5033 The Windows Firewall Driver has started successfully
Written when the Windows Firewall driver starts successfully. It indicates the core of the filtering functionality has begun running.
Overview
The subcategory is Audit Other System Events. It is generated when the firewall kernel driver starts successfully. Separately from service start 5024, it indicates the driver (the component that does the actual packet filtering) is running.
How it is triggered
- When the firewall driver is loaded and initialized successfully at system startup.
Security review points
- The driver is the substance of filtering. Paired with stop 5034 and start failure 5035, confirm the filtering functionality is running.
- If the driver is not started, filtering may not be in effect even if the service is running.
Notes for log review
- It is a reference event that appears normally at startup. Assess health via pairs with stop/start failure.
Key fields
| Field | Meaning |
|---|---|
Computer / TimeCreated | The host and time of startup |