Windows Security Log Event ID 5448

5448: A Windows Filtering Platform provider has been changed

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event is logged when a WFP provider is added or there is a change to an existing provider. 

For more information on WFP and providers see 5442.

In my testing this event is logged at startup for non persistent provider WFKMP which no doubt has something to do with Windows Firewall.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 5448

Subject:

The user and logon session that performed the action. 

• Security ID:  The SID of the account.
• Account Name: The account logon name with domain. 

Process Information:

• Process ID is the process ID specified when the executable started as logged in 4688.

Change Information: 

• Change Type: "Add" or "Delete" 

Provider Information: 

• Provider ID: Globally unique identifier of the provider
• Provider Name: name of the provider
• Type:  "Not persistent" or "Persistent"

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

 

Upcoming Webinars Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy