
4949 Windows Firewall settings were restored to the default values

Logged when Windows Firewall settings are restored to their default values. Because the restore discards every custom rule, a single operation can strip the host of defenses it relied on.

Overview

The subcategory is Audit MPSSVC Rule-Level Policy Change (in the Policy Change category); the event appears only when that subcategory is configured to audit Success. It is generated when the firewall settings are reset to the default (factory) state. Every custom rule the organization added is lost in one stroke.

How it is triggered

  • netsh advfirewall reset, the “Restore Defaults” action in the Windows Defender Firewall GUI, or an equivalent reset performed through the firewall management API (for example by management tooling).

Security review points

  • Restoring to defaults wipes out the defensive rules the organization added (specific blocks, port restrictions, etc.). An attacker may use it to remove blocking rules that hamper their activity, or to wipe allow rules they created earlier so that no trace of them remains. Investigate any restore that was not planned.
  • A restore changes the rule set wholesale. Reconstruct the before/after state from 4945 (rules listed when the firewall service started) and from the individual change events 4946 (rule added), 4947 (rule modified) and 4948 (rule deleted) around the restore.

Notes for log review

  • A restore is a rare operation. Treat an unplanned restore as high priority and confirm who requested it.
  • Identify the subject that performed the restore and check whether the rules were reconfigured afterward, whether by change management or by the same actor.
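The triage described above, as an added PowerShell example (not code from the original page): it pulls every 4949 from the local Security log over a lookback window, reads the event's data fields generically (so it does not depend on exact field names, which are an assumption here), and collects the 4945 to 4948 events that follow each restore so the reviewer can see who did it and whether rules were rebuilt afterward. It assumes the Audit MPSSVC Rule-Level Policy Change subcategory is enabled for Success and that the session is elevated enough to read the Security log. The function name and the parameter defaults are illustrative.

```powershell
# Added example, not part of the original page.
# Assumes: Security log readable (elevated session) and
# "Audit MPSSVC Rule-Level Policy Change" auditing Success, e.g. checked with
#   auditpol /get /subcategory:"MPSSVC Rule-Level Policy Change"
function Get-FirewallRestoreEvents {
    [CmdletBinding()]
    param(
        [int]$LookbackHours   = 24,   # how far back to look for 4949 (assumed default)
        [int]$FollowUpMinutes = 30,   # window after a restore to collect 4945-4948 (assumed default)
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $since = (Get-Date).AddHours(-$LookbackHours)
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $restores = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4949; StartTime = $since }

    foreach ($evt in $restores) {
        # Read EventData name/value pairs generically instead of hard-coding field names.
        $xml  = [xml]$evt.ToXml()
        $data = [ordered]@{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        # Rule changes right after the restore: 4946 add, 4947 modify, 4948 delete.
        # 4945 entries show the rule set listed when the firewall service started.
        $end = $evt.TimeCreated.AddMinutes($FollowUpMinutes)
        $after = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4945, 4946, 4947, 4948
                StartTime = $evt.TimeCreated
                EndTime   = $end
            }

        $changes = @($after | Where-Object { $_.Id -in 4946, 4947, 4948 })
        $startupListings = @($after | Where-Object { $_.Id -eq 4945 })

        [pscustomobject]@{
            Computer            = $evt.MachineName
            RestoreTime         = $evt.TimeCreated
            RecordId            = $evt.RecordId
            # Subject/Modifying Application and any other fields the event carries.
            EventData           = $data
            # Rules re-added/modified/deleted within the follow-up window.
            FollowUpRuleChanges = $changes.Count
            FollowUpDetail      = $changes | ForEach-Object {
                '{0} {1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
            }
            # A firewall service start shortly after the restore lists the rules
            # the host came back up with (4945).
            StartupRuleListings = $startupListings.Count
            # No rule changes after a restore means the host is running on defaults only.
            LeftOnDefaults      = ($changes.Count -eq 0)
        }
    }
}

# Usage: review the last three days, then read each restore's fields and follow-up activity.
Get-FirewallRestoreEvents -LookbackHours 72 | Format-List
```

A restore with LeftOnDefaults equal to True and no matching change ticket is the case to escalate first; one followed by a burst of 4946 events is usually a rebuild, but compare the re-added rules with the pre-restore set before closing the alert.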

Key fields

Field                   Meaning
Modifying Application   The process that performed the restore
Subject\Account Name    The acting subject (the account that triggered the restore)
