Event ID 5450
A Windows Filtering Platform sub-layer has been changed.
Subject:
Security ID: %2
Account Name: %3
Process Information:
Process ID: %1
Provider Information:
Provider ID: %4
Provider Name: %5
Change Information:
Change Type: %6
Sub-layer Information:
Sub-layer ID: %7
Sub-layer Name: %8
Sub-layer Type: %9
Additional Information:
Weight: %10

Event 5450 is logged whenever a WFP sub-layer is added or deleted while the system is running, with full subject context identifying the responsible account and process.
Auditing:
Conditional
Recommended for environments that need to detect:
Unexpected persistent sub-layer registrations from unsigned or unknown kernel drivers.
Security software tampering.
Rootkit or implant activity establishing a new WFP filter bucket for long-term network interception.
Volume:
Low
Expect isolated events only when WFP-aware software (firewall, VPN, EDR) is installed, updated, or removed. On a stable, fully-provisioned system this event may not appear at all for weeks or months at a time.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Filtering Platform Policy Change"