Article ID: 927823
Article Last Modified on 8/15/2007
APPLIES TO
- Windows Vista Ultimate
- Windows Vista Ultimate 64-bit Edition
- Windows Vista Enterprise
- Windows Vista Enterprise 64-bit Edition
- Windows Vista Business
- Windows Vista Business 64-bit Edition
- Windows Vista Home Premium
- Windows Vista Home Premium 64-bit Edition
- Windows Vista Home Basic
- Windows Vista Home Basic 64-bit Edition
SYMPTOMS
In Windows Vista, the Windows Filtering Platform (WFP) includes a Performance Monitor counter that displays how many network filtering policy providers are registered on the computer. However, this counter displays is more than the number of audits that you find in Event Viewer.
CAUSE
This behavior occurs because WFP includes hard-coded providers that cannot be removed. The services of these providers cannot be disabled or configured never to use WFP. Therefore, to save space in the audit trail, these providers are not audited.
STATUS
This behavior is by design.
MORE INFORMATION
The following providers are not audited in Windows Vista:
- TCP chimney offload
This provider is used for advanced filtering for TCP connections interacting with chimney offload cards.
- IKE and AuthIP Ipsec Keying Modules (IKEEXT)
This provider is used for Internet Protocol security (IPsec) policies.
Steps to reproduce this behavior
- Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- In the User Account Control dialog box, click Allow.
- Type the following command, and then press ENTER:
auditpol /set /subcategory:"filtering platform policy change" /success:enable
- Restart the computer.
- Click Start, click All Programs, click Accessories, click Run, type eventvwr, and then click OK.
- In the User Account Control dialog box, click Continue.
- Expand Windows Logs, and then click Security.
- Search for Event ID 5448, and then note the number of audits for added providers and for deleted providers.
- Click Start, click All Programs, click Accessories, click Run, type perfmon, and then click OK.
- In the User Account Control dialog box, click Continue.
- Expand Monitoring Tools, click Performance Monitor, and then click the Add button.
- Expand WFP, click Provider Count, click Add, and then click OK.
The number of providers exposed by the counter is more than the number of audits that you found in step 8.
Keywords: kbinfo kbtshoot kbprb kbpubtypekc KB927823