 Windows Security Log Event ID 5449
| Operating Systems | Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022 |
| Category • Subcategory | Policy Change • Filtering Platform Policy Change |
| Type | Success |
| Corresponding events in Windows 2003 and before | |
     
    
        5449: A Windows Filtering Platform provider context has been changed
    
    
    
    
    
    A provider context is a blob used by a WFP provider to store its state information.  For more information on WFP and providers see 5442.
This event is logged whenever a provider context is added or deleted.
    
    
        
Subject:
The user and logon session that performed the action.
    - Security ID: The SID of the account.
    - Account Name: The account logon name with domain.
Process Information:
    - Process ID: The process ID specified when the executable started, as logged in 4688.
Provider Information:
    - Provider ID: Globally unique identifier of the provider.
    - Provider Name: Name of the provider.
Change Information:
    - Change Type: "Add" or "Delete"
Provider Context:
    - ID: Globally unique identifier of the context.
    - Name: Name of the context.
    - Type: "Not persistent" or "Persistent"
                 
                
                
             
        
    
 
    
    
        
        A Windows Filtering Platform provider context has been changed.
Subject:
   Security ID:  LOCAL SERVICE
   Account Name:  NT AUTHORITY\LOCAL SERVICE
Process Information:
   Process ID: 1364
Provider Information:
   Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
   Provider Name: Windows Firewall
Change Information:
   Change Type: Delete
Provider Context:
   ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
   Name: State Management Provider Context
   Type: Not persistent
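
An added example, not part of the original page: a parser for the 5449 message text in the layout shown above, with a small triage check on the Subject, Change Type and Provider Context Type fields. The expected-account list and both triage rules are assumptions chosen for illustration, and `parse_5449` and `triage` are hypothetical names.

```python
import re

# Constructed sample: the message text of the example event on this page.
SAMPLE = """A Windows Filtering Platform provider context has been changed.
Subject:
   Security ID:  LOCAL SERVICE
   Account Name:  NT AUTHORITY\\LOCAL SERVICE
Process Information:
   Process ID: 1364
Provider Information:
   Provider ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
   Provider Name: Windows Firewall
Change Information:
   Change Type: Delete
Provider Context:
   ID: {4abf47d5-0662-48fa-9be2-56bdef7df1e4}
   Name: State Management Provider Context
   Type: Not persistent
"""

# Assumption: accounts a site expects to change WFP provider contexts.
EXPECTED_ACCOUNTS = {"NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\SYSTEM"}

def parse_5449(message):
    """Return {section: {field: value}}; a section is an unindented 'Name:' line."""
    event, section = {}, None
    for line in message.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if m is None:
            continue  # the leading description sentence has no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "" and not line[:1].isspace():
            section = event.setdefault(key, {})
        elif section is not None:
            section[key] = value
    return event

def triage(event):
    """Return review notes under the assumed policy above (empty list = nothing to review)."""
    notes = []
    account = event.get("Subject", {}).get("Account Name", "")
    change = event.get("Change Information", {}).get("Change Type", "")
    ctx = event.get("Provider Context", {})
    if account not in EXPECTED_ACCOUNTS:
        notes.append(f"unexpected account: {account or 'missing'}")
    if change == "Add" and ctx.get("Type") == "Persistent":
        notes.append(f"persistent context added: {ctx.get('Name', '?')}")
    return notes
```

The Process ID field can be correlated with the matching 4688 event to identify the executable behind a flagged change.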
        