Windows Security Log Event ID 5441

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Policy Change
 • Filtering Platform Policy Change
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 5441
Ask a question about this event

5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started

On this page

This event is logged for each filter of each WFP provider at startup.  For more information on WFP and providers see 5442.

The fields in this event provide all the details about the filter and serves to document the provider's entire policy at the time of startup. 

For more information on sublayers see event 5444.

This event does not indicate a change - it just documents the policy at the time of startup.

Free Security Log Resources by Randy

Description Fields in 5441

Provider Information: 

  • ID: Globally unique identifier of the provider
  • Name: Name of the provider

Filter Information:

For detailed information on these event fields, see the FWPM_FILTER_ENUM_TEMPLATE0 structure in MSDN.

Layer Information:

For more information on sublayers see event 5444.

Additional Information:

The list of filter conditions comprising this filter.  For information on these fields see the FWPM_FILTER_CONDITION0 structure in MSDN.

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Provider Information:

   ID:  {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
   Name:  Windows Firewall

Filter Information:

   ID:  {790018f5-8e05-4a78-88ac-ebc35a2e5ee5}
   Name:  Port Scanning Prevention Filter
   Type:  Boot-time
   Run-Time ID: 65638

Layer Information:

   ID:  {7fb03b60-7b8d-4dfa-badd-980176fc4e12}
   Name:  Outbound ICMP Error v6 Layer
   Run-Time ID: 34
   Weight:  18446744073709551615

Additional Information:

   Conditions:
   Condition ID: {632ce23b-5167-435c-86d7-e903684aa80c}
   Match value: No flags set
   Condition value: 0x00000001

   Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
   Match value: Equal to
   Condition value: 0x0004
 
   Condition ID: {c35a604d-d22b-4e1a-91b4-68f674ee674b}
   Match value: In range
   Condition value: 0x0000 - 0x0002

   Filter Action: Block
   Callout ID: {00000000-0000-0000-0000-000000000000}
   Callout Name: -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources