Jaa


4953(F): Windows Firewall ignored a rule because it couldn't be parsed.

Event 4953 illustration

Subcategory: Audit MPSSVC Rule-Level Policy Change

Event Description:

This event generates if Windows Firewall wasn't able to parse Windows Firewall rule for some reason.

It can happen if Windows Firewall rule registry entry was corrupted.

Note  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4953</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>13571</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8010000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-07T22:03:40.261507200Z" /> 
 <EventRecordID>1052340</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="524" ThreadID="5088" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="Profile">All</Data> 
 <Data Name="ReasonForRejection">An error occurred.</Data> 
 <Data Name="RuleId">{08CBB349-D158-46BE-81E1-2ABC59BDD523}</Data> 
 <Data Name="RuleName">-</Data> 
 </EventData>
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Profile [Type = UnicodeString]: the name of the profile of the ignored rule. Possible values are:

  • All

  • Domain, Public

  • Domain, Private

  • Private, Public

  • Public

  • Domain

  • Private

Reason for Rejection [Type = UnicodeString]: the reason, why the rule was ignored.

Rule:

  • ID [Type = UnicodeString]: the unique identifier for ignored firewall rule.

    To see the unique ID of the rule, navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:

Registry Editor FirewallRules key illustration
  • Name [Type = UnicodeString]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (wf.msc), check “Name” column:
Windows Firewall with Advanced Security illustration

Security Monitoring Recommendations

For 4953(F): Windows Firewall ignored a rule because it couldn't be parsed.

  • This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.