Windows Security Log Event ID 5441

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10
Category • Subcategory	Policy Change • Filtering Platform Policy Change
Type	Success
Corresponding events in Windows 2003 and before

Discussions on Event ID 5441

Ask a question about this event

5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started

On this page

Description of this event
Field level details
Examples
Discuss this event
Mini-seminars on this event

This event is logged for each filter of each WFP provider at startup. For more information on WFP and providers see 5442.

The fields in this event provide all the details about the filter and serves to document the provider's entire policy at the time of startup.

For more information on sublayers see event 5444.

This event does not indicate a change - it just documents the policy at the time of startup.

Free Security Log Resources by Randy

Description Fields in 5441

Provider Information:

ID: Globally unique identifier of the provider
Name: Name of the provider

Filter Information:

For detailed information on these event fields, see the FWPM_FILTER_ENUM_TEMPLATE0 structure in MSDN.

Layer Information:

For more information on sublayers see event 5444.

Additional Information:

The list of filter conditions comprising this filter. For information on these fields see the FWPM_FILTER_CONDITION0 structure in MSDN.

Setup PowerShell Audit Log Forwarding in 4 Minutes

Examples of 5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Provider Information:

ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
Name: Windows Firewall

Filter Information:

   ID: {790018f5-8e05-4a78-88ac-ebc35a2e5ee5}
   Name: Port Scanning Prevention Filter
   Type: Boot-time
   Run-Time ID: 65638

Layer Information:

   ID: {7fb03b60-7b8d-4dfa-badd-980176fc4e12}
   Name: Outbound ICMP Error v6 Layer
   Run-Time ID: 34
   Weight: 18446744073709551615

Additional Information:

   Conditions:
   Condition ID: {632ce23b-5167-435c-86d7-e903684aa80c}
   Match value: No flags set
   Condition value: 0x00000001

   Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
   Match value: Equal to
   Condition value: 0x0004

   Condition ID: {c35a604d-d22b-4e1a-91b4-68f674ee674b}
   Match value: In range
   Condition value: 0x0000 - 0x0002

   Filter Action: Block
   Callout ID: {00000000-0000-0000-0000-000000000000}
   Callout Name: -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Discussions on Event ID 5441

Ask a question about this event

Upcoming Webinars

Building MITRE ATT&CK Technique Detection into Your Security Monitoring Environment

Additional Resources

Security Log Quick Reference Chart

Encyclopedia

•	All Event IDs
•	Audit Policy

Go To Event ID:

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

December 2018 Patch Tuesday	"Patch Tuesday: Flash and Windows Kernal Vulnerabilities Exploited " - sponsored by LOGbinder

Follow @randyfsmith

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2018 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.