The WFP provider counter displays more providers than expected in Windows Vista

Article ID : 927823
Last Review : August 15, 2007
Revision : 1.1

SYMPTOMS

In Windows Vista, the Windows Filtering Platform (WFP) includes a Performance Monitor counter that displays how many network filtering policy providers are registered on the computer. However, the number that this counter displays is more than the number of audits that you find in Event Viewer.

CAUSE

This behavior occurs because WFP includes hard-coded providers that cannot be removed. The services of these providers cannot be disabled or configured never to use WFP. Therefore, to save space in the audit trail, these providers are not audited.

STATUS

This behavior is by design.

MORE INFORMATION

The following providers are not audited in Windows Vista:

• TCP chimney offload
This provider is used for advanced filtering for TCP connections interacting with chimney offload cards.
• IKE and AuthIP IPsec Keying Modules (IKEEXT)
This provider is used for Internet Protocol security (IPsec) policies.

Steps to reproduce this behavior

1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the User Account Control dialog box, click Allow.
3. Type the following command, and then press ENTER:

auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable
4. Restart the computer.
5. Click Start, click All Programs, click Accessories, click Run, type eventvwr, and then click OK.
6. In the User Account Control dialog box, click Continue.
7. Expand Windows Logs, and then click Security.
8. Search for Event ID 5448, and then note the number of audits for added providers and for deleted providers.
9. Click Start, click All Programs, click Accessories, click Run, type perfmon, and then click OK.
10. In the User Account Control dialog box, click Continue.
11. Expand Monitoring Tools, click Performance Monitor, and then click the Add button.
12. Expand WFP, click Provider Count, click Add, and then click OK.

The number of providers exposed by the counter is more than the number of audits that you found in step 8.
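
The comparison in steps 8 and 12 can also be scripted. The following PowerShell is an added example, not part of the original article. It assumes PowerShell 2.0 or later is installed, that the session is elevated, and that the English text of Event ID 5448 contains a "Change Type:" line with the value Add or Delete; the variable and property names are illustrative.

```powershell
# Added example: compare audited WFP provider changes with the WFP Provider Count counter.
# Run from an elevated PowerShell session; the Security log requires administrator rights.

# Step 8: read every Event ID 5448 record from the Security log.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5448 } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning 'No Event ID 5448 records found. Confirm that success auditing for "Filtering Platform Policy Change" is enabled and that the computer was restarted.'
}

# Assumption: the rendered message has a line such as "Change Type: Add" or "Change Type: Delete".
$added   = @($events | Where-Object { $_.Message -match 'Change Type:\s+Add' }).Count
$deleted = @($events | Where-Object { $_.Message -match 'Change Type:\s+Delete' }).Count

# Step 12: take one sample of the Provider Count counter under the WFP object.
$sample  = Get-Counter -Counter '\WFP\Provider Count' -MaxSamples 1
$counter = [int]$sample.CounterSamples[0].CookedValue

# Assumption: audited providers still registered = adds minus deletes.
$auditedNet = $added - $deleted

# Report the figures side by side. A positive difference is the behavior this
# article describes: the built-in providers are counted but never audited.
New-Object PSObject -Property @{
    AuditedAdds        = $added
    AuditedDeletes     = $deleted
    AuditedNet         = $auditedNet
    CounterValue       = $counter
    CounterMinusAudits = $counter - $auditedNet
} | Format-List
```

A positive CounterMinusAudits value is accounted for by the unaudited providers listed under MORE INFORMATION.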


APPLIES TO
• Windows Vista Ultimate
• Windows Vista Ultimate 64-bit Edition
• Windows Vista Enterprise
• Windows Vista Enterprise 64-bit Edition
• Windows Vista Business
• Windows Vista Business 64-bit Edition
• Windows Vista Home Premium
• Windows Vista Home Premium 64-bit Edition
• Windows Vista Home Basic
• Windows Vista Home Basic 64-bit Edition


Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.