Event ID 5448

A Windows Filtering Platform provider has been changed.

A Windows Filtering Platform provider has been changed.

Subject:
    Security ID:        %2
    Account Name:       %3

Process Information:
    Process ID: %1

Change Information:
    Change Type:    %4

Provider Information:
    ID:     %5
    Name:       %6
    Type:       %7


This event is generated by the Windows Filtering Platform (WFP). It specifically tracks changes made to a WFP Provider, which is the software component (such as an antivirus, firewall, or VPN client) that manages network filters and callouts.

Whenever a security application registers its presence or updates its identity within the Windows network stack, this event is triggered.

Auditing:     Always

In a standard environment, these events are relatively infrequent and usually occur during software installations or system updates. Monitoring them is useful for ensuring security software health, malware detection, troubleshooting and audit compliance.


Volume:     Low Medium




Name          Field         Insertion String  OS   Example
Process ID    ProcessId     %1                Any  858
Security ID   UserSid       %2                Any  SYSTEM
Account Name  Username      %3                Any  NT AUTHORITY\SYSTEM
Change Type   ChangeType    %4                Any  Add
ID            ProviderKey   %5                Any  {4f57a550-3b1e-4c8a-8887-35c9b1ff1b8f}
Name          ProviderName  %6                Any  Microsoft Corporation
Type          ProviderType  %7                Any  Not persistent
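
An added example (not part of the original page) for the monitoring use described above: it parses exported event XML, reads the fields listed in the table, and flags provider changes whose key is missing from a baseline or whose subject is not SYSTEM. The baseline set, both rules, the `_sample` helper and the two sample records are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: provider keys recorded in your own baseline for this host.
EXPECTED_PROVIDERS = {"{4f57a550-3b1e-4c8a-8887-35c9b1ff1b8f}"}
LOCAL_SYSTEM_SID = "S-1-5-18"  # well-known SID of the SYSTEM account

def parse_5448(event_xml):
    """Return the EventData fields of a 5448 record as a dict, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5448":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}

def triage(fields):
    """List the reasons a provider change deserves a second look."""
    reasons = []
    if fields.get("ProviderKey", "").lower() not in EXPECTED_PROVIDERS:
        reasons.append("provider key not in baseline")
    if fields.get("UserSid") != LOCAL_SYSTEM_SID:  # assumed rule
        reasons.append("change not made by SYSTEM")
    return reasons

def review(events_xml):
    """Return (ProviderKey, Username, reasons) for each flagged 5448 event."""
    findings = []
    for fields in filter(None, map(parse_5448, events_xml)):
        reasons = triage(fields)
        if reasons:
            findings.append((fields.get("ProviderKey"),
                             fields.get("Username"), reasons))
    return findings

def _sample(sid, user, key, name):
    """Build a constructed 5448 record using the field names from the table."""
    data = {"ProcessId": "858", "UserSid": sid, "Username": user,
            "ChangeType": "Add", "ProviderKey": key, "ProviderName": name,
            "ProviderType": "Not persistent"}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5448</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed sample records: one matching the baseline, one that does not.
SAMPLE_EVENTS = [
    _sample("S-1-5-18", "NT AUTHORITY\\SYSTEM",
            "{4f57a550-3b1e-4c8a-8887-35c9b1ff1b8f}", "Microsoft Corporation"),
    _sample("S-1-5-21-1111111111-2222222222-3333333333-1001", "EXAMPLE\\jdoe",
            "{00000000-0000-0000-0000-000000000001}", "Example Provider"),
]
```

Calling `review(SAMPLE_EVENTS)` returns only the second record, with both reasons attached.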


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"


