 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10