Event ID 4948
A change was made to the Windows Firewall exception list. A rule was deleted.
Profile Changed: %1
Deleted Rule:
Rule ID: %2
Rule Name: %3
This event is generated when a Windows Firewall rule is deleted.
This event is not generated when the rule is deleted via Group Policy.
Name | Field | Insertion String | OS | Example
Profile Changed | ProfileChanged | %1 | Any | All
Rule ID | RuleId | %2 | Any | {F2649D59-1355-4E3C-B886-CDD08B683199}
Rule Name | RuleName | %3 | Any | Allow All Rule
Profile Changed: The list of profiles to which the deleted rule was applied. Examples:
All
Domain,Public
Domain,Private
Private,Public
Public
Domain
Private
Rule ID: The unique identifier of the deleted firewall rule.
To see the unique ID of a rule, navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key. It lists the Windows Firewall rule IDs, with the "Name" column containing the rule ID value.
Rule Name: The name of the rule that was deleted.
You can see the names of Windows Firewall rules in the "Windows Firewall with Advanced Security" management console (wf.msc). The “Name” column can be used to match the "Rule Name" value from the event.
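The following PowerShell is an added example, not part of the original reference: it maps the three insertion strings described above (ProfileChanged, RuleId, RuleName) out of the event XML into objects for review. It assumes the event is read from the Security log; the function names and the sample event (host name, timestamp) are constructed for illustration.

```powershell
# Added example: turn event 4948 XML into objects with the documented fields.
function ConvertFrom-Event4948Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ([int]$evt.System.EventID -ne 4948) { return }   # ignore other events

        # EventData carries one <Data Name="..."> element per insertion string.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $evt.System.TimeCreated.SystemTime    # raw UTC string
            Computer    = $evt.System.Computer
            Profiles    = @($data['ProfileChanged'] -split ',') # %1, e.g. Domain,Public
            RuleId      = $data['RuleId']                       # %2
            RuleName    = $data['RuleName']                     # %3
        }
    }
}

# Live use (assumption: run elevated on the host whose Security log is wanted).
function Get-DeletedFirewallRule {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4948 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-Event4948Xml
}

# Constructed sample event so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4948</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.0000000Z" />
    <Computer>HOST01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="ProfileChanged">Domain,Public</Data>
    <Data Name="RuleId">{F2649D59-1355-4E3C-B886-CDD08B683199}</Data>
    <Data Name="RuleName">Allow All Rule</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event4948Xml
```

Because Group Policy deletions do not produce this event, the output covers only rules removed from the local policy store.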
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"