Event ID 5446

A Windows Filtering Platform callout has been changed. 

A Windows Filtering Platform callout has been changed.

Subject:
    Security ID:        %2
    Account Name:       %3

Process Information:
    Process ID: %1

Provider Information:
    ID:     %4
    Name:       %5

Change Information:
    Change Type:    %6

Callout Information:
    ID:     %7
    Name:       %8
    Type:       %9
    Run-Time ID:    %10

Layer Information:
    ID:     %11
    Name:       %12
    Run-Time ID:    %13


A WFP callout is a set of functions in a driver used for specialized filtering. Callouts can block, permit, modify, and secure network traffic.

Auditing:     Conditional

More actionable than the 5440–5444 startup events because it captures runtime changes with full subject context. Recommended for environments that need to detect: Unexpected callout registrations by unsigned kernel drivers. Malicious rootkit or implant activity using WFP for network interception. Unauthorized removal of security software callouts. Baseline deviation from expected callout inventory.


Volume:     Low

This event is logged whenever a callout is added or deleted. On a stable system this happens infrequently — primarily during service starts and stops. Expect a small burst at system startup and shutdown, and isolated events when security software services are cycled.




Name Field Insertion String OS Example
Process ID ProcessId %1 Any 1364
Security ID UserSid %2 Any S-1-5-19
Account Name UserName %3 Any NT AUTHORITY\...
Provider ID ProviderKey %4 Any {9250A3DB-5929-...}
Provider Name ProviderName %5 Any WFKMP
Change Type ChangeType %6 Any %%385
Callout ID CalloutKey %7 Any {C3DBED20-0BB6-...}
Callout Name CalloutName %8 Any Windows Firewall
Callout Type CalloutType %9 Any %%390
Callout Run-Time ID CalloutId %10 Any 279
Layer ID LayerKey %11 Any {FA45FE2F-3CBA-...}
Layer Name LayerName %12 Any Datagram Data v6

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022 Windows 2025

Audit Category:
Policy Change

Audit Subcategory:
Filtering Platform Policy Change

LEFT/RIGHT arrow keys for navigation

Back to List