4947(S): A change has been made to Windows Firewall exception list. A rule was modified.

  • Article
Event 4947 illustration

Subcategory: Audit MPSSVC Rule-Level Policy Change

Event Description:

This event generates when Windows Firewall rule was modified.

This event doesn't generate when Firewall rule was modified via Group Policy.

Note  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4947</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>13571</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-03T20:27:22.485152000Z" /> 
 <EventRecordID>1050908</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="500" ThreadID="3796" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="ProfileChanged">All</Data> 
 <Data Name="RuleId">{F2649D59-1355-4E3C-B886-CDD08B683199}</Data> 
 <Data Name="RuleName">Allow All Rule</Data> 
 </EventData>
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Profile Changed [Type = UnicodeString]: the list of profiles to which changed rule is applied. Examples:

  • All

  • Domain,Public

  • Domain,Private

  • Private,Public

  • Public

  • Domain

  • Private

Modified Rule:

  • Rule ID [Type = UnicodeString]: the unique identifier for modified firewall rule.

    To see the unique ID of the rule, navigate to the“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:

Registry Editor FirewallRules key illustration
  • Rule Name [Type = UnicodeString]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (wf.msc), check “Name” column:
Windows Firewall with Advanced Security illustration

Security Monitoring Recommendations

For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.

  • This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.