Event ID 4945
A rule was listed when the Windows Firewall started
A rule was listed when the Windows Firewall started.
Profile used: %1
Rule:
Rule ID: %2
Rule Name: %3
This event is generated every time the Windows Firewall service starts.
This event shows an inbound and/or outbound rule that was listed when the Windows Firewall started and was applied for the “Public” profile. Unfortunately, this event only ever shows rules for the Public profile.
This event is generated once per rule.
| Name | Field | Insertion String | OS | Example |
|---|---|---|---|---|
| Profile used | ProfileUsed | %1 | Any | Public |
| Rule ID | RuleId | %2 | Any | NPS-NPSSvc-In-RPC |
| Rule Name | RuleName | %3 | Any | Network Policy Server (RPC) |
Profile used: The name of the profile that the rule belongs to. It always has the value “Public”, because this event shows rules only for the “Public” profile.
Rule ID: The unique firewall rule identifier.
To see the unique ID of a rule, navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key, where you will see the list of Windows Firewall rule IDs; the "Name" column contains the rule ID value.
Rule Name: The name of the rule that was listed when the Windows Firewall started. You can see the names of Windows Firewall rules in the "Windows Firewall with Advanced Security" management console (wf.msc); the “Name” column can be used to match the "Rule Name" value from the event.
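Because one 4945 event is written per rule at every firewall start, the Rule IDs can be compared against a known-good list to spot rules that appeared or disappeared between starts. The script below is an added example, not part of the original page: the baseline file path, the one-day lookback window and the output labels are assumptions chosen for illustration.

```powershell
# Added example (not from the original page). Run elevated: reading the Security log needs admin rights.
# $BaselinePath is a hypothetical file holding one known-good Rule ID per line.
param(
    [string]$BaselinePath = '.\fw-rule-baseline.txt',
    [datetime]$Since = (Get-Date).AddDays(-1)   # assumed lookback window
)

$filter = @{ LogName = 'Security'; Id = 4945; StartTime = $Since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No 4945 events since $Since. Check the audit policy for 'MPSSVC Rule-Level Policy Change'."
    return
}

# One event per rule; insertion strings are %1 ProfileUsed, %2 RuleId, %3 RuleName.
$listed = @($events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        ProfileUsed = [string]$_.Properties[0].Value
        RuleId      = [string]$_.Properties[1].Value
        RuleName    = [string]$_.Properties[2].Value
    }
} | Sort-Object -Property RuleId -Unique)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what was listed so later starts can be compared against it.
    $listed.RuleId | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($listed.Count) rule IDs."
    return
}

$baseline = @(Get-Content -Path $BaselinePath)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject @($listed.RuleId)

# '=>' : listed at startup but absent from the baseline (new rule to review).
# '<=' : in the baseline but not listed in the window (rule removed or no longer applied).
foreach ($d in $diff) {
    $rule = $listed | Where-Object RuleId -eq $d.InputObject | Select-Object -First 1
    [pscustomobject]@{
        Change   = if ($d.SideIndicator -eq '=>') { 'NotInBaseline' } else { 'MissingFromEvents' }
        RuleId   = $d.InputObject
        RuleName = $rule.RuleName
    }
}
```

Since the event only lists rules for the Public profile, the baseline built this way covers only those rules.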
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"