Firewall Service and Driver Initialization
Applies To: Windows Server 2008 R2
The Windows Firewall service (MpsSvc) and its supporting driver must be running to provide the core firewall functionality and to manage the firewall and connection security rules that define how the firewall operates. When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures in starting the required software components, or when the components stop operating due to a failure.
Note: Because the Windows Firewall services applies Windows service hardening rules to standard Windows Networking services, Microsoft does not support stopping the Windows Firewall service. If you do not want to use Windows Firewall, turn the firewall features off without stopping the service.
Events
| Event ID | Source | Message |
|---|---|---|
Microsoft-Windows-Windows Firewall with Advanced Security |
The following settings were applied to the Windows Firewall at startup %tCurrent Profile:%t%1 %tIPsec SA Idle time:%t%2 %tIPsec preshared key encoding:%t%3 %tIPsec Exempt:%t%4 %tIPsec CRL Check:%t%5 %tIPsec Through NAT:%t%6 %tPolicy Version Supported:%t%7 %tPolicy Version:%t%8 %tBinary Version Supported:%t%9 %tStateful FTP:%t%10 %tGroup Policy Applied:%t%11 %tRemote Machine Authorization List:%t%12 %tRemote User Authorization List:%t%13 |
|
Microsoft-Windows-Windows Firewall with Advanced Security |
The following per profile settings were applied by Windows Firewall %tProfile:%t%1 %tOperational Mode:%t%2 %tStealth Mode:%t%3 %tBlock all Incoming Connections:%t%4 %tUnicast response to multicast broadcast:%t%5 %tLog dropped packets:%t%6 %tLog successful connections:%t%7 %tLog ignored rules:%t%8 %tInbound Notifications:%t%9 %tAllow Local Policy Merge:%t%12 %tAllow Local IPsec Policy Merge:%t%13 %tDefault Outbound Action:%t%14 %tDefault Inbound Action:%t%15 %tRemote Administration:%t%16 %tMaximum Log file size:%t%17 %tLog File path:%t%18 %tAllow User preferred merge of Authorized Applications:%t%10 %tAllow User preferred merge of Globally open ports:%t%11 |
|
Microsoft-Windows-Windows Firewall with Advanced Security |
A rule has been listed when the Windows Firewall started. Added Rule: %tRule ID:%t%1 %tRuleName:%t%2 %tOrigin:%t%3 %tActive:%t%18 %tDirection:%t%6 %tProfiles:%t%11 %tAction:%t%10 %tApplication Path:%t%4 %tService Name:%t%5 %tProtocol:%t%7 %tSecurity Options:%t%21 %tEdge Traversal:%t%19 %tModifying User:%t%22 %tModifying Application:%t%23" |
|
Microsoft-Windows-Security-Auditing |
The following policy was active when the Windows Firewall started. Group Policy Applied:%t%1 Profile Used:%t%2 Operational mode:%t%3 Allow Remote Administration:%t%4 Allow Unicast Responses to Multicast/Broadcast Traffic:%t%5 Security Logging: %tLog Dropped Packets:%t%6 %tLog Successful Connections:%t%7 |
|
Microsoft-Windows-Security-Auditing |
A rule was listed when the Windows Firewall started. %t Profile used:%t%1 Rule: %tRule ID:%t%2 %tRule Name:%t%3 |
|
Microsoft-Windows-Security-Auditing |
The Windows Firewall Service has started successfully. | |
Microsoft-Windows-Security-Auditing |
The Windows Firewall Service has been stopped. | |
Microsoft-Windows-Security-Auditing |
The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. Error Code:%t%1 |
|
Microsoft-Windows-Security-Auditing |
The Windows Firewall Service failed to start. Error Code:%t%1 |
|
Microsoft-Windows-Security-Auditing |
The Windows Firewall Driver has started successfully. | |
Microsoft-Windows-Security-Auditing |
The Windows Firewall Driver has been stopped. | |
Microsoft-Windows-Security-Auditing |
The Windows Firewall Driver failed to start. Error Code:%t%1 |
|
Microsoft-Windows-Security-Auditing |
The Windows Firewall Driver detected critical runtime error. Terminating. Error Code:%t%1 |