I have been poking around the interwebs but I cannot seem to find a definitive answer to this question. I am forced to work with PowerShell v2. I know that using the following command will give me a list of all the firewall rules:
netsh advfirewall firewall show rule name=all
However it gets me output like this:
Rule Name: Core Networking - Teredo (ICMPv6-In)
---------- ------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping: Core Networking
LocalIP: Any
RemoteIP: Any
Protocol: ICMPv6
Type Code
128 Any
Edge traversal: No
Action: Allow
What I need to find though is the exact time the rule was created/enabled. Is this possible? Or, alternatively, is there a way to set up temporary(timed) Windows firewall rules?
EDIT: It seems there really isn't a way to do this with netsh or a firewall-specific PowerShell v2 cmdlet; however, I believe my solution might lie in the /Applications and Services Logs/Microsoft/Windows/Windows Firewall With Advanced Security/Firewall log under Event IDs 2004/2006.
Edit: The following command can be used to view Instance ID 2004 (A rule has been added to the firewall...):
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.ID -eq "2004"}
Edit: The following command is the fastest way to gather this information as far as Measure-Command -Expression is concerned. You can modify the start/end time or remove it altogether if you'd like:
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"; id=2004; StartTime=(Get-Date).AddMinutes(-5); EndTime=Get-Date}
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 166
Ticks : 1662222
TotalDays : 1.92386805555556E-06
TotalHours : 4.61728333333333E-05
TotalMinutes : 0.00277037
TotalSeconds : 0.1662222
TotalMilliseconds : 166.2222
And gets you output like this (you can get the full message text by piping it to something like Format-List):
ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
4/28/2014 2:42:26 PM 2004 Information A rule has been added to the Windows Firewall exception list....
4/28/2014 11:56:43 AM 2004 Information A rule has been added to the Windows Firewall exception list....
The updated question would be this: Is there a way to get this information and, instead of the Message column, get the Rule Name? (Format-List output below.)
TimeCreated : 4/28/2014 10:50:54 AM
ProviderName : Microsoft-Windows-Windows Firewall With Advanced Security
Id : 2004
Message : A rule has been added to the Windows Firewall exception list.
Added Rule:
Rule ID: ...
Rule Name: Dummy rule
Origin: Local
Active: Yes
Direction: Inbound
Profiles: Private,Domain, Public
Action: Block
Application Path:
Service Name:
Protocol: Any
Security Options: None
Edge Traversal: None
Modifying User: ...
Modifying Application: ...
Expected output would be something like this:
TimeCreated Rule Name
----------- ---------
4/28/2014 2:42:26 PM Dummy rule
4/28/2014 11:56:43 AM Dummy rule
Erm, your second edit is the answer, right? Just in case you're looking for a way to view the creation time:
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.ID -eq "2004"} | Foreach-Object {$_.TimeCreated}
– nixda – 2014-04-28T19:01:18.997
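One way to get the "TimeCreated / Rule Name" table the question asks for, building on the Get-WinEvent query in the second edit and the TimeCreated projection in nixda's comment: pull the rule name (and the modifying user, which the Format-List output above shows is also in the message) out of each event's Message text with a regex. This is an added example, not code from the question or the comment. It assumes the message layout shown in the question's Format-List output ("Rule Name: ...", "Modifying User: ..." on their own lines); the meaning given to ID 2006 (rule deleted) is my assumption, since the page only documents 2004. The syntax avoids v3-only features ([PSCustomObject], -in) so it runs under PowerShell v2.

```powershell
# Added example: audit Windows Firewall rule changes by rule name.
# Not from the original question; assumes the event message layout shown above.
param(
    [int]$LookbackMinutes = 60
)

$logName = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

# 2004 = rule added (documented on the page).
# 2006 = rule deleted (assumption; the page only names the ID).
$eventMeaning = @{ 2004 = "Added"; 2006 = "Deleted" }

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $logName
    Id        = 2004, 2006
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Multiline so ^/$ match per line inside the multi-line Message text;
# trailing \s* swallows the \r before \n on Windows line endings.
$ruleNameRegex = New-Object System.Text.RegularExpressions.Regex('^\s*Rule Name:\s*(.+?)\s*$', 'Multiline')
$userRegex     = New-Object System.Text.RegularExpressions.Regex('^\s*Modifying User:\s*(.+?)\s*$', 'Multiline')

function Get-Capture($regex, $text) {
    # Returns the first capture group or a marker when the line is absent,
    # so a malformed/unexpected message does not silently become an empty name.
    $m = $regex.Match($text)
    if ($m.Success) { $m.Groups[1].Value } else { "<not parsed>" }
}

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        TimeCreated   = $e.TimeCreated
        Id            = $e.Id
        Change        = $eventMeaning[[int]$e.Id]
        RuleName      = Get-Capture $ruleNameRegex $e.Message
        ModifyingUser = Get-Capture $userRegex $e.Message
    }
}

# Select-Object fixes the column order (hashtable property order is not stable in v2).
$rows | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Change, RuleName, ModifyingUser |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it with, for example, `.\Get-FirewallRuleChanges.ps1 -LookbackMinutes 1440` to cover the last day. Because the FilterHashtable query is evaluated by the event log service rather than by Where-Object on the pipeline, it keeps the speed advantage the question measured; the regex work is done only on the events that pass the filter. The Modifying User column is the piece a defender usually wants next to the rule name, since it tells you which account (or service) added or removed the exception.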