Windows Security Log Event ID 5441

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Policy Change • Filtering Platform Policy Change
Type	Success
Corresponding events in Windows 2003 and before

5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started

On this page

Description of this event
Field level details
Examples

This event is logged for each filter of each WFP provider at startup. For more information on WFP and providers see 5442.

The fields in this event provide all the details about the filter and serves to document the provider's entire policy at the time of startup.

For more information on sublayers see event 5444.

This event does not indicate a change - it just documents the policy at the time of startup.

Free Security Log Resources by Randy

Description Fields in 5441

Provider Information:

ID: Globally unique identifier of the provider
Name: Name of the provider

Filter Information:

For detailed information on these event fields, see the FWPM_FILTER_ENUM_TEMPLATE0 structure in MSDN.

Layer Information:

For more information on sublayers see event 5444.

Additional Information:

The list of filter conditions comprising this filter. For information on these fields see the FWPM_FILTER_CONDITION0 structure in MSDN.

Setup PowerShell Audit Log Forwarding in 4 Minutes

Examples of 5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Provider Information:

ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
Name: Windows Firewall

Filter Information:

   ID: {790018f5-8e05-4a78-88ac-ebc35a2e5ee5}
   Name: Port Scanning Prevention Filter
   Type: Boot-time
   Run-Time ID: 65638

Layer Information:

   ID: {7fb03b60-7b8d-4dfa-badd-980176fc4e12}
   Name: Outbound ICMP Error v6 Layer
   Run-Time ID: 34
   Weight: 18446744073709551615

Additional Information:

   Conditions:
   Condition ID: {632ce23b-5167-435c-86d7-e903684aa80c}
   Match value: No flags set
   Condition value: 0x00000001

   Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
   Match value: Equal to
   Condition value: 0x0004

   Condition ID: {c35a604d-d22b-4e1a-91b4-68f674ee674b}
   Match value: In range
   Condition value: 0x0000 - 0x0002

   Filter Action: Block
   Callout ID: {00000000-0000-0000-0000-000000000000}
   Callout Name: -

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

July 2025 Patch Tuesday	"Patch Tuesday - A Large Number of Patches but Only One Zero-Day " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.