Event ID 5449

A Windows Filtering Platform provider context has been changed.

A Windows Filtering Platform provider context has been changed.

Subject:
    Security ID:        %2
    Account Name:       %3

Process Information:
    Process ID: %1

Provider Information:
    Provider ID:    %4
    Provider Name:  %5

Change Information:
    Change Type:    %6

Provider Context:
    ID: %7
    Name:   %8
    Type:   %9


This event is logged whenever a WFP provider context is added to, modified in, or deleted from the Base Filtering Engine (BFE). The most common trigger is system startup, when WFP-based components (Windows Firewall, IPsec, VPN clients, third-party security software) register their non-persistent contexts. It also fires when such software initializes or shuts down mid-session, or when IPsec/firewall policy changes at runtime.

Auditing:     Rarely

Generally only useful for troubleshooting WFP configuration issues; it has little value for routine security monitoring or compliance.


Volume:     Low to Medium

Volume usually depends on how many WFP-aware applications are installed and how actively they interact with the BFE. It tends to be lower on servers and potentially higher on workstations.




Name          Field                 Insertion String  OS   Example
Process ID    ProcessId             %1                Any  858
Security ID   UserSid               %2                Any  SYSTEM
Account Name  Username              %3                Any  NT AUTHORITY\SYSTEM
ID            ProviderKey           %4                Any  {4f57a550-3b1e-4c8a-8887-35c9b1ff1b8f}
Name          ProviderName          %5                Any  Microsoft Corporation
Change Type   ChangeType            %6                Any  Add
ID            ProviderContextKey    %8                Any  {4f57a550-3b1e-4c8a-8887-35c9b1ff1b8f}
Name          ProviderContextName   %9                Any  MPSSVC
Type          ProviderContextType   %10               Any  Not Persistent
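
A triage helper for exported 5449 records, added here as an example (it is not part of the original reference or of any Microsoft tooling): it parses event XML using the field names from the table above, tallies changes per provider context, and separates records that do not match the routine startup pattern of a non-persistent context being added. The sample records, the "Delete" and "Persistent" strings, the vendor name, and the assumption that the export carries rendered strings like those in the Example column are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def make_event(change, ctx_name, ctx_type, provider="Microsoft Corporation", event_id="5449"):
    """Build one constructed record; field names come from the table above."""
    guid = "{4f57a550-3b1e-4c8a-8887-35c9b1ff1b8f}"
    data = {"ProcessId": "858", "UserSid": "S-1-5-18", "Username": "NT AUTHORITY\\SYSTEM",
            "ProviderKey": guid, "ProviderName": provider, "ChangeType": change,
            "ProviderContextKey": guid, "ProviderContextName": ctx_name,
            "ProviderContextType": ctx_type}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample export: three 5449 records plus one unrelated event,
# wrapped in a root element so the text is a single XML document.
SAMPLE = "<Events>" + "".join([
    make_event("Add", "MPSSVC", "Not Persistent"),
    make_event("Add", "MPSSVC", "Not Persistent"),
    make_event("Delete", "Example VPN Context", "Persistent", provider="Example VPN Vendor"),
    make_event("Add", "Other", "Not Persistent", event_id="5447"),
]) + "</Events>"

def parse_5449(xml_text):
    """Return one dict of EventData fields per Event ID 5449 record."""
    records = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "5449":
            continue  # ignore other events present in the export
        records.append({d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")})
    return records

def summarize(records):
    """Count changes per (provider, context name, change type, context type)."""
    return Counter((r.get("ProviderName"), r.get("ProviderContextName"),
                    r.get("ChangeType"), r.get("ProviderContextType")) for r in records)

def unusual(records):
    """Heuristic (an assumption): anything other than Add of a non-persistent context."""
    return [r for r in records
            if (r.get("ChangeType"), r.get("ProviderContextType")) != ("Add", "Not Persistent")]

if __name__ == "__main__":
    recs = parse_5449(SAMPLE)
    for key, count in summarize(recs).items():
        print(count, *key)
    print("review:", [r["ProviderContextName"] for r in unusual(recs)])
```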


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"


