Windows Security Log Event ID 5448

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Policy Change
 • Filtering Platform Policy Change
Type Success
Corresponding events
in Windows 2003
and before		  

5448: A Windows Filtering Platform provider has been changed

On this page

This event is logged when a WFP provider is added or there is a change to an existing provider. 

For more information on WFP and providers see 5442.

In my testing this event is logged at startup for non persistent provider WFKMP which no doubt has something to do with Windows Firewall.

Free Security Log Resources by Randy

Description Fields in 5448

Subject:

The user and logon session that performed the action. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name with domain. 

Process Information:

  • Process ID is the process ID specified when the executable started as logged in 4688.

Change Information: 

  • Change Type: "Add" or "Delete" 

Provider Information: 

  • Provider ID: Globally unique identifier of the provider
  • Provider Name: name of the provider
  • Type:  "Not persistent" or "Persistent"

Supercharger Free Edition


Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 5448

A Windows Filtering Platform provider has been changed.

Subject:

   Security ID:  LOCAL SERVICE
   Account Name:  NT AUTHORITY\LOCAL SERVICE

Process Information:

   Process ID: 1364

Change Information:

   Change Type: Add

Provider Information:

   ID:  {9250a3db-5929-4952-b834-e88709b0a35e}
   Name:  WFKMP
   Type:  Not persistent

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources