
[SOLVED] Windows Firewall exception list (?) Is this for real?

Anonymous
2018-10-15T02:30:43+00:00

===== SOLUTION =====

1st (to remove any confusion), the "exceptions" I cite, though they are from Event Viewer, are not code execution exceptions (such as memory bounds violations or stack violations or illegal operands). "Exception" is simply the word Event Viewer is using to refer to firewall rules.

2nd, "Windows Defender Firewall exception list" appears to simply be bad wording. The word "exception" implies that it counteracts or countermands some previously established rule, but such is simply not the case -- especially, the rule-creation shown below has nothing to do with a rule Override. (Note: What exactly a rule Override is, is not known, and since the Windows Firewall is undocumented, I suppose it never will be known.)

===== BEGIN ORIGINAL THREAD =====

From the Event Viewer, 'Applications and Services Logs', 'Microsoft', 'Windows', 'Windows Firewall With Advanced Security' event below, it appears that, in addition to the Inbound & Outbound Rules of which some of us (me) are familiar, there's also such a thing as a Windows Firewall exception list (note "Description", in the event, below). How can I learn more about this exception list?

Log Name:      Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Source:        Microsoft-Windows-Windows Firewall With Advanced Security
Date:          18/10/14 16:07:58
Event ID:      2004
Task Category: None
Level:         Information
Keywords:      (2199023255552)
User:          LOCAL SERVICE
Computer:      LAPTOP-FGMHQKQ8
Description:
A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
    Rule ID:    {1533CB76-A11F-43B1-A55E-B565513255AA}
    Rule Name:    WinDefend Outbound for TCP
    Origin:    Local
    Active:    Yes
    Direction:    Outbound
    Profiles:    Private,Domain, Public
    Action:    Allow
    Application Path:    C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe
    Service Name:    WinDefend
    Protocol:    TCP
    Security Options:    None
    Edge Traversal:    None
    Modifying User:    SYSTEM
    Modifying Application:    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}" />
    <EventID>2004</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000020000000000</Keywords>
    <TimeCreated SystemTime="2018-10-14T20:07:58.277793900Z" />
    <EventRecordID>6888</EventRecordID>
    <Correlation />
    <Execution ProcessID="2056" ThreadID="4740" />
    <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
    <Computer>LAPTOP-FGMHQKQ8</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="RuleId">{1533CB76-A11F-43B1-A55E-B565513255AA}</Data>
    <Data Name="RuleName">WinDefend Outbound for TCP</Data>
    <Data Name="Origin">1</Data>
    <Data Name="ApplicationPath">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe</Data>
    <Data Name="ServiceName">WinDefend</Data>
    <Data Name="Direction">2</Data>
    <Data Name="Protocol">6</Data>
    <Data Name="LocalPorts">*</Data>
    <Data Name="RemotePorts">*</Data>
    <Data Name="Action">3</Data>
    <Data Name="Profiles">2147483647</Data>
    <Data Name="LocalAddresses">*</Data>
    <Data Name="RemoteAddresses">*</Data>
    <Data Name="RemoteMachineAuthorizationList">
    </Data>
    <Data Name="RemoteUserAuthorizationList">
    </Data>
    <Data Name="EmbeddedContext">
    </Data>
    <Data Name="Flags">1</Data>
    <Data Name="Active">1</Data>
    <Data Name="EdgeTraversal">0</Data>
    <Data Name="LooseSourceMapped">0</Data>
    <Data Name="SecurityOptions">0</Data>
    <Data Name="ModifyingUser">S-1-5-18</Data>
    <Data Name="ModifyingApplication">C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe</Data>
    <Data Name="SchemaVersion">540</Data>
    <Data Name="RuleStatus">65536</Data>
    <Data Name="LocalOnlyMapped">0</Data>
  </EventData>
</Event>


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


Answer accepted by question author

Anonymous
2018-10-15T11:37:01+00:00

Hi,

Thank you for writing to Microsoft Community Forums.

As the issue is related to event logs on Windows Firewall Exception list, please post your question in “TechNet”.

Hope it helps.

Aaron Summith

Microsoft Community - Moderator


9 additional answers

  1. Anonymous
    2018-10-16T02:42:20+00:00

    Well, a Windows log file is being written...

    BINGO!

    'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' is being written every 13 seconds, as 2 writes with less than a millisecond between them.

    So, the system is completely closing the firewall for less than a millisecond every 13 seconds. What do you conjecture it's doing? I'm at a loss.

    PS: Actually, the interval is EXACTLY 13 seconds (100 nanosecond resolution), and the action is usually 2 'pfirewall.log' writes, but sometimes it's as many as 7 writes, and every once in a while, just a single write.

    PPS: Even in the 7-writes scenario, they are completed in about 700 microseconds!

  2. Anonymous
    2018-10-15T16:57:16+00:00

    Hi Aaron,

    Kindly answer this for me: What sort of questions are best asked here, and what sort of questions are best asked in Technet?

    Is there a demarcation between Community and Technet?

    Of course, links to guidelines are welcome.

  3. Anonymous
    2018-10-15T20:24:29+00:00

    Howdy, RA!

    ... FWIW I don't have that one ...

    Oh, I believe you do. If you investigate, you'll find you have all sorts of mystery events. You seem a fairly technical guy...

    ***** Do you know how I can capture the calling arguments to 'svchost.exe' when it provoked the 2 events below?

    Here are the 2 events.


    Date:          18/10/14 21:32:21
    Event ID:      2004
    Task Category: None
    User:          LOCAL SERVICE
    Description: A rule has been added to the Windows Defender Firewall exception list.
    Added Rule:
      Rule ID:  {8C132C3C-D217-4ADD-BDA5-486FC8FAD2E9}
      Rule Name:  WARP_JIT_a1422270-4157-4ea3-8fdb-99e6c1be63c6
      Origin: Local
      Active: Yes
      Direction:  Outbound
      Profiles: Private,Domain, Public
      Action: Block
      Application Path:
      Service Name:
      Protocol: Any
      Security Options: None
      Edge Traversal: None
      Modifying User: NT SERVICE\mpssvc
      Modifying Application:  C:\WINDOWS\System32\svchost.exe

    Date:          18/10/14 21:32:21
    Event ID:      2006
    Task Category: None
    User:          LOCAL SERVICE
    Description: A rule has been deleted in the Windows Defender Firewall exception list.
    Deleted Rule:
      Rule ID:  {8C132C3C-D217-4ADD-BDA5-486FC8FAD2E9}
      Rule Name:  WARP_JIT_a1422270-4157-4ea3-8fdb-99e6c1be63c6
      Modifying User: NT SERVICE\mpssvc
      Modifying Application:  C:\WINDOWS\System32\svchost.exe


    Note that, for simplicity, I've removed the 'Event Xml' entry fields and a few other fields. Note that the 'WARP_JIT_a1422270-4157-4ea3-8fdb-99e6c1be63c6' rule is a blocker!!! And note that it's blocking everything!!! Hmmm... a momentary block of everything that's outbound. And there's also an inbound blocker!!!

    The sequence is:

    Block everything inbound

    Block everything outbound

    (do ...something...)

    Unblock everything outbound

    Unblock everything inbound

    What do you suppose the process that launches 'svchost.exe' to make these momentary firewall changes is doing?

    I conducted an experiment: I created a firewall rule that blocked 'svchost.exe' from making firewall rules.

    The result: My networking died a few minutes later.

    ***** Do you know how I can capture the calling arguments to 'svchost.exe' when it provoked the 2 events above?

    I do know how to use Sysinternals Process Explorer to capture things, but the 'WARP_JIT_a1422270-4157-4ea3-8fdb-99e6c1be63c6' rule above exists for less than a second, so capturing the 'svchost.exe' command line with Process Explorer would be nigh impossible. I could use Task Scheduler with a clever trigger that fires on a 2006 event, but I can't come up with a task action that would capture the process # or the process command line (with calling arguments).

    Do you have any ideas?

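An added example, not code from this thread or from Microsoft: a Python decoder for exported Firewall/2004 (rule added) and 2006 (rule deleted) events. It maps the numeric EventData codes to the labels Event Viewer shows in the Description (as in the original post's event), pairs each deletion with its addition by RuleId, and flags block-everything rules that lived for under a second, which is the WARP_JIT add/delete pattern described in the post above. The code values not visible in this thread (Inbound, Block, Any, the profile bits), the helper names and the sample timestamps are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The thread's 2004 event pairs Direction 2 = Outbound, Protocol 6 = TCP, Action 3 = Allow and
# Profiles 2147483647 = all profiles; Inbound 1, Block 2, Any 256 and the profile bits are assumptions.
LABELS = {"Direction": {1: "Inbound", 2: "Outbound"}, "Action": {2: "Block", 3: "Allow"},
          "Protocol": {6: "TCP", 17: "UDP", 256: "Any"}}
PROFILE_BITS = {1: "Domain", 2: "Private", 4: "Public"}
def parse_event(xml_text):
    # EventID, creation time and EventData of one exported event; codes become Event Viewer's labels.
    root = ET.fromstring(xml_text)
    base, frac = root.find("e:System/e:TimeCreated", NS).get("SystemTime").rstrip("Z").split(".")
    data = {d.get("Name"): (d.text or "").strip() for d in root.iterfind("e:EventData/e:Data", NS)}
    for field, names in LABELS.items():
        if field in data:
            data[field] = names.get(int(data[field]), data[field])
    if "Profiles" in data:
        data["Profiles"] = [n for b, n in PROFILE_BITS.items() if int(data["Profiles"]) & b]
    return {"id": int(root.find("e:System/e:EventID", NS).text), "data": data,  # 100 ns stamp -> us
            "time": datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=int(frac[:6]))}

def rule_lifetimes(xml_events):
    # Pair each 2006 (rule deleted) with its 2004 (rule added) by RuleId; lifetime in seconds.
    added, out = {}, []
    for ev in map(parse_event, xml_events):
        rid = ev["data"]["RuleId"]
        if ev["id"] == 2004:
            added[rid] = ev
        elif ev["id"] == 2006 and rid in added:
            add = added.pop(rid)
            out.append(dict(add["data"], LifetimeSeconds=(ev["time"] - add["time"]).total_seconds()))
    return out

def transient_block_all(xml_events, max_seconds=1.0):
    # Block rules with no application path (so they match every program) that lived under max_seconds.
    return [r for r in rule_lifetimes(xml_events) if r["Action"] == "Block"
            and r["ApplicationPath"] == "" and r["LifetimeSeconds"] < max_seconds]

def make_event(event_id, when, **data):
    # Constructed single-line export built from the thread's values; not a live log.
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{items}</EventData></Event>')
WARP, SVCHOST = "{8C132C3C-D217-4ADD-BDA5-486FC8FAD2E9}", r"C:\WINDOWS\System32\svchost.exe"
SAMPLE = [  # the 412 ms gap between add and delete is a constructed value
    make_event(2004, "2018-10-15T01:32:21.000000000Z", RuleId=WARP, Direction=2, Protocol=256, Action=2,
               Profiles=2147483647, ApplicationPath="", ModifyingApplication=SVCHOST,
               RuleName="WARP_JIT_a1422270-4157-4ea3-8fdb-99e6c1be63c6"),
    make_event(2006, "2018-10-15T01:32:21.412000000Z", RuleId=WARP, ModifyingApplication=SVCHOST)]
```

Feeding it the output of an Event Viewer XML export (or `Get-WinEvent ... | ForEach-Object { $_.ToXml() }`) for the Firewall channel gives the same structures for real events.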
  4. Anonymous
    2018-10-15T17:42:00+00:00

    How can I learn more about this exception list?

    Try using PowerShell.

    Show-NetFirewallRule |? Name -match "{1533CB76-A11F-43B1-A55E-B565513255AA}" | fl *

    FWIW I don't have that one, and I don't know where to find out about exceptions, but since you do have one which supposedly is an exception, that one's detailed list of properties presumably could give you a better clue about it.

    Here's something that would make me think that "exceptions" may be a deprecated concept, in which case you would want to be looking for something similar or just with a different name.

    https://support.microsoft.com/en-us/help/947709/how-to-use-the-netsh-advfirewall-firewall-context-instead-of-the-netsh

    (BING search for

        net-firewallrule exception

    )

    Notice that the only instance of the search term occurs under the "Old Command" syntax?

    Good luck

    Robert Aldwinckle

