Event ID: 4946

A change was made to the Windows Firewall exception list. A rule was added 

A change was made to the Windows Firewall exception list. A rule was added.

Profile Changed:   %1

Added Rule:
    Rule ID:   %2
    Rule Name: %3
Microsoft Documentation

Event ID - 4946



This event generates when new rule was locally added to Windows Firewall.

This event doesn't generate when new rule was added via Group Policy.



Name Field Insertion String OS Example
Profile Changed ProfileChanged %1 Any All
Rule ID RuleId %2 Any {F2649D59-1355-4E3C-B886-CDD08B683199}
Rule Name RuleName %3 Any Allow All Rule

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
How to enable Windows Auditing

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Audit Category:
Policy Change

Audit Subcategory:
MPSSVC Rule-Level Policy Change
Legacy Events:
851 852

LEFT/RIGHT arrow keys for navigation

Back to List