Object Access Event: 5159

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Object Access » Object Access Event: 5159

Event ID 5159 – The Windows Filtering Platform has blocked a bind to a local port.

Event ID 5159
Category Object Access: Filtering Platform Connection
Type Failure Audit

Whenever a client or server application is prevented from binding to a port by the WFP, event ID 5159 is logged. This hinders further TCP/UDP communications.

An example of 5159 event log:

The Windows Filtering Platform has blocked a bind to a local port.

Application Information:

Process ID:%1

Application Name:%2

Network Information:

Source Address:%3

Source Port:%4

Protocol:%5

Filter Information:

Filter Run-Time ID:%6

Layer Name:%7

Why does event ID 5159 need to be monitored?

  • To ensure specific applications do not perform certain operations
  • To monitor restricted applications
  • To ensure that the source address is preferably from the same computer
  • To monitor whether the destination address is an IP address from the Internet
  • To ensure only whitelisted IP addresses are connected to
  • To check the protocol that is being used by certain applications

Event 5159 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10