4944 The policy active when the Windows Firewall started
Records the policy that was active when the Windows Firewall started. It is a reference point for the firewall state at startup.
Overview
This event belongs to the Audit MPSSVC Rule-Level Policy Change subcategory. It records the policy settings that were active when the Windows Firewall (service name MPSSVC) started, so it can be read as a per-boot snapshot of the firewall configuration.
How it is triggered
- At firewall service startup (system boot, service restart).
Security review points
- Confirm that the firewall state at startup is as expected (enabled, default policy). A startup with the firewall disabled, or with a policy loosened by an attacker, indicates a defensive gap.
- Read it together with the rule listing (4945) and rule changes (4946 to 4948) to track the startup state and the changes that follow.
Notes for log review
- It is a reference event that appears per boot. Check whether the firewall is correctly in effect at startup rather than counting occurrences.
- Confirm the enabled state and default behavior of each profile (Domain/Private/Public).
Key fields
| Field | Meaning |
|---|---|
| Profile | The firewall profile in question |
| Policy state | The settings active at startup |
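
The startup check described above can be run over exported events, as in this added example (not part of the original page). The sample XML is constructed, and the EventData names `Profile` and `OperationMode` are assumptions to confirm against a 4944 record from your own systems.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample export (not real log data). The Data names "Profile" and
# "OperationMode" are assumptions; confirm them against a 4944 from your hosts.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4944</EventID><TimeCreated SystemTime="2024-01-10T08:00:05Z"/>
  <Computer>ws01.example.test</Computer></System>
 <EventData><Data Name="Profile">Domain</Data><Data Name="OperationMode">On</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4944</EventID><TimeCreated SystemTime="2024-01-10T08:03:41Z"/>
  <Computer>ws02.example.test</Computer></System>
 <EventData><Data Name="Profile">Public</Data><Data Name="OperationMode">Off</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4946</EventID><TimeCreated SystemTime="2024-01-10T08:09:12Z"/>
  <Computer>ws02.example.test</Computer></System>
 <EventData><Data Name="RuleName">constructed rule</Data></EventData>
</Event>
</Events>"""

def startup_records(xml_text):
    """Return one dict per 4944 record: EventData fields plus host and time."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4944":
            continue  # 4945 to 4948 describe rules, not the startup policy
        rec = {d.get("Name"): (d.text or "").strip()
               for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        rec["Time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append(rec)
    return records

def startup_findings(xml_text, expected_mode="On"):
    """Flag startups whose firewall mode is missing or not the expected value."""
    findings = []
    for rec in startup_records(xml_text):
        mode = rec.get("OperationMode")
        if mode is None or mode.lower() != expected_mode.lower():
            findings.append((rec["Computer"], rec["Time"],
                             rec.get("Profile", "?"), mode or "missing"))
    return findings

if __name__ == "__main__":
    for f in startup_findings(SAMPLE):
        print("firewall not in expected state at startup:", f)
```

A record with no mode field is reported as `missing` rather than skipped, so a parsing gap does not read as a healthy startup.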