deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-23 02:37:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/device-security/auditing/event-4945.md
Brian Lich 33c3fb2e74 New TOC for docs.microsoft.com
2017-04-19 14:12:47 -07:00

3.5 KiB
Raw Blame History

title, description, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
title description ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author
4945(S) A rule was listed when the Windows Firewall started. (Windows 10) Describes security event 4945(S) A rule was listed when the Windows Firewall started. security w10 deploy library Mir0sh

4945(S): A rule was listed when the Windows Firewall started.

Applies to

  • Windows 10
  • Windows Server 2016
Event 4945 illustration

Subcategory: Audit MPSSVC Rule-Level Policy Change

Event Description:

This event generates every time Windows Firewall service starts.

This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile.

This event generates per rule.

Note

  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4945</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>13571</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-02T23:48:27.535295100Z" /> 
 <EventRecordID>1049946</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="500" ThreadID="4744" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="ProfileUsed">Public</Data> 
 <Data Name="RuleId">NPS-NPSSvc-In-RPC</Data> 
 <Data Name="RuleName">Network Policy Server (RPC)</Data> 
 </EventData>
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Profile used [Type = UnicodeString]: the name of the profile that the rule belongs to. It always has value “Public”, because this event shows rules only for “Public” profile.

Rule:

  • Rule ID [Type = UnicodeString]: the unique firewall rule identifier.

    To see the unique ID of the rule you need to navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:

Registry Editor FirewallRules key illustration
  • Rule Name [Type = UnicodeString]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (wf.msc), check “Name” column:
Windows Firewall with Advanced Security illustration

Security Monitoring Recommendations

For 4945(S): A rule was listed when the Windows Firewall started.

  • Typically this event has an informational purpose.

  • Unfortunately this event shows rules only for Public profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same.