Is there any way to see when a Windows firewall rule was created/enabled using PowerShell v2 or CMD?

I have been poking around the interwebs but I cannot seem to find a definitive answer to this question. I am forced to work with PowerShell v2. I know that using the following command will give me a list of all the firewall rules:

netsh advfirewall firewall show rule name=all

However it gets me output like this:

Rule Name:                            Core Networking - Teredo (ICMPv6-In)
----------                            ------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             ICMPv6
                                      Type    Code
                                      128     Any 
Edge traversal:                       No
Action:                               Allow

What I need to find though is the exact time the rule was created/enabled. Is this possible? Or, alternatively, is there a way to set up temporary(timed) Windows firewall rules?

EDIT: It seems there really isn't a way to do this with netsh or a firewall-specific PowerShell v2 cmdlet; however, I believe my solution might lie in the /Applications and Services Logs/Microsoft/Windows/Windows Firewall With Advanced Security/Firewall log under Event IDs 2004/2006.

Edit: The following command can be used to view Instance ID 2004 (A rule has been added to the firewall...):

Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.ID -eq "2004"}

Edit: The following command is the fastest way to gather this information as far as Measure-Command -Expression is concerned. You can modify the start/end time or remove it altogether if you'd like:

Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"; id=2004; StartTime=(Get-Date).AddMinutes(-5); EndTime=Get-Date}

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 166
Ticks             : 1662222
TotalDays         : 1.92386805555556E-06
TotalHours        : 4.61728333333333E-05
TotalMinutes      : 0.00277037
TotalSeconds      : 0.1662222
TotalMilliseconds : 166.2222

And gets you output like this (you can get the full message text by piping it to something like Format-List):

     ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
4/28/2014 2:42:26 PM          2004 Information      A rule has been added to the Windows Firewall exception list....
4/28/2014 11:56:43 AM         2004 Information      A rule has been added to the Windows Firewall exception list....

The updated question would be this: Is there a way to get this information and, instead of the Message column, get the Rule Name (Format-List output below)?

TimeCreated  : 4/28/2014 10:50:54 AM
ProviderName : Microsoft-Windows-Windows Firewall With Advanced Security
Id           : 2004
Message      : A rule has been added to the Windows Firewall exception list.

           Added Rule:
               Rule ID:    ...
               Rule Name:    Dummy rule
               Origin:    Local
               Active:    Yes
               Direction:    Inbound
               Profiles:    Private,Domain, Public
               Action:    Block
               Application Path:
               Service Name:
               Protocol:    Any
               Security Options:    None
               Edge Traversal:    None
               Modifying User:    ...
               Modifying Application:    ...

Expected output would be something like this:

TimeCreated                     Rule Name
-----------                     ---------
4/28/2014 2:42:26 PM            Dummy rule
4/28/2014 11:56:43 AM           Dummy rule

beardedeagle

Posted 2014-04-28T17:10:53.013

Reputation: 176

Erm, your second edit is the answer, right? Just in case you're looking for a way to view the creation time: Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.ID -eq "2004"} | Foreach-Object {$_.TimeCreated} – nixda – 2014-04-28T19:01:18.997

Answers

It's been at least a day so I assume it's ok to answer my own question (I think I asked this question in the wrong place, probably more suited for Stack Overflow):

# Pull every "rule added" (2004) event from the firewall log.
$Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"; id=2004}

ForEach ($Event in $Events) {
    # The event's XML carries each message field as <Data Name="...">value</Data>.
    $eventXML = [xml]$Event.ToXml()
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        # Attach each Data element to the event object as a property named after it
        # (so RuleName, Origin, Direction, ... become selectable properties).
        Add-Member -InputObject $Event -MemberType NoteProperty -Force `
            -Name  $eventXML.Event.EventData.Data[$i].name `
            -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}

$Events | Format-Table -Property TimeCreated,RuleName -AutoSize

Output looks exactly like what I wanted:

TimeCreated           RuleName
-----------           --------
4/28/2014 2:42:26 PM  Dummy Rule
4/28/2014 11:56:43 AM Dummy Rule

Hope this helps someone in the future. Thanks.

beardedeagle

Posted 2014-04-28T17:10:53.013

Reputation: 176
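Building on the question's last two edits and the answer above, here is an added example (not code from the original post) that wraps the same XML parsing in a PowerShell v2 compatible function covering both the "rule added" (2004) and "rule deleted" (2006) events and reporting who made the change. It assumes the EventData Name attributes match the message labels with spaces removed (RuleName is confirmed by the answer; ModifyingUser, ModifyingApplication, Direction and Action are assumed) and that the log name is the one used throughout the question.

```powershell
# Added example: audit firewall rule additions (2004) and deletions (2006)
# from the Windows Firewall event log, with the rule name and the account
# that made the change. Written for PowerShell v2 (no [pscustomobject]).
# Assumption: <Data Name="..."> attributes equal the message labels without
# spaces; some fields (Direction, Action) may be numeric codes in the XML
# rather than the words shown in the rendered message.
function Get-FirewallRuleChange {
    param(
        [int]$Hours = 24,          # how far back to look
        [string]$RuleName = '*'    # wildcard filter on the rule name
    )
    $log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $log
        Id        = 2004, 2006
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($event in $events) {
        # Each <Data Name="X">value</Data> node becomes a key in $fields.
        # @() guards against a single Data node not being an array.
        $xml    = [xml]$event.ToXml()
        $fields = @{}
        foreach ($data in @($xml.Event.EventData.Data)) {
            $fields[$data.Name] = $data.'#text'
        }
        if ($fields['RuleName'] -notlike $RuleName) { continue }
        $change = if ($event.Id -eq 2004) { 'Added' } else { 'Deleted' }
        # New-Object + Add-Member keeps the property order on v2.
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty TimeCreated          $event.TimeCreated
        $obj | Add-Member NoteProperty Change               $change
        $obj | Add-Member NoteProperty RuleName             $fields['RuleName']
        $obj | Add-Member NoteProperty Direction            $fields['Direction']
        $obj | Add-Member NoteProperty Action               $fields['Action']
        $obj | Add-Member NoteProperty ModifyingUser        $fields['ModifyingUser']
        $obj | Add-Member NoteProperty ModifyingApplication $fields['ModifyingApplication']
        $obj
    }
}

# Usage: rule changes in the last day, newest first.
Get-FirewallRuleChange -Hours 24 | Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Change, RuleName, Direction, Action, ModifyingUser -AutoSize

# Quick review aid: which accounts changed rules over the past week.
Get-FirewallRuleChange -Hours 168 | Group-Object ModifyingUser |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

An unexpected account or application showing up in the ModifyingUser/ModifyingApplication columns is the detail worth chasing when a rule appears that nobody remembers creating.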