5159 The Windows Filtering Platform has blocked a bind to a local port
Written when the Windows Filtering Platform (WFP) blocks a bind to a local port. Paired with permit 5158, it captures a denied port reservation.
Overview
The subcategory is Audit Filtering Platform Connection. It is generated when a process tries to bind a local port and is denied by WFP.
How it is triggered
- When a process’s port bind is denied by a filter condition.
Security review points
- A blocked port bind can indicate an unfamiliar process trying to reserve a port (setting up a listener, etc.). Check the process and port.
- Read it together with listen block 5155 and connection block 5157 to understand the context of blocked network activity.
Notes for log review
- It appears in volume. Aggregate by process and port and narrow to bind attempts by suspicious processes.
- It also appears for legitimate apps with missing rules. Baseline them and keep only the unknown entries for review.
Key fields
| Field | Meaning |
|---|---|
| Application | The process that attempted the bind |
| Source Port / Protocol | The port it tried to reserve |