5037 The Windows Firewall Driver detected a critical runtime error and is terminating
Written when the Windows Firewall driver detects a critical runtime error and terminates. It indicates filtering stopped abnormally.
Overview
The subcategory is Audit Other System Events. It is generated when the firewall kernel driver detects a critical error during execution and terminates itself.
How it is triggered
- An abnormal termination due to a critical internal error or memory corruption during driver execution.
Security review points
- Abnormal termination of the driver means filtering stops. As with a driver stop (5034), it creates an interval in which defenses are inactive, so investigate the cause.
- A kernel-level fault can indicate an attack on or destruction of the driver, or a serious system malfunction. Investigate together with surrounding system events.
Notes for log review
- It is rare but serious. When it occurs, check the state of the driver and kernel and the defensive gap during that time.
- Check whether the driver recovered, as shown by a subsequent successful start event (5033).
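The review steps above (measure the defensive gap, confirm recovery via 5033) can be scripted over exported events. The following is an added example, not part of the original reference; the `(host, timestamp, event ID)` tuple layout, the host names and the sample records are constructed assumptions.

```python
from datetime import datetime

# Constructed sample records (host, time, event ID), as they might look after
# exporting the Security log from several hosts. Not real log data.
SAMPLE_EVENTS = [
    ("WS01", "2024-03-01T10:00:00", 5033),
    ("WS01", "2024-03-01T14:12:30", 5037),
    ("WS01", "2024-03-01T14:19:45", 5033),
    ("SRV02", "2024-03-01T09:00:00", 5033),
    ("SRV02", "2024-03-01T11:00:00", 5034),
    ("SRV02", "2024-03-01T11:00:05", 5033),
    ("SRV02", "2024-03-02T02:30:00", 5037),
]

DRIVER_STARTED = 5033
# Labels are illustrative; the event IDs are the ones named on this page.
DRIVER_DOWN = {5034: "stopped", 5037: "critical error"}


def firewall_gaps(events):
    """Return one dict per interval in which the firewall driver was down.

    A gap opens at the first 5034/5037 on a host and closes at the next 5033
    on the same host. A gap with no later 5033 is reported with end=None.
    """
    open_gaps = {}  # host -> gap dict still waiting for a 5033
    gaps = []
    for host, ts, event_id in sorted(events, key=lambda e: (e[1], e[0])):
        when = datetime.fromisoformat(ts)
        if event_id in DRIVER_DOWN and host not in open_gaps:
            gap = {"host": host, "cause": DRIVER_DOWN[event_id],
                   "event_id": event_id, "start": when,
                   "end": None, "seconds": None}
            open_gaps[host] = gap
            gaps.append(gap)
        elif event_id == DRIVER_STARTED and host in open_gaps:
            gap = open_gaps.pop(host)
            gap["end"] = when
            gap["seconds"] = (when - gap["start"]).total_seconds()
    return gaps


if __name__ == "__main__":
    for g in firewall_gaps(SAMPLE_EVENTS):
        state = (f"recovered after {g['seconds']:.0f}s" if g["end"]
                 else "NO RECOVERY (no 5033 seen)")
        print(f"{g['host']} {g['start']} {g['event_id']} ({g['cause']}): {state}")
```

Gaps with `end=None` are the ones to escalate first: the driver terminated and no successful start followed in the collected data.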
Key fields
| Field | Meaning |
|---|---|
| Error information | The nature of the critical error |