The IPSec Driver (%SystemDirectory%\drivers\ipsec.sys) is loaded at system startup, regardless of the startup setting for the IPSEC Service (PolicyAgent). The Driver has an OperationMode registry entry (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\IPSec, which determines how the driver functions until the IPSEC Service starts, if it starts at all. One of three System events will be logged almost a minute after EventLog's 6009 startup event, depending on the OperationMode setting and the startup type of the IPSEC Service. Here are the driver registry settings and the resulting System events:
OperationMode 0 - Permit (Bypass). Causes Event 4295.
OperationMode 1 - Block. Causes Event 4296.
OperationMode 2 - (Reserved). Causes Event 4295.
OperationMode 3 - Stateful. Causes Event 4297.
Event 4294 will occur once the IPSEC Service starts, about 8 seconds after the event for the Driver if the Service's startup type is Automatic.
Event 4295 (Bypass) will occur if the Service is Disabled, regardless of the OperationMode registry setting.
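The following PowerShell check is an added example, not part of the original text: it reads OperationMode and the PolicyAgent startup type, predicts the driver event from the rules above, and compares that with what the System log recorded after the latest 6009 event. The 5-minute search window and the absence of an event-source filter are assumptions, and it expects PowerShell 2.0 or later on a system that has ipsec.sys.

```powershell
# Added example (not from the original text). Assumptions: a 5-minute window after
# the 6009 event, and no filter on event source because the text does not name one.
$WindowMinutes = 5
$ipsecKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$mode = (Get-ItemProperty -Path $ipsecKey -ErrorAction SilentlyContinue).OperationMode
$svc  = Get-WmiObject -Class Win32_Service -Filter "Name='PolicyAgent'"
$startMode = if ($svc) { $svc.StartMode } else { 'NotFound' }   # Auto, Manual, Disabled

# OperationMode -> driver event, exactly as listed above
$modeToEvent = @{ 0 = 4295; 1 = 4296; 2 = 4295; 3 = 4297 }
$expected = $null
if ($startMode -eq 'Disabled') {
    $expected = 4295        # Disabled service: Bypass regardless of OperationMode
} elseif ($mode -ne $null -and $modeToEvent.ContainsKey([int]$mode)) {
    $expected = $modeToEvent[[int]$mode]
}

# Most recent boot marker (EventLog 6009); Get-EventLog returns newest entries first
$boot = Get-EventLog -LogName System -Source EventLog |
    Where-Object { $_.EventID -eq 6009 } | Select-Object -First 1
if (-not $boot) { Write-Warning 'No 6009 event found in the System log.'; return }

# IPSec startup events logged inside the window that follows the boot marker
$seen = @(Get-EventLog -LogName System -After $boot.TimeGenerated.AddSeconds(-1) `
            -Before $boot.TimeGenerated.AddMinutes($WindowMinutes) `
            -ErrorAction SilentlyContinue |
    Where-Object { 4294..4297 -contains $_.EventID } | Sort-Object TimeGenerated)
$driverEvent = $seen | Where-Object { 4295..4297 -contains $_.EventID } |
    Select-Object -First 1

"OperationMode=$mode  PolicyAgent StartMode=$startMode  expected driver event=$expected"
$seen | Format-Table TimeGenerated, EventID, Source -AutoSize

if (-not $driverEvent) {
    Write-Warning "No 4295-4297 event within $WindowMinutes minutes of the 6009 event."
} elseif ($expected -and $driverEvent.EventID -ne $expected) {
    # e.g. Block (4296) was configured but the driver reported Bypass (4295)
    Write-Warning "Driver logged $($driverEvent.EventID) but configuration predicts $expected."
}
if ($startMode -eq 'Auto' -and -not ($seen | Where-Object { $_.EventID -eq 4294 })) {
    Write-Warning 'PolicyAgent is Automatic but no 4294 event was logged after startup.'
}
```

A mismatch warning means the registry value or the service startup type was changed since the last boot, or the driver did not start in the mode the configuration calls for.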
, and the links to “Understanding IPSec Driver Startup Modes” and “Thread - Error contacting the DC server” for additional information.