Windows Security Log Event ID 5449

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: Policy Change
Subcategory: Filtering Platform Policy Change
Type: Success
Corresponding events in Windows 2003 and before:

5449: A Windows Filtering Platform provider context has been changed


A provider context is a blob used by a WFP provider to store its state information.  For more information on WFP and providers see 5442.

This event is logged whenever a provider context is added or deleted.


Description Fields in 5449

Subject:

The user and logon session that performed the action. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name with domain. 

Process Information:

  • Process ID: The process ID specified when the executable started, as logged in 4688.

Provider Information:

  • Provider ID: Globally unique identifier of the provider
  • Provider Name: name of the provider

Change Information: 

  • Change Type: "Add" or "Delete" 

Provider Context:

  • ID: Globally unique identifier of the context
  • Name: name of the context
  • Type:  "Not persistent" or "Persistent"


Examples of 5449

A Windows Filtering Platform provider context has been changed.

Subject:

   Security ID:  LOCAL SERVICE
   Account Name:  NT AUTHORITY\LOCAL SERVICE

Process Information:

   Process ID: 1364

Provider Information:

   Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
   Provider Name: Windows Firewall

Change Information:

   Change Type: Delete

Provider Context:

   ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
   Name: State Management Provider Context
   Type: Not persistent
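
An added example, not part of the original page: a Python parser that splits a rendered 5449 message into the sections and fields described above and reports any Change Type or Type value other than the ones this page documents. The function and constant names are hypothetical, and the sample input is the example event from this page.

```python
# Sample input: the example 5449 message from this page, fields indented as rendered.
SAMPLE_5449 = """A Windows Filtering Platform provider context has been changed.

Subject:
   Security ID:  LOCAL SERVICE
   Account Name:  NT AUTHORITY\\LOCAL SERVICE
Process Information:
   Process ID: 1364
Provider Information:
   Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
   Provider Name: Windows Firewall
Change Information:
   Change Type: Delete
Provider Context:
   ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
   Name: State Management Provider Context
   Type: Not persistent
"""

# The only values the page documents for the two enumerated fields.
DOCUMENTED = {
    ("Change Information", "Change Type"): {"Add", "Delete"},
    ("Provider Context", "Type"): {"Not persistent", "Persistent"},
}

def parse_5449(message):
    """Hypothetical helper: return {section: {field: value}} for a 5449 message."""
    record, section = {}, None
    for line in message.splitlines():
        text = line.strip()
        if not text:
            continue
        indented = line[0] in " \t"
        if not indented and text.endswith(":"):
            section = text[:-1]  # an unindented "Name:" line opens a section
            record[section] = {}
        elif indented and section and ":" in text:
            key, value = text.split(":", 1)  # split once: values may contain ':'
            record[section][key.strip()] = value.strip()
    return record

def undocumented_values(record):
    """Return (section, field, value) for enumerated fields outside DOCUMENTED."""
    found = []
    for (section, field), allowed in DOCUMENTED.items():
        value = record.get(section, {}).get(field)
        if value not in allowed:
            found.append((section, field, value))
    return found
```

A missing enumerated field is reported with a value of `None`, so a truncated or reformatted message is surfaced rather than silently accepted.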
