Event ID 5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Provider Information:   
    ID:     %1
    Name:       %2

Filter Information:
    ID:     %3
    Name:       %4
    Type:       %5
    Run-Time ID:    %6

Layer Information:
    ID:     %7
    Name:       %8
    Run-Time ID:    %9
    Weight:     %10

Additional Information:
    Conditions: %11
    Filter Action:  %12
    Callout ID: %13
    Callout Name:   %14


This is a Success Audit event that is generated exclusively during the system boot sequence. It provides a point-in-time inventory of every persistent filter currently registered within the Base Filtering Engine (BFE).

Auditing:     Rarely

This event is logged for each filter of each WFP provider at startup. Enable only if you need a full WFP filter baseline at boot for forensic comparison or to detect unauthorized persistent filters added by malware or rogue drivers.


Volume:     Low to Medium

A single WFP provider can register dozens of filters. On servers running AV, EDR, or VPN software with complex WFP rulesets the count can reach several hundred per boot.




Name               Field         Insertion String  OS   Example
-----------------  ------------  ----------------  ---  -------------------
Provider ID        ProviderKey   %1                Any  {DECC16CA-3F33-...}
Provider Name      ProviderName  %2                Any  Microsoft Corporation
Filter ID          FilterKey     %3                Any  {91334E6D-FFAB-...}
Filter Name        FilterName    %4                Any  Port Scanning Filter
Filter Type        FilterType    %5                Any  %%388
Filter Run-Time ID FilterId      %6                Any  78276
Layer ID           LayerKey      %7                Any  {E1CD9FE7-F4B5-...}
Layer Name         LayerName     %8                Any  ALE Receive/Accept
Layer Run-Time ID  LayerId       %9                Any  44
Weight             Weight        %10               Any  2111886959050752
Conditions         Conditions    %11               Any  (multi-line)
Filter Action      FilterAction  %12               Any  %%14609
Callout ID         CalloutKey    %13               Any  -
Callout Name       CalloutName   %14               Any  -
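
The boot-to-boot baseline comparison mentioned under Auditing can be sketched as follows. This is an added example, not code from the original page: it assumes the 5441 events from two boots have already been exported as event XML, and every GUID, filter name and weight in the sample data is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Fields compared across boots; names come from the Field column above.
# Run-time IDs are left out of the comparison (an assumption of this example).
COMPARED = ("ProviderKey", "FilterName", "LayerKey", "Weight",
            "FilterAction", "CalloutKey")

def parse_filters(xml_text):
    """Return {FilterKey: compared fields} for each 5441 event in xml_text."""
    # Several <Event> elements in a row have no single root, so wrap them.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    filters = {}
    for ev in root.iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5441":
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        filters[data["FilterKey"]] = {k: data.get(k, "") for k in COMPARED}
    return filters

def diff_filters(baseline, current):
    """Return (added, removed, changed) FilterKey lists between two boots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current)
                     if baseline[k] != current[k])
    return added, removed, changed

def sample_event(n, name, callout="-"):
    """Build one constructed 5441 event; every value is sample data."""
    guid = "{00000000-0000-0000-0000-%012d}"
    fields = {"ProviderKey": guid % 900, "FilterKey": guid % n,
              "FilterName": name, "LayerKey": guid % 800, "Weight": "1000",
              "FilterAction": "%%14609", "CalloutKey": callout}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5441</EventID>'
            f"</System><EventData>{body}</EventData></Event>")

# Constructed snapshots: filter 3 disappears, filter 4 appears, and
# filter 2 now references a callout it did not have in the baseline.
BASELINE_XML = "".join(sample_event(n, f"Sample filter {n}") for n in (1, 2, 3))
CURRENT_XML = (sample_event(1, "Sample filter 1")
               + sample_event(2, "Sample filter 2",
                              callout="{00000000-0000-0000-0000-000000000700}")
               + sample_event(4, "Sample filter 4"))

if __name__ == "__main__":
    print(diff_filters(parse_filters(BASELINE_XML), parse_filters(CURRENT_XML)))
```

Filters reported as added, or as changed to reference a new callout, are the ones to trace back to their provider.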


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"


