Event ID 5447

A Windows Filtering Platform filter has been changed.

A Windows Filtering Platform filter has been changed.

Subject:
    Security ID:   %2
    Account Name:  %3

Process Information:
    Process ID:    %1

Provider Information:
    ID:            %4
    Name:          %5

Change Information:
    Change Type:   %6

Filter Information:
    ID:            %7
    Name:          %8
    Type:          %9
    Run-Time ID:   %10

Layer Information:
    ID:            %11
    Name:          %12
    Run-Time ID:   %13

Callout Information:
    ID:            %17
    Name:          %18

Additional Information:
    Weight:        %14  
    Conditions:    %15
    Filter Action: %16


This event generates every time a Windows Filtering Platform filter has been changed. It typically generates during Group Policy update procedures.

Auditing:     Rarely

This event is mainly used for Windows Filtering Platform troubleshooting and typically has little to no security relevance.


Volume:     High

On a Windows Server, this event can produce 40–50 occurrences every 2–3 minutes as Windows Firewall dynamically adds and deletes non-persistent ALE layer filters in response to services binding and releasing ports. Unlike the other WFP events, which are confined to boot time, 5447 is a continuous stream on any active system.


Microsoft Documentation

Event ID - 5447



Name                Field         Insertion String  OS   Example
Process ID          ProcessId     %1                Any  284
Security ID         UserSid       %2                Any  S-1-5-19
Account Name        UserName      %3                Any  NT AUTHORITY\LOCAL SERVICE
Provider ID         ProviderKey   %4                Any  {DECC16CA-3F33-...}
Provider Name       ProviderName  %5                Any  Microsoft Corporation
Change Type         ChangeType    %6                Any  %%16385
Filter ID           FilterKey     %7                Any  {91334E6D-FFAB-...}
Filter Name         FilterName    %8                Any  Port Scanning Prevention Filter
Filter Type         FilterType    %9                Any  %%16388
Filter Run-Time ID  FilterId      %10               Any  100100
Layer ID            LayerKey      %11               Any  {AC4A9833-F69D-...}
Layer Name          LayerName     %12               Any  Inbound Transport v4 Layer
Layer Run-Time ID   LayerId       %13               Any  13
Weight              Weight        %14               Any  13835058055315718144
Conditions          Conditions    %15               Any  (multi-line)
Filter Action       Action        %16               Any  %%16391
Callout ID          CalloutKey    %17               Any  {EDA08606-2494-...}
Callout Name        CalloutName   %18               Any  WFP Built-in Silent Drop Transport
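
If this event is collected despite its volume, the field names in the table above are enough to collapse the repetitive filter churn into counts and set the remaining records aside for review. The following is an added example, not part of the original page or of Microsoft's documentation; the baseline SID set, the `_event` helper, and every sample record (including the S-1-5-21 SID and "Example" names) are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# Assumption: accounts whose filter changes count as routine churn on this host.
BASELINE_SIDS = {"S-1-5-18", "S-1-5-19"}  # SYSTEM, LOCAL SERVICE

def _event(event_id, **data):
    """Render one constructed record in the Windows event XML layout."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed sample input (not real log data); values reuse the table's examples.
FW = dict(ProcessId="284", UserSid="S-1-5-19", ProviderName="Microsoft Corporation",
          FilterName="Port Scanning Prevention Filter",
          LayerName="Inbound Transport v4 Layer", ChangeType="%%16385")
SAMPLE = "<Events>" + "".join([
    _event(5447, **FW), _event(5447, **FW),
    _event(5447, **{**FW, "ProcessId": "4312",
                    "UserSid": "S-1-5-21-1111-2222-3333-1001",
                    "ProviderName": "Example Provider",
                    "FilterName": "Example Filter"}),
    _event(5446, **FW),  # different event ID, must be ignored
]) + "</Events>"

def parse_5447(xml_text):
    """Return one dict of EventData fields per 5447 record."""
    out = []
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "5447":
            continue
        out.append({d.get("Name"): (d.text or "") for d in ev.iter(f"{NS}Data")})
    return out

def summarize(events):
    """Collapse baseline churn into counts; return records outside the baseline."""
    churn = Counter((e.get("ProviderName"), e.get("LayerName"), e.get("FilterName"))
                    for e in events if e.get("UserSid") in BASELINE_SIDS)
    outliers = [e for e in events if e.get("UserSid") not in BASELINE_SIDS]
    return churn, outliers

if __name__ == "__main__":
    churn, outliers = summarize(parse_5447(SAMPLE))
    for key, n in churn.most_common():
        print(n, *key, sep=" | ")
    for e in outliers:
        print("review:", e["UserSid"], e["ProcessId"], e["FilterName"])
```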


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Policy Change Events"


