Event ID 5440
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
Provider Information:
ID: %1
Name: %2
Callout Information:
ID: %3
Name: %4
Type: %5
Run-Time ID: %6
Layer Information:
ID: %7
Name: %8
Run-Time ID: %9This event is generated exclusively during system initialization—once for each WFP callout previously registered and persistent within the Base Filtering Engine. It serves as an informational record of the WFP stack’s state at startup and does not signify a configuration change.
Auditing:
Rarely
Enable this event only if a comprehensive inventory of startup callouts is required for baseline comparisons or forensic analysis.
Volume:
Low
On a standard Windows workstation this is typically 10–30 events per reboot. On servers with third-party firewall or network inspection software (AV, EDR, VPN) the count may be higher but still bounded per boot cycle — not a continuous stream.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"
LEFT/RIGHT arrow keys for navigation
Back to List