5034 The Windows Firewall Driver was stopped
Written when the Windows Firewall driver stops. Packet filtering itself halts while the driver is stopped, so the host loses that protection.
Overview
The subcategory is Audit Other System Events. The event is generated when the firewall kernel driver stops. Paired with the start event 5033, it marks the boundaries of the period during which filtering was running.
How it is triggered
- A stop due to shutdown, driver unload, and so on.
Security review points
- Stopping the driver means packet filtering ceases. As with the service stop event 5025, treat it as a possible defense-evasion indicator and investigate stops that are unplanned or occur outside business hours.
- Check whether a start 5033 follows the stop (recovery), and whether suspicious communication occurred while stopped.
Notes for log review
- It also stops on a normal shutdown. Match the stop time against operational plans.
- Note situations where a stop is not accompanied by a start.
Key fields
| Field | Meaning |
|---|---|
| Computer / TimeCreated | The host and time of the stop |
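
The review points above can be applied mechanically to exported events. The following is an added example, not part of the original page: it pairs each 5034 with the next 5033 on the same host and lists the reasons a stop deserves a closer look. The tuple layout, the business-hours range, the planned-window list and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, time

STOP, START = 5034, 5033               # event IDs from this page
BUSINESS_HOURS = (time(8), time(18))   # assumption: Mon-Fri 08:00-18:00 local time

def review_driver_stops(events, planned=()):
    """Pair each 5034 with the next 5033 on the same host and collect review reasons.

    events:  (Computer, TimeCreated, EventID) tuples, e.g. from an exported Security log
    planned: (Computer, window_start, window_end) tuples from the operational plan
    """
    findings, open_stop = [], {}
    for computer, ts, event_id in sorted(events, key=lambda e: e[1]):
        if event_id == STOP:
            is_planned = any(c == computer and s <= ts <= e for c, s, e in planned)
            in_hours = (ts.weekday() < 5
                        and BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])
            reasons = []
            if not is_planned:
                reasons.append("unplanned")
                if not in_hours:
                    reasons.append("off_hours")
            findings.append({"computer": computer, "stopped": ts,
                             "started": None, "reasons": reasons})
            open_stop[computer] = findings[-1]   # a later 5033 closes this window
        elif event_id == START and computer in open_stop:
            open_stop.pop(computer)["started"] = ts
    for f in findings:
        if f["started"] is None:
            f["reasons"].append("no_start")      # no recovery seen in this log
    return findings

# Constructed sample data (not real log output).
SAMPLE_EVENTS = [
    ("WS01", datetime(2024, 3, 4, 10, 0), STOP),
    ("WS01", datetime(2024, 3, 4, 10, 5), START),
    ("WS03", datetime(2024, 3, 5, 14, 0), STOP),
    ("WS03", datetime(2024, 3, 5, 14, 2), START),
    ("SRV02", datetime(2024, 3, 6, 2, 13), STOP),
]
SAMPLE_PLAN = [("WS01", datetime(2024, 3, 4, 9, 30), datetime(2024, 3, 4, 10, 30))]

if __name__ == "__main__":
    for f in review_driver_stops(SAMPLE_EVENTS, SAMPLE_PLAN):
        print(f["computer"], f["stopped"], "->", f["started"], f["reasons"])
```

The `stopped` and `started` values of each finding give the time range to check in network logs for communication that occurred while filtering was down.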