5034(S): The Windows Firewall Driver was stopped.

Subcategory: Audit Other System Events

Event Description:

This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) was stopped.

This event is NOT logged during the operating system shutdown process.

Note  For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>5034</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>12292</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-13T23:40:55.482270000Z" /> 
 <EventRecordID>1101856</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="4" ThreadID="140" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
 <EventData /> 
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Security Monitoring Recommendations

For 5034(S): The Windows Firewall Driver was stopped.

• This event is NOT logged during the operating system shutdown process.

• You should not see this event during normal operating system operations, so we recommend that when it occurs, you investigate why the Windows Firewall driver was stopped.