Windows Security Log Event ID 5449
Operating Systems | Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022
Category • Subcategory | Policy Change • Filtering Platform Policy Change
Type | Success
Corresponding events in Windows 2003 and before |
5449: A Windows Filtering Platform provider context has been changed
A provider context is a blob used by a WFP provider to store its state information. For more information on WFP and providers, see event 5442.
This event is logged whenever a provider context is added or deleted.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name with domain.
Process Information:
- Process ID: The process ID specified when the executable started, as logged in event 4688.
Provider Information:
- Provider ID: Globally unique identifier of the provider.
- Provider Name: Name of the provider.
Change Information:
- Change Type: "Add" or "Delete"
Provider Context:
- ID: Globally unique identifier of the context.
- Name: Name of the context.
- Type: "Not persistent" or "Persistent"
A Windows Filtering Platform provider context has been changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
Process ID: 1364
Provider Information:
Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
Provider Name: Windows Firewall
Change Information:
Change Type: Delete
Provider Context:
ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
Name: State Management Provider Context
Type: Not persistent
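In the rendered message, the labels ID, Name and Type only have meaning inside their section, so a collector has to parse 5449 section by section before it can filter on it. The following Python is an added example, not part of the original page: it parses the event text shown above and applies a review policy. The provider baseline in EXPECTED_PROVIDERS and the rules in triage() are assumptions, not recommendations from the page.

```python
SECTIONS = {"Subject", "Process Information", "Provider Information",
            "Change Information", "Provider Context"}
EXPECTED_PROVIDERS = {"Windows Firewall"}  # assumption: this host's baseline

# The example event from this page, as rendered message text.
SAMPLE_EVENT = r"""A Windows Filtering Platform provider context has been changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
Process ID: 1364
Provider Information:
Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
Provider Name: Windows Firewall
Change Information:
Change Type: Delete
Provider Context:
ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
Name: State Management Provider Context
Type: Not persistent
"""

def parse_5449(message):
    """Return {section: {field: value}}; ID/Name/Type only make sense per section."""
    event, section = {}, None
    for raw in message.splitlines():
        key, sep, value = (part.strip() for part in raw.partition(":"))
        if not sep:
            continue  # description line or blank line
        if key in SECTIONS and not value:
            section = event.setdefault(key, {})
        elif section is not None:
            section[key] = value
    return event

def triage(event):
    """Return reasons to review the change (hypothetical policy, not from the page)."""
    provider = event.get("Provider Information", {}).get("Provider Name", "")
    change = event.get("Change Information", {}).get("Change Type", "")
    context = event.get("Provider Context", {})
    reasons = []
    if change not in ("Add", "Delete"):
        reasons.append(f"unexpected change type {change!r}")
    if provider not in EXPECTED_PROVIDERS:
        reasons.append(f"provider {provider!r} is not in the baseline")
    if context.get("Type") == "Persistent":
        reasons.append(f"persistent context changed: {context.get('Name')!r}")
    return reasons
```

Calling triage(parse_5449(SAMPLE_EVENT)) returns an empty list for the event above, because the provider is in the assumed baseline and the context is not persistent.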