Event ID: 4946

A change was made to the Windows Firewall exception list. A rule was added 

A change was made to the Windows Firewall exception list. A rule was added.

Profile Changed:   %1

Added Rule:
    Rule ID:   %2
    Rule Name: %3


This event generates when new rule was locally added to Windows Firewall.

This event doesn't generate when new rule was added via Group Policy.

Auditing:     Always


Volume:     Low


Microsoft Documentation

Event ID - 4946



Name Field Insertion String OS Example
Profile Changed ProfileChanged %1 Any All
Rule ID RuleId %2 Any {F2649D59-1355-4E3C-B886-CDD08B683199}
Rule Name RuleName %3 Any Allow All Rule

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Tags:
Audit Success
Audit Category:
Policy Change

Audit Subcategory:
MPSSVC Rule-Level Policy Change
Legacy Events:
851 852

LEFT/RIGHT arrow keys for navigation

Back to List