Windows Security Log Event ID 5444

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Policy Change
 • Filtering Platform Policy Change
Type Success
Corresponding events
in Windows 2003
and before
 

5444: The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started

On this page

This event is logged for sub-layer of each WFP provider at startup.  For more information on WFP and providers see 5442.

A sublayer is a collection of filters assigned to a layer within WFP.  For more information on the sub-layer fields of this event see the FWPM_SUBLAYER0 structure in MSDN.

This event does not indicate a change - it just documents the providers present at the time of startup.

Free Security Log Resources by Randy

Description Fields in 5444

  • Provider ID: Globally unique identifier of the provider.
  • Provider Name: Name of the provider.
  • Sub-layer ID: GUID of sub-layer.
  • Sub-layer Name:
  • Sub-layer Type: Usually "Persistent" or "Not Persistent".
  • Weight:  Relative weight for filter arbitration.

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

Provider ID:    {4b153735-1049-4480-aab4-d1b9bdc03710}
Provider Name:  Windows Firewall
Sub-layer ID:   {b3cdd441-af90-41ba-a745-7c6008ff2300}
Sub-layer Name: Windows Firewall
Sub-layer Type: Persistent
Weight:         3

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources