Windows Security Log Event ID 4944

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Policy Change
 • MPSSVC Rule-Level Policy Change
Type Success
Corresponding events
in Windows 2003
and before
848  
Discussions on Event ID 4944
Ask a question about this event

4944: The following policy was active when the Windows Firewall started

On this page

This event is logged once each time Windows Firewall start which is usually at boot up.  This event documents the high level policy settings in effect at the time of startup.

Free Security Log Resources by Randy

Description Fields in 4944

  • Group Policy Applied: should indicate whether Windows Firewall was getting its settings from Group Policy or the system's local policy but this appears to always say "No"
  • Profile Used: "Public" or "Domain".  Windows Firewall seems to always start in Public and then switch to Domain shortly after if appropriate.
  • Operational mode: Whether Windows Firewall was enabled or not.  Should usually say "On"
  • Allow Remote Administration: Disabled/Enabled
  • Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled/Disabled

Security Logging:

The logging referred to here has nothing to do with the Security event log; instead it's referring to the C:\Windows\system32\LogFiles\Firewall\pfirewall.log log.

These fields corresponds to the check box in the Customize Loggin Settings for the Public/Domain Profile dialog in Windows Firewall with Advanced Security MMC console.

  • Log Dropped Packets: Disabled/Enabled
  • Log Successful Connections: Disabled/Enabled

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4944

The following policy was active when the Windows Firewall started.

Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled

Security Logging:

   Log Dropped Packets: Disabled
   Log Successful Connections: Disabled

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources