Windows Security Log Event ID 4944

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Policy Change • MPSSVC Rule-Level Policy Change
Type	Success
Corresponding events in Windows 2003 and before	848

4944: The following policy was active when the Windows Firewall started

On this page

Description of this event
Field level details
Examples
Discuss this event
Mini-seminars on this event

This event is logged once each time Windows Firewall start which is usually at boot up. This event documents the high level policy settings in effect at the time of startup.

Free Security Log Resources by Randy

Description Fields in 4944

Group Policy Applied: should indicate whether Windows Firewall was getting its settings from Group Policy or the system's local policy but this appears to always say "No"
Profile Used: "Public" or "Domain". Windows Firewall seems to always start in Public and then switch to Domain shortly after if appropriate.
Operational mode: Whether Windows Firewall was enabled or not. Should usually say "On"
Allow Remote Administration: Disabled/Enabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled/Disabled

Security Logging:

The logging referred to here has nothing to do with the Security event log; instead it's referring to the C:\Windows\system32\LogFiles\Firewall\pfirewall.log log.

These fields corresponds to the check box in the Customize Loggin Settings for the Public/Domain Profile dialog in Windows Firewall with Advanced Security MMC console.

Log Dropped Packets: Disabled/Enabled
Log Successful Connections: Disabled/Enabled

Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.

Free.

Examples of 4944

The following policy was active when the Windows Firewall started.

Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled

Security Logging:

Log Dropped Packets: Disabled
Log Successful Connections: Disabled

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 4944

Top 3 Workstation Logs to Monitor for Early Detection of Attacks: Security Log, PowerShell, Sysmon

Upcoming Webinars

Why SIEM is Difficult

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

September 2023 Patch Monday	"Patch Tuesday - Two Zero Days; Five Critical " - sponsored by LOGbinder

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2023 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.