This article includes alist of references,related reading, orexternal links,but its sources remain unclear because it lacksinline citations. Please helpimprove this article byintroducing more precise citations.(March 2025) (Learn how and when to remove this message)

Windows Filtering Platform (WFP) is a set ofsystem services inWindows Vista and later that allows Windows software to process and filter network traffic. Microsoft intended WFP for use byfirewalls,antimalware software, andparental controls apps. Additionally, WFP is used to implement NAT and to store IPSec policy configuration.

WFP relies on Windows Vista'sNext Generation TCP/IP stack. It provides features such as integrated communication and per-application processing logic. Since Windows 8 and Windows Server 2012, WFP allows filtering at the second layer ofTCP/IP suite.

The filtering platform includes the following components:

• Shims, which expose the internal structure of apacket as properties. Different shims exist forprotocols at differentlayers. WFP comes with a set of shims; users can register shims for other protocols using the API. The in-built set of shims includes:
  • Application Layer Enforcement (ALE) shim
  • Transport Layer Module (TLM) shim
  • Network Layer Module (NLM) shim
  • RPC Runtime shim
  • Internet Control Message Protocol (ICMP) shim
  • Stream shim

• Filtering engine, which spans bothkernel-mode anduser-mode, providing basic filtering capabilities. It matches the data within a packet – as exposed by the shims – against filtering rules, and either blocks or permits the packet. Acallout (see below) may implement any other action as required. The filters operate on a per-application basis. To mitigate conflicts between filters, they are givenweights (priorities) and grouped intosublayers, which also have weights. Filters and callouts may be associated toproviders which may be given a name and description and are essentially associated to a particular application or service.
• Base filtering engine, the module that manages the filtering engine. It accepts filtering rules and enforces the security model of the application. It also maintains statistics for the WFP and logs its state.
• Callout, acallback function exposed by a filtering driver. The filtering drivers provide filtering capabilities other than the default block/allow. Administrators specify a callout function during registration of a filter rule. When the filter matches, the system invokes the callout, which handles a specified action.

Starting withWindows 7, thenetsh command can diagnose of the internal state of WFP.

Microsoft released three out-of-band hotfixes for WFP in Windows Vista and Windows 7 to address issues that could cause a memory leak, loss of connectivity during aRemote Desktop Connection session, or ablue screen of death. Later, these hotfixes were rolled up into one package.^[1]

• Kresten, Proteus Valre (May 2012).Windows Filtering Platform. VolutPress.ISBN 978-620-1-65842-4. Retrieved25 March 2025.

• Windows Filtering Platform Architecture Overview

• Windows communication and services
• Windows Vista
• Windows Server 2008

• Articles lacking in-text citations from March 2025
• All articles lacking in-text citations
• Articles with short description
• Short description is different from Wikidata