Windows Security Log Event ID 5449
5449: A Windows Filtering Platform provider context has been changed
On this page
A provider context is a blob used by a WFP provider to store its state information. For more information on WFP and providers see 5442.
This event is logged whenever a provider context is added or deleted.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name with domain.
Process Information:
- Process ID is the process ID specified when the executable started as logged in 4688.
Provider Information:
- Provider ID: Globally unique identifier of the provider
- Provider Name: name of the provider
Change Information:
- Change Type: "Add" or "Delete"
Provider Context:
- ID: Globally unique identifier of the context
- Name: name of the context
- Type: "Not persistent" or "Persistent"
Setup PowerShell Audit Log Forwarding in 4 Minutes
A Windows Filtering Platform provider context has been changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
Process ID: 1364
Provider Information:
Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
Provider Name: Windows Firewall
Change Information:
Change Type: Delete
Provider Context:
ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
Name: State Management Provider Context
Type: Not persistent
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection