Event ID 2073 — A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2073,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2026-03-11T06:32:02.846978+00:00",
    "event_record_id": 1566,
    "correlation": {
      "ActivityID": "BD42C297-A749-4662-942F-72276C54015A"
    },
    "execution": {
      "process_id": 3120,
      "thread_id": 3720
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "WSLCore-SharedAccess-Allow-Rule",
    "RuleName": "WSLCore SharedAccess Allow Rule",
    "Origin": 3,
    "ApplicationPath": "C:\\Windows\\System32\\svchost.exe",
    "ServiceName": "SharedAccess",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "53",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": 544,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md