Event ID: 4946
A change was made to the Windows Firewall exception list. A rule was added
A change was made to the Windows Firewall exception list. A rule was added.
Profile Changed: %1
Added Rule:
Rule ID: %2
Rule Name: %3
This event generates when new rule was locally added to Windows Firewall.
This event doesn't generate when new rule was added via Group Policy.
| Name |
Field |
Insertion String |
OS |
Example |
|
|
|
Profile Changed |
ProfileChanged |
%1 |
Any |
All
|
|
|
Rule ID |
RuleId |
%2 |
Any |
{F2649D59-1355-4E3C-B886-CDD08B683199}
|
|
|
Rule Name |
RuleName |
%3 |
Any |
Allow All Rule
|
The list of profiles to which new rule was applied. Examples:
All
Domain,Public
Domain,Private
Private,Public
Public
Domain
Private
The unique firewall rule identifier.
To see the unique ID of the rule you can to navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key and you will see the list of Windows Firewall rule IDs, with the "Name" column containing the rule ID value.
The name of the rule which was added.
You can see the name of Windows Firewall rules using "Windows Firewall with Advanced Security" management console (wf.msc), the “Name” column can be used to match the "Rule Name" value from the event.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
LEFT/RIGHT arrow keys for navigation
Back to List