Windows Security Log Event ID 5448
5448: A Windows Filtering Platform provider has been changed
On this page
This event is logged when a WFP provider is added or there is a change to an existing provider.
For more information on WFP and providers see 5442.
In my testing this event is logged at startup for non persistent provider WFKMP which no doubt has something to do with Windows Firewall.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name with domain.
Process Information:
- Process ID is the process ID specified when the executable started as logged in 4688.
Change Information:
- Change Type: "Add" or "Delete"
Provider Information:
- Provider ID: Globally unique identifier of the provider
- Provider Name: name of the provider
- Type: "Not persistent" or "Persistent"
Supercharger Enterprise
A Windows Filtering Platform provider has been changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
Process ID: 1364
Change Information:
Change Type: Add
Provider Information:
ID: {9250a3db-5929-4952-b834-e88709b0a35e}
Name: WFKMP
Type: Not persistent
Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection