Windows Security Log Event ID 4944
Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Policy Change • MPSSVC Rule-Level Policy Change
Type: Success
Corresponding events in Windows 2003 and before: 848
4944: The following policy was active when the Windows Firewall started
This event is logged once each time Windows Firewall starts, which is usually at boot. It documents the high-level policy settings in effect at the time of startup.
- Group Policy Applied: should indicate whether Windows Firewall was getting its settings from Group Policy or from the system's local policy, but this appears to always say "No".
- Profile Used: "Public" or "Domain". Windows Firewall seems to always start in Public and then switch to Domain shortly afterwards if appropriate.
- Operational mode: whether Windows Firewall was enabled or not. Should usually say "On".
- Allow Remote Administration: Disabled/Enabled
- Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled/Disabled
Security Logging:
The logging referred to here has nothing to do with the Security event log; instead it refers to the C:\Windows\system32\LogFiles\Firewall\pfirewall.log file.
These fields correspond to the check boxes in the Customize Logging Settings for the Public/Domain Profile dialog in the Windows Firewall with Advanced Security MMC console.
- Log Dropped Packets: Disabled/Enabled
- Log Successful Connections: Disabled/Enabled
The following policy was active when the Windows Firewall started.
Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled
Security Logging:
Log Dropped Packets: Disabled
Log Successful Connections: Disabled
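As an added example (not part of the original page), the Python below parses the description text of a 4944 event into fields and reports settings that differ from an expected startup baseline. The baseline values, the "Security Logging/" key prefix and the function names are assumptions made for this example; the sample message is constructed from the event text shown above.

```python
import re

# Constructed sample: description text of one 4944 event, as shown on this page.
SAMPLE_4944 = """The following policy was active when the Windows Firewall started.
Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled
Security Logging:
Log Dropped Packets: Disabled
Log Successful Connections: Disabled
"""

# Assumed baseline (hypothetical; set it per environment). "Group Policy Applied"
# and "Profile Used" are left out on purpose: per the field notes above, the first
# appears to always say "No" and the second normally starts as "Public".
BASELINE = {
    "Operational mode": "On",
    "Allow Remote Administration": "Disabled",
    "Security Logging/Log Dropped Packets": "Enabled",
}

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_4944(message):
    """Return {field: value}; fields under 'Security Logging:' get that prefix."""
    fields, section = {}, None
    for line in message.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner line or blank line
        name, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            section = name  # a label with no value opens a sub-section
        elif section:
            fields[f"{section}/{name}"] = value
        else:
            fields[name] = value
    return fields

def deviations(fields, baseline=BASELINE):
    """List (field, expected, actual) for every baseline setting that differs."""
    return [(name, want, fields.get(name, "<missing>"))
            for name, want in baseline.items()
            if fields.get(name, "<missing>").lower() != want.lower()]

if __name__ == "__main__":
    for finding in deviations(parse_4944(SAMPLE_4944)):
        print("deviation: %s expected=%s actual=%s" % finding)
```
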