Windows Security Log Event ID 5448

5448: A Windows Filtering Platform provider has been changed

On this page

• Description of this event
• Field level details
• Examples
• Discuss this event
• Mini-seminars on this event

This event is logged when a WFP provider is added or there is a change to an existing provider. 

For more information on WFP and providers see 5442.

In my testing this event is logged at startup for non persistent provider WFKMP which no doubt has something to do with Windows Firewall.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 5448

Subject:

The user and logon session that performed the action. 

• Security ID:  The SID of the account.
• Account Name: The account logon name with domain. 

Process Information:

• Process ID is the process ID specified when the executable started as logged in 4688.

Change Information: 

• Change Type: "Add" or "Delete" 

Provider Information: 

• Provider ID: Globally unique identifier of the provider
• Provider Name: name of the provider
• Type:  "Not persistent" or "Persistent"

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

 

Upcoming Webinars Breakdown of a Phishing Attack: Dissecting the Uber and MailChimp Data Breaches Before and After the Inbox

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy