4945 A rule was listed when the Windows Firewall started
Records each active rule, one at a time, when the Windows Firewall starts. It is a reference event for understanding the rule set at startup.
Overview
The subcategory is Audit MPSSVC Rule-Level Policy Change. At firewall startup, each registered rule is enumerated as one instance of this event. Taken together, these events form a snapshot of the entire rule set at startup.
How it is triggered
- Generated once per active rule when the firewall service starts.
Security review points
- From the startup rule listing, you can confirm whether unexpected allow rules (passing suspicious ports or programs) are permanently installed. This helps find persistent allow rules planted by an attacker.
- Event 4946 (rule addition) shows the moment of change; 4945 shows the cumulative state at startup. Use both to track “when it was added and whether it remains at startup.”
Notes for log review
- It appears in bulk at startup, one per rule, so the count is high. Match each rule’s content (port, program, allow/block) against the legitimate baseline rule set.
- Note unfamiliar allow rules.
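The baseline comparison and the 4946 correlation described above, as an added example that is not part of the original page. It parses events in the XML form exported from the Security log and compares by rule ID only; the `RuleId`/`RuleName` data field names, the baseline set and all sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, time, rule_id, rule_name):
    """Build one constructed Security-log event in exported XML form."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="RuleId">{rule_id}</Data>'
            f'<Data Name="RuleName">{rule_name}</Data></EventData></Event>')

# Constructed sample data (not from a real host): one 4946 addition, then a boot.
SAMPLE_EVENTS = [
    _event(4946, "2024-05-01T02:13:07Z", "{CONSTRUCTED-0001}", "Updater Helper"),
    _event(4945, "2024-05-02T08:00:01Z", "CoreNet-DHCP-In", "Core Networking - DHCP (In)"),
    _event(4945, "2024-05-02T08:00:01Z", "RemoteDesktop-UserMode-In-TCP", "Remote Desktop (TCP-In)"),
    _event(4945, "2024-05-02T08:00:01Z", "{CONSTRUCTED-0001}", "Updater Helper"),
]
# Assumed baseline: rule IDs approved for this host.
BASELINE_RULE_IDS = {"CoreNet-DHCP-In", "RemoteDesktop-UserMode-In-TCP"}

def parse_event(xml_text):
    """Extract the event ID, timestamp and rule identity from one event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "rule_id": data.get("RuleId", ""),
        "rule_name": data.get("RuleName", ""),
    }

def review_startup_rules(xml_events, baseline_ids):
    """Return 4945 rules absent from the baseline, with the 4946 add time if logged."""
    events = [parse_event(x) for x in xml_events]
    added_at = {e["rule_id"]: e["time"] for e in events if e["id"] == 4946}
    findings, seen = [], set()
    for e in events:
        if e["id"] != 4945 or e["rule_id"] in baseline_ids or e["rule_id"] in seen:
            continue  # not a startup listing, approved, or already reported
        seen.add(e["rule_id"])
        findings.append({"rule_id": e["rule_id"], "rule_name": e["rule_name"],
                         "listed_at_startup": e["time"],
                         "added_at": added_at.get(e["rule_id"])})
    return findings

if __name__ == "__main__":
    for finding in review_startup_rules(SAMPLE_EVENTS, BASELINE_RULE_IDS):
        print(finding)
```

A finding whose `added_at` is `None` means no 4946 for that rule exists in the supplied events, so the rule predates the retained log window or was added without that audit record being collected.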
Key fields
| Field | Meaning |
|---|---|
| Rule name / ID | The enumerated rule |
| Port/program/action | The rule’s content (allow/block) |