Event ID 5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

Provider ID:    %1
Provider Name:  %2
Provider Type:  %3


This event is logged for each Windows Filtering Platform provider present when the Base Filtering Engine starts as part of Windows boot up. The Windows Filtering Platform is a foundation component of Windows that provides an API and base filtering engine upon which other network filtering applications are built, including several Windows networking components and potentially third-party applications.

Auditing:     Rarely

Enable only when you need a full inventory of WFP providers loaded at boot — useful for forensic baseline comparison, detecting rogue or malicious third-party providers injected by malware, or validating that only expected software has registered as a WFP provider.


Volume:     Low

A standard Windows system has only 3–6 built-in providers. Even with third-party security software, total count per reboot is typically fewer than 15 events. Always bounded per boot — never a continuous stream.




Name           Field         Insertion String  OS   Example
Provider ID    ProviderKey   %1                Any  {AA6A7D87-7F8F-...}
Provider Name  ProviderName  %2                Any  IPsec Policyagent
Provider Type  ProviderType  %3                Any  %%388


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"
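
Baseline comparison of boot-time providers, as described under Auditing, can be scripted as follows. This is an added example, not part of the original event documentation; the baseline file path and the NEW/MISSING labels are assumptions made for illustration.

```powershell
# Added example. Run elevated: reading the Security log requires administrator rights.
param(
    # Hypothetical baseline location; not defined by the event documentation.
    [string]$BaselinePath = '.\wfp-provider-baseline.csv'
)

# 5442 is logged once per provider when the Base Filtering Engine starts,
# so only events since the last boot describe the current provider set.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5442; StartTime = $boot
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 5442 events since boot. Check that the audit subcategory is enabled.'
    return
}

# Properties[0..2] are insertion strings %1..%3 from the field table.
$current = @($events | ForEach-Object {
    [pscustomobject]@{
        ProviderKey  = [string]$_.Properties[0].Value
        ProviderName = [string]$_.Properties[1].Value
        ProviderType = [string]$_.Properties[2].Value
    }
} | Sort-Object -Property ProviderKey -Unique)

# First run: record the known-good provider set and stop.
if (-not (Test-Path -Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) providers."
    return
}

# Later runs: report providers that appeared or disappeared since the baseline.
# A changed name under the same key shows up as one MISSING and one NEW row.
$baseline = @(Import-Csv -Path $BaselinePath)
Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property ProviderKey, ProviderName -PassThru |
    Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'NEW' } else { 'MISSING' } } },
        ProviderKey, ProviderName, ProviderType
```

Capture the baseline on a known-good build, and treat any NEW row as a provider to attribute to installed software before accepting it into the baseline.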


