Event ID 4947
A change was made to the Windows Firewall exception list. A rule was modified
A change was made to the Windows Firewall exception list. A rule was modified.
Profile Changed: %1
Modified Rule:
Rule ID: %2
Rule Name: %3
This event generates when Windows Firewall rule was modified.
This event doesn't generate when Firewall rule was modified via Group Policy.
| Name |
Field |
Insertion String |
OS |
Example |
|
|
|
Profile Changed |
ProfileChanged |
%1 |
Any |
All
|
|
|
Rule ID |
RuleId |
%2 |
Any |
{F2649D59-1355-4E3C-B886-CDD08B683199}
|
|
|
Rule Name |
RuleName |
%3 |
Any |
Allow All Rule
|
The list of profiles to which changed rule is applied. Examples:
All
Domain,Public
Domain,Private
Private,Public
Public
Domain
Private
The unique firewall rule identifier.
To see the unique ID of the rule you can to navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key and you will see the list of Windows Firewall rule IDs, with the "Name" column containing the rule ID value.
The name of the rule that was modified.
You can see the name of Windows Firewall rules using "Windows Firewall with Advanced Security" management console (wf.msc), the “Name” column can be used to match the "Rule Name" value from the event.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
LEFT/RIGHT arrow keys for navigation
Back to List