Share via

WFP evaluation order with same weight

L Giordani 20 Reputation points
2026-04-27T09:09:49.33+00:00

Hi,

I'm trying to understand how filters are evaluated in Windows filtering platforms. The documentation states that filters within a sublayer are evaluated in descending order of their weight. However, upon observation, some filters may have the same weight within the same sublayer and layer. So my question is: what is the evaluation order in this case?

An example from a wfpstate.xml :


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wfpstate>
	<layers numItems="103">
        <item>
            <layer>
                <layerKey>FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4</layerKey>
                <displayData>
                    <name>ALE Resource Assignment v4 Layer</name>
                    <description/>
                </displayData>
                [...]
            </layer>
            <filters numItems="36">
                <item>
					<filterKey>{f1696866-333c-4c39-bf31-0b819bbddcf1}</filterKey>
					<displayData>
						<name>Delivery Optimization (UDP-In)</name>
						<description>Inbound rule to allow Delivery Optimization to connect to remote endpoints</description>
					</displayData>
					<flags/>
					<providerKey>FWPM_PROVIDER_MPSSVC_WF</providerKey>
					<providerData>
						<data>2f01000000000000</data>
						<asString>/.......</asString>
					</providerData>
					<layerKey>FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4</layerKey>
					<subLayerKey>FWPM_SUBLAYER_MPSSVC_WF</subLayerKey>
					<weight>
						<type>FWP_UINT8</type>
						<uint8>9</uint8>
					</weight>
					<filterCondition numItems="4">
						<item>
							<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_BYTE_BLOB_TYPE</type>
								<byteBlob>
									<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650032005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
									<asString>\device\harddiskvolume2\windows\system32\svchost.exe</asString>
								</byteBlob>
							</conditionValue>
						</item>
						<item>
							<fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
								<sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3055155277-3816794035-3994065555-2874236192-2193176987)</sd>
							</conditionValue>
						</item>
						<item>
							<fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_UINT16</type>
								<uint16>7680</uint16>
							</conditionValue>
						</item>
						<item>
							<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_UINT8</type>
								<uint8>17</uint8>
							</conditionValue>
						</item>
					</filterCondition>
					<action>
						<type>FWP_ACTION_PERMIT</type>
						<filterType/>
					</action>
					<rawContext>0</rawContext>
					<reserved/>
					<filterId>67938</filterId>
					<effectiveWeight>
						<type>FWP_UINT64</type>
						<uint64>11528792764883927040</uint64>
					</effectiveWeight>
				</item>
                <item>
					<filterKey>{4cba4569-9f32-4d14-a555-9ddc84c80f1e}</filterKey>
					<displayData>
						<name>Network Discovery (LLMNR-UDP-In)</name>
						<description>Inbound rule for Network Discovery to allow Link Local Multicast Name Resolution. [UDP 5355]</description>
					</displayData>
					<flags/>
					<providerKey>FWPM_PROVIDER_MPSSVC_WF</providerKey>
					<providerData>
						<data>e601000000000000</data>
						<asString>........</asString>
					</providerData>
					<layerKey>FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4</layerKey>
					<subLayerKey>FWPM_SUBLAYER_MPSSVC_WF</subLayerKey>
					<weight>
						<type>FWP_UINT8</type>
						<uint8>9</uint8>
					</weight>
					<filterCondition numItems="4">
						<item>
							<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_BYTE_BLOB_TYPE</type>
								<byteBlob>
									<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650032005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
									<asString>\device\harddiskvolume2\windows\system32\svchost.exe</asString>
								</byteBlob>
							</conditionValue>
						</item>
						<item>
							<fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
								<sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-859482183-879914841-863379149-1145462774-2388618682)</sd>
							</conditionValue>
						</item>
						<item>
							<fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_UINT16</type>
								<uint16>5355</uint16>
							</conditionValue>
						</item>
						<item>
							<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
							<matchType>FWP_MATCH_EQUAL</matchType>
							<conditionValue>
								<type>FWP_UINT8</type>
								<uint8>17</uint8>
							</conditionValue>
						</item>
					</filterCondition>
					<action>
						<type>FWP_ACTION_PERMIT</type>
						<filterType/>
					</action>
					<rawContext>0</rawContext>
					<reserved/>
					<filterId>68848</filterId>
					<effectiveWeight>
						<type>FWP_UINT64</type>
						<uint64>11528792764883927040</uint64>
					</effectiveWeight>
				</item>
            </filters>
        </item>
    </layers>
</wfpstate>

The two filters share the same effective weight at the same sublayers.

Thanks.

Windows development | Windows API - Win32
0 comments

Answer accepted by question author

Michael Le (WICLOUD CORPORATION) 11,325 Reputation points Microsoft External Staff Moderator
2026-04-27T10:56:13.1633333+00:00

Hello @L Giordani ,

I would not treat the order in wfpstate.xml as a supported priority rule.

The documented ordering stops at “highest weight to lowest weight” and I do not see a documented secondary rule for filters that have the same effective weight in the same sublayer in the Filter Arbitration documentation.

In your case, the two example filters appear to match different traffic, since one is for UDP local port 7680 and the other is for UDP local port 5355. So they would not normally compete for the same packet.

That said, if you have two filters that can match the same traffic and their effective weight is the same within the same sublayer, I would avoid relying on whichever one appears first in the XML output, the filter ID, or creation order.

I would suggest making the priority explicit instead: assign distinct filter weights when both filters must stay in the same sublayer, or place the filters in different sublayers when you need stronger control over evaluation priority.

I hope this clarifies. If you found this informative, please consider leaving feedback through this guide.

Thank you.

Was this answer helpful?

1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest

  1. AI answer

    2026-04-27T09:10:03.7666667+00:00

    Within a sub-layer, Windows Filtering Platform (WFP) defines the evaluation order as:

    1. Build the list of matching filters ordered by weight from highest to lowest.
    2. Evaluate matching filters in that order until a filter returns Permit or Block (or the list is exhausted).

    The documentation explicitly states ordering only by weight. It does not define any secondary, deterministic ordering rule for filters that share the same weight within the same sub-layer. Therefore, for filters that:

    • are in the same layer,
    • are in the same sub-layer, and
    • have the same weight (and thus the same effectiveWeight),

    WFP does not guarantee a specific evaluation order between them. They are logically at the same priority, and any of them may be evaluated first among that equal-weight group.

    The only guaranteed way to control relative evaluation order is to ensure that filters which must run earlier or later have distinct weights (or are placed in different sub-layers with different sub-layer priorities). If two filters must have a strict ordering, they should not share the same weight in the same sub-layer.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.