Windows Security Log Event ID 4944
4944: The following policy was active when the Windows Firewall started
This event is logged once each time Windows Firewall starts, which is usually at boot. It documents the high-level policy settings in effect at the time of startup.
- Group Policy Applied: Should indicate whether Windows Firewall was getting its settings from Group Policy or the system's local policy, but this appears to always say "No".
- Profile Used: "Public" or "Domain". Windows Firewall seems to always start in Public and then switch to Domain shortly after if appropriate.
- Operational mode: Whether Windows Firewall was enabled or not. Should usually say "On".
- Allow Remote Administration: Disabled/Enabled
- Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled/Disabled
Security Logging:
The logging referred to here has nothing to do with the Security event log; instead it's referring to the C:\Windows\system32\LogFiles\Firewall\pfirewall.log log.
These fields correspond to the check boxes in the Customize Logging Settings for the Public/Domain Profile dialog in the Windows Firewall with Advanced Security MMC console.
- Log Dropped Packets: Disabled/Enabled
- Log Successful Connections: Disabled/Enabled
The following policy was active when the Windows Firewall started.
Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled
Security Logging:
Log Dropped Packets: Disabled
Log Successful Connections: Disabled
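The fields above can be checked automatically once the event description has been collected. The following is an added example, not part of the original page: it parses the description text of a 4944 event, including the nested Security Logging section, and reports fields that differ from a baseline. The function names, the "Security Logging." key prefix and the site baseline in the last call are assumptions made for illustration; the only expectation taken from the page is that Operational mode should usually be "On".

```python
import re

# Constructed sample: the description text of event 4944 as shown on this page.
SAMPLE_4944 = """The following policy was active when the Windows Firewall started.
Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled
Security Logging:
Log Dropped Packets: Disabled
Log Successful Connections: Disabled"""

# Only expectation taken from the page: Operational mode "should usually say On".
DEFAULT_BASELINE = {"Operational mode": "On"}

def parse_4944(message):
    """Return {field: value}; fields under a bare 'Name:' line get 'Name.' as prefix."""
    fields, section = {}, None
    for line in message.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue  # header sentence or blank line
        name, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            section = name  # e.g. "Security Logging:" opens a subsection
        elif section:
            fields[f"{section}.{name}"] = value
        else:
            fields[name] = value
    return fields

def deviations(fields, baseline=DEFAULT_BASELINE):
    """List (field, expected, actual) for baseline fields that differ or are missing."""
    out = []
    for name, expected in baseline.items():
        actual = fields.get(name)
        if actual is None or actual.lower() != expected.lower():
            out.append((name, expected, actual))
    return out

if __name__ == "__main__":
    parsed = parse_4944(SAMPLE_4944)
    print(parsed)
    print(deviations(parsed))
    # Hypothetical site baseline that also expects dropped-packet logging.
    site = {"Operational mode": "On", "Security Logging.Log Dropped Packets": "Enabled"}
    print(deviations(parsed, site))
```

Because Profile Used is typically "Public" at startup and changes to Domain afterwards, it is a poor candidate for a baseline field on this event.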