5155 The Windows Filtering Platform blocked an application from listening on a port
Written when the Windows Filtering Platform (WFP) blocks an application/service from listening on a port. It captures the startup of a non-permitted listener.
Overview
The subcategory is Audit Filtering Platform Connection. It is generated when an app tries to listen on an inbound port and is denied by WFP. It is the block counterpart to the permit 5154. It is similar in intent to the firewall-service-originated 5031.
How it is triggered
- When a program with no allow rule tries to listen on a port and is blocked by WFP.
Security review points
- A block of an unfamiliar program, or a process that should not normally listen, can be a sign of a backdoor listener starting. Check the path and name of the program.
- Note blocked listening by programs in temp folders or non-standard paths, and correlate with process creation 4688. Read it together with permitted listening 5154.
Notes for log review
- It also appears for legitimate apps with no allow rule. Baseline the legitimate apps and narrow to blocks of unknown/suspicious programs.
Key fields
| Field | Meaning |
|---|---|
| Application | The blocked program |
| Source Port / Protocol | The port it tried to listen on |
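
The review points above (baseline the legitimate apps, watch temp and non-standard paths, correlate with 4688, read together with 5154) can be combined into one triage pass. The following is an added example, not part of the original page. It assumes events were already exported to dictionaries with drive-letter paths and integer PIDs; the record keys, the baseline entry, the path pattern and all sample records are constructed for illustration.

```python
import re

# Assumption: directory names treated as temp or non-standard locations.
ODD_PATH = re.compile(r"\\(temp|tmp|appdata|downloads|users\\public)\\", re.I)
# Assumption: legitimate apps already known to be blocked for lack of an allow rule.
BASELINE = {r"c:\program files\contoso\updater.exe"}

# Constructed sample records in chronological order (not real log data).
SAMPLE = [
    {"EventID": 4688, "NewProcessId": 4312, "CommandLine": "svchelper.exe --listen 8443",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\svchelper.exe"},
    {"EventID": 5155, "ProcessId": 4312, "SourcePort": 8443, "Protocol": 6,
     "Application": r"C:\Users\alice\AppData\Local\Temp\svchelper.exe"},
    {"EventID": 5155, "ProcessId": 900, "SourcePort": 5000, "Protocol": 6,
     "Application": r"C:\Program Files\Contoso\updater.exe"},
    {"EventID": 5154, "ProcessId": 1200, "SourcePort": 9000, "Protocol": 6,
     "Application": r"C:\Program Files\Fabrikam\server.exe"},
    {"EventID": 5155, "ProcessId": 1200, "SourcePort": 9001, "Protocol": 6,
     "Application": r"C:\Program Files\Fabrikam\server.exe"},
]

def triage(events, baseline=BASELINE):
    """Return one finding per 5155 block whose Application is not baselined."""
    permitted = {e["Application"].lower() for e in events if e["EventID"] == 5154}
    created = {}   # PID -> most recent 4688 record seen so far
    findings = []
    for e in events:
        if e["EventID"] == 4688:
            created[e["NewProcessId"]] = e
        elif e["EventID"] == 5155:
            app = e["Application"].lower()
            if app in baseline:
                continue
            proc = created.get(e["ProcessId"])
            # PIDs are reused, so accept the 4688 match only if the image path agrees.
            if proc and proc["NewProcessName"].lower() != app:
                proc = None
            findings.append({
                "application": app,
                "port": e["SourcePort"],
                "protocol": e["Protocol"],
                "odd_path": bool(ODD_PATH.search(app)),
                "also_permitted": app in permitted,
                "command_line": proc["CommandLine"] if proc else None,
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A finding with `odd_path` set and a matching 4688 command line is the case to look at first; `also_permitted` marks programs that have both permitted (5154) and blocked (5155) listens in the same data set.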