5030 The Windows Firewall Service failed to start
Written when the Windows Firewall Service fails to start. It means defenses do not come up, leading to loss of protection.
Overview
The subcategory is Audit Other System Events. It is generated when the firewall service (MPSSVC) fails to start. It is the fault counterpart to successful start 5024.
How it is triggered
- When startup fails due to dependent-service problems, driver initialization failure 5029, configuration corruption, and so on.
Security review points
- A start failure means the firewall is not in effect. Also consider the possibility of an attacker disrupting the firewall’s startup to disable defenses, and investigate the cause.
- If start failures persist, the host can be unprotected during that time. Strengthen monitoring of network access. Separate the cause together with settings-load failures 5027/5028 and driver failure 5029.
Notes for log review
- It is a rare but important fault event. Check for suspicious communication or logons while the start is failing.
- Check whether a successful start 5024 follows (recovery).
Key fields
| Field | Meaning |
|---|---|
Error information | The cause of the start failure |