WFP & BFE (deep dive)
How filters are stored, enforced, and hooked into the packet path.
Why it matters
Modern Windows firewalls and endpoint security build on WFP. Understanding BFE explains persistent policies, boot-time filtering, and callout registration.
Mental model
WFP is a set of layers + a filter engine; BFE is the user-mode service that coordinates configuration, storage, and security of that filtering system.
How it works
1. Kernel shims hand packets/streams to the filter engine at specific layers.
2. Filters are matched and actions are chosen; callouts can run for deep inspection/modification.
3. BFE manages filter objects (persistent/dynamic/boot-time) and plumbs configuration to kernel components.
Key terms
- BFE: Base Filtering Engine service coordinating WFP configuration and security.
- Layer: A WFP classification point in the networking stack.
- Filter: A rule attached to a layer, possibly invoking callouts or permitting/blocking.
Why some filtering works before logon
WFP supports boot-time filtering in kernel mode until BFE starts and persistent policy is fully plumbed.
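An added illustration, not part of the original page: a small Python parser that sorts filters by lifetime and marks callout actions, run over a constructed sample modeled on the filters.xml that `netsh wfp show filters` writes. The function names, the sample filters and the "runtime" label for filters carrying neither flag are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the filters.xml that
# `netsh wfp show filters` writes; names and ids are made up.
SAMPLE = """<wfpdiag><filters numItems="3">
<item><displayData><name>constructed boot-time block</name></displayData>
 <flags numItems="1"><item>FWPM_FILTER_FLAG_BOOTTIME</item></flags>
 <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
 <action><type>FWP_ACTION_BLOCK</type></action><filterId>101</filterId></item>
<item><displayData><name>constructed persistent permit</name></displayData>
 <flags numItems="1"><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <action><type>FWP_ACTION_PERMIT</type></action><filterId>102</filterId></item>
<item><displayData><name>constructed inspection callout</name></displayData>
 <flags/>
 <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
 <action><type>FWP_ACTION_CALLOUT_TERMINATING</type></action>
 <filterId>103</filterId></item>
</filters></wfpdiag>"""

def lifetime(flags):
    """Map a filter's flag set to a lifetime label (labels are this example's own)."""
    if "FWPM_FILTER_FLAG_BOOTTIME" in flags:
        return "boot-time"    # enforced in the kernel even before BFE starts
    if "FWPM_FILTER_FLAG_PERSISTENT" in flags:
        return "persistent"   # stored by BFE, survives a BFE stop/start
    return "runtime"          # neither flag: does not outlive the running BFE

def audit(xml_text):
    """Return one record per filter: id, name, layer, lifetime, action, callout use."""
    rows = []
    for item in ET.fromstring(xml_text).findall("./filters/item"):
        flags = {f.text for f in item.findall("./flags/item")}
        action = item.findtext("./action/type", default="")
        rows.append({
            "id": int(item.findtext("filterId")),
            "name": item.findtext("./displayData/name", default=""),
            "layer": item.findtext("layerKey"),
            "lifetime": lifetime(flags),
            "action": action,
            "callout": action.startswith("FWP_ACTION_CALLOUT"),
        })
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Grouping the records by `layer` and `lifetime` shows which rules are in force during boot and which ones hand traffic to a callout driver.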
Common misconception
People assume firewall rules are only user-mode settings. They are enforced in the kernel packet path via WFP layers and callouts.