Event ID 4944 - The following policy was active when the Windows Firewall started

Event ID: 4944

The following policy was active when the Windows Firewall started

The following policy was active when the Windows Firewall started.

Group Policy Applied:                                   %1
Profile Used:                                           %2
Operational mode:                                       %3
Allow Remote Administration:                            %4
Allow Unicast Responses to Multicast/Broadcast Traffic: %5
Security Logging:
    Log Dropped Packets:        %6
    Log Successful Connections: %7

Microsoft Documentation

Event ID - 4944

This event generates every time Windows Firewall service starts.

This event shows Windows Firewall settings that were in effect when the Windows Firewall service started.

	Field	Insertion String	OS	Example
Group Policy Applied	GroupPolicyApplied	%1	Any	No
Profile Used	Profile	%2	Any	Public
Operational mode	OperationMode	%3	Any	Off
Allow Remote Administration	RemoteAdminEnabled	%4	Any	Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic	MulticastFlowsEnabled	%5	Any	Enabled
Log Dropped Packets	LogDroppedPacketsEnabled	%6	Any	Disabled
Log Successful Connections	LogSuccessfulConnectionsEnabled	%7	Any	Disabled

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"MPSSVC Rule-Level Policy Change"

How to enable Windows Auditing

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Audit Category:

Policy Change

Audit Subcategory:

MPSSVC Rule-Level Policy Change

Legacy Events:

848

LEFT/RIGHT arrow keys for navigation

Back to List