Event ID 2011 — Firewall Service Block Notifications

Applies To: Windows Server 2008 R2

Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. This notification is turned on by default in Windows Vista, and turned off by default in Windows Server 2008.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports when applications are blocked by the firewall.

Event Details

Product: Windows Operating System
ID: 2011
Source: Microsoft-Windows-Windows Firewall with Advanced Security
Version: 6.1
Symbolic Name: WFUnableToShowQueryUserNotificationEvent
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason:%t%t%1
Application Path:%t%2
IP Version:%t%3
Protocol:%t%4
Port:%t%t%5
Process Id:%t%6
User:%t%t%7

Resolve

Check your network applications to ensure proper operation

The presence of this event at or near computer startup, or for non-interactive system processes, is normal and typically does not indicate an error condition. Many network services run as non-interactive processes that cannot access the user session, and therefore cannot display the block notification.

The message in the event includes a Reason code. Refer to the following list for the possible values.

  1. The application that was blocked is a system service.
  2. The application that was blocked is running in a non-interactive process.
  3. The firewall is off, and the application is allowed.
  4. The application is block listed.
  5. The session is inactive.
  6. An unknown error occurred.
  7. All inbound connections are disallowed.
  8. Inbound notifications are not enabled.
  9. All inbound connections are disallowed and inbound notifications are not enabled.
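The following PowerShell script is an added example and is not part of the Microsoft page. It maps the Reason codes listed above to their descriptions, parses the field layout of the event message template (Reason, Application Path, IP Version, Protocol, Port, Process Id, User) and flags the cases the page describes as normal (codes 1 and 2). The sample message is constructed, not a captured event, and the event log name used for the live query is an assumption based on the provider name given in Event Details.

```powershell
# Added example (not from the Microsoft page): decode Event ID 2011 entries.

$ReasonText = @{
    1 = 'The application that was blocked is a system service.'
    2 = 'The application that was blocked is running in a non-interactive process.'
    3 = 'The firewall is off, and the application is allowed.'
    4 = 'The application is block listed.'
    5 = 'The session is inactive.'
    6 = 'An unknown error occurred.'
    7 = 'All inbound connections are disallowed.'
    8 = 'Inbound notifications are not enabled.'
    9 = 'All inbound connections are disallowed and inbound notifications are not enabled.'
}

function ConvertFrom-FirewallBlockMessage {
    # Parse the 'Label:<tab>value' lines that the event message template produces.
    param([Parameter(Mandatory=$true)][string]$Message)

    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(Reason|Application Path|IP Version|Protocol|Port|Process Id|User):\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # A missing or non-numeric Reason field decodes to 0 (unrecognized).
    $code = 0
    [void][int]::TryParse($fields['Reason'], [ref]$code)

    $reason = 'Unrecognized reason code'
    if ($ReasonText.ContainsKey($code)) { $reason = $ReasonText[$code] }

    New-Object PSObject -Property @{
        ReasonCode  = $code
        Reason      = $reason
        Application = $fields['Application Path']
        IPVersion   = $fields['IP Version']
        Protocol    = $fields['Protocol']
        Port        = $fields['Port']
        ProcessId   = $fields['Process Id']
        User        = $fields['User']
        # Codes 1 and 2 are the service / non-interactive cases the page calls normal.
        NonInteractive = (@(1, 2) -contains $code)
    }
}

# Constructed sample message in the template layout (not a captured event).
$sample = "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.`r`n`r`n" +
          "Reason:`t`t2`r`nApplication Path:`tC:\Program Files\Example\svc.exe`r`nIP Version:`tIPv4`r`n" +
          "Protocol:`tTCP`r`nPort:`t`t8080`r`nProcess Id:`t1234`r`nUser:`t`tNT AUTHORITY\SYSTEM"

ConvertFrom-FirewallBlockMessage -Message $sample | Format-List ReasonCode, Reason, Application, Port, NonInteractive

# Live query: list recent 2011 events that are NOT the expected non-interactive cases.
# The log name below is assumed from the provider name on the page.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2011
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-FirewallBlockMessage -Message $_.Message } |
    Where-Object { -not $_.NonInteractive } |
    Format-Table ReasonCode, Reason, Application, Port -AutoSize
```

Filtering on the decoded code rather than on the raw message lets you separate the expected startup noise (codes 1 and 2) from entries worth a second look, such as a block-listed application (code 4) or an interactive process that was blocked while notifications were disabled (code 8).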

If you turn inbound notifications off, Windows no longer automatically creates firewall rules after notifying you and getting permission. This means that you must manually enable or create firewall rules for all applications that require inbound unsolicited network traffic.

To turn off block notifications by using the Firewall Microsoft Management Console (MMC) snap-in:

  1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, make sure that it is for an action you want, and then click Continue.
  3. In the navigation pane of the snap-in, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
  4. In the Properties dialog box, click the Domain, Private, or Public tab for the network location type that you want to modify.
  5. In the Settings section, click Customize.
  6. In the Firewall settings section, next to Display a notification, the current setting is displayed.
  7. Click No, and then click OK to close the dialog box.
  8. Close the MMC snap-in.

If you need to re-enable notifications, follow the same steps, but select Yes in step 7.

To turn off block notifications by using the netsh advfirewall command-line tool:

  • At a command prompt with administrator permissions, type the command:

    netsh advfirewall set profile settings inboundusernotification disable

    where profile is one of the following values: allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile.

If you need to re-enable notifications, follow the same step, but change disable to enable.

Verify

By default, on Windows Server 2008, user notifications about blocked applications are disabled, and all notifications are made by using the security audit events only.

By default, on Windows Vista, Windows Firewall is configured to notify the user that an application has been blocked, and it prompts the user to take one of the following actions: "Keep Blocking," "Allow," or "Ask me later." The "Ask me later" option continues blocking the application, but causes the user prompt to display again the next time the application starts.

To verify the setting by using the Firewall Microsoft Management Console (MMC) snap-in:

  1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, make sure that it is for an action you want, and then click Continue.
  3. In the navigation pane of the snap-in, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
  4. In the Properties dialog box, click the Domain, Private, or Public tab for the network location type that you want to modify.
  5. In the Settings section, click Customize.
  6. In the Firewall settings section, next to Display a notification, the current setting is displayed.
  7. If you need to change the setting, click the button, select either Yes (default) or No, and then click OK to close the dialog box.

To verify the setting by using the netsh advfirewall command-line tool:

  1. At a command prompt with administrator permissions, type the command:

    netsh advfirewall show allprofiles settings

  2. In the output section of each profile, look for the InboundUserNotification value. It will say Enable or Disable.

  3. If you need to change the setting, type the following command:

    netsh advfirewall set profile settings inboundusernotification value

    where profile is one of the following values: allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile, and value is either enable or disable.
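The following PowerShell functions are an added example, not part of the Microsoft page, wrapping the two netsh advfirewall commands given in the Resolve and Verify sections. The parser turns the output of "netsh advfirewall show allprofiles settings" into one object per profile; the sample output it is demonstrated on is constructed and the exact column layout of real netsh output is an assumption. The Set function restricts the profile and value arguments to the values the page lists.

```powershell
# Added example (not from the Microsoft page): query and change InboundUserNotification.

function ConvertFrom-NetshProfileSettings {
    # Parse 'netsh advfirewall show allprofiles settings' output into objects,
    # tracking which "<Name> Profile Settings:" header each setting line belongs to.
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^InboundUserNotification\s+(\w+)') {
            New-Object PSObject -Property @{
                Profile                 = $current
                InboundUserNotification = $Matches[1]
            }
        }
    }
}

function Get-InboundUserNotification {
    # Query the live firewall service; run from an elevated prompt.
    $output = & netsh advfirewall show allprofiles settings
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    ConvertFrom-NetshProfileSettings -Lines $output
}

function Set-InboundUserNotification {
    # Same command as on the page; ValidateSet limits arguments to the documented values.
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('allprofiles', 'currentprofile', 'domainprofile', 'privateprofile', 'publicprofile')]
        [string]$ProfileName,

        [Parameter(Mandatory=$true)]
        [ValidateSet('enable', 'disable')]
        [string]$Value
    )
    & netsh advfirewall set $ProfileName settings inboundusernotification $Value
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

# Constructed sample of the netsh output layout (not captured from a real host).
$sampleOutput = @(
    'Domain Profile Settings:',
    '----------------------------------------------------------------------',
    'LocalFirewallRules                    N/A (GPO-store only)',
    'InboundUserNotification               Enable',
    '',
    'Private Profile Settings:',
    '----------------------------------------------------------------------',
    'InboundUserNotification               Disable',
    '',
    'Public Profile Settings:',
    '----------------------------------------------------------------------',
    'InboundUserNotification               Disable',
    ''
)
ConvertFrom-NetshProfileSettings -Lines $sampleOutput | Format-Table Profile, InboundUserNotification -AutoSize

# On a live server (elevated), report the current values, then for example
# disable notifications on the domain profile only:
#   Get-InboundUserNotification
#   Set-InboundUserNotification -ProfileName domainprofile -Value disable
```

Because the Set function shells out to the same netsh command the page documents, re-enabling later is the same call with -Value enable; reading the setting back with Get-InboundUserNotification afterwards is the scripted equivalent of step 2 in the Verify section.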

For more information

Firewall Service Block Notifications

Windows Firewall with Advanced Security