How to Fix Blank Windows Firewall Logs in Windows Server 2008 R2 (pfirewall.log Empty Issue)



After digging through countless forum threads and Microsoft docs, I found myself staring at two stubbornly empty files: D:\pfirewall.log and D:\pfirewall.log.old. Here's what I discovered about enabling proper Windows Firewall logging without Group Policy.

When Group Policy isn't in use (standalone servers), the per-profile logging settings live under the registry keys below. StandardProfile is the Private profile; PublicProfile has its own key with the same values, and on a standalone server that is often the active one. If Group Policy or Local Security Policy has ever set logging, the copies of these values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\Logging take precedence and have to be changed there instead. Values are written in hex; LogFileSize is in KB (the firewall accepts at most 32767). After importing a .reg file directly, restart the Windows Firewall service (MpsSvc) so it rereads the keys:

Windows Registry Editor Version 5.00

; StandardProfile is the Private profile. LogFileSize is in KB, written in hex:
; 0x1000 = 4096 KB, the same size the netsh/PowerShell examples below use.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging]
"LogFilePath"="D:\\pfirewall.log"
"LogDroppedPackets"=dword:00000001
"LogSuccessfulConnections"=dword:00000001
"LogFileSize"=dword:00001000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging]
"LogFilePath"="D:\\pfirewall.log"
"LogDroppedPackets"=dword:00000001
"LogSuccessfulConnections"=dword:00000001
"LogFileSize"=dword:00001000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging]
"LogFilePath"="D:\\pfirewall.log"
"LogDroppedPackets"=dword:00000001
"LogSuccessfulConnections"=dword:00000001
"LogFileSize"=dword:00001000

The file is opened by the Windows Firewall service (MpsSvc), which runs as NT AUTHORITY\LocalService, not as SYSTEM, so a grant to SYSTEM alone does nothing for it. The identity to grant is the service SID, NT SERVICE\MpsSvc (the default log folder, %systemroot%\system32\LogFiles\Firewall, already carries that grant). It needs modify access to:

  • The target directory (D:\ in this case), with the ACE inheriting to new files so the log and its .old copy pick it up
  • The log file itself (when it already exists), including Delete so the service can rotate it

Verify permissions using PowerShell (the filter matches both the service SID and SYSTEM):

$acl = Get-Acl "D:\pfirewall.log"
$acl.Access | Where-Object { $_.IdentityReference -like "*MpsSvc*" -or $_.IdentityReference -like "*SYSTEM*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

When registry edits feel too raw, use the management tools. Note that Set-NetFirewallProfile (NetSecurity module) only exists from Windows 8 / Windows Server 2012 onward; on Server 2008 R2 the choices are netsh advfirewall or the wf.msc snap-in (profile properties, Logging section).

# PowerShell configuration (Server 2012 and later only)
Set-NetFirewallProfile -Profile Domain,Public,Private -LogFileName "D:\pfirewall.log" -LogMaxSizeKilobytes 4096 -LogAllowed True -LogBlocked True

# Netsh method (works on 2008 R2). Use allprofiles rather than currentprofile:
# currentprofile only changes whichever profile is active right now, so logging
# silently stops when the server switches profile (for example Domain to Public).
netsh advfirewall set allprofiles logging filename D:\pfirewall.log
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

# Read the result back (the Logging section is printed per profile)
netsh advfirewall show allprofiles

The Windows Firewall service (MpsSvc) must be running, and so must what it depends on: the Base Filtering Engine (BFE) and the Windows Firewall Authorization Driver (mpsdrv). sc query shows the state and sc qc lists the dependencies:

sc query mpssvc
sc qc mpssvc

Watch the System event log for Service Control Manager events 7000 (service failed to start), 7001 (a dependency failed) and 7024 (service terminated with a service-specific error) that name the Windows Firewall or Base Filtering Engine service.

Here's how I trapped a logging failure:

# Monitor service starts/stops (the source name contains spaces, so it must be quoted)
Get-EventLog -LogName System -Source "Service Control Manager" -After (Get-Date).AddHours(-1) |
    Where-Object { $_.Message -like "*Windows Firewall*" -or $_.Message -like "*Base Filtering Engine*" } |
    Select-Object TimeGenerated, EventID, Message

# Check for file access errors with Process Monitor (ProcMon). The firewall
# service is hosted in an svchost.exe process, so filter on:
Path contains "pfirewall.log"
Result is ACCESS DENIED
Process Name is svchost.exe

As a last resort, reset the firewall configuration. This removes every custom rule and restores the defaults, so export the current policy first and make sure you still have a way onto the box afterwards:

netsh advfirewall export "D:\fw-before-reset.wfw"
netsh advfirewall reset

Then reconfigure logging and test with a connection you know the policy blocks (or, with allowed-connection logging on, any successful outbound connection). Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later; on 2008 R2 any outbound connection attempt (telnet, a browser, a .NET TcpClient from PowerShell) serves the same purpose:

Test-NetConnection -ComputerName bad.host.com -Port 80

When troubleshooting Windows Firewall on standalone (non-domain-joined) servers, you might encounter empty log files despite configuration that looks correct. The typical symptoms include:

1. pfirewall.log file created but remains 0 bytes
2. pfirewall.log.old file present but empty
3. No errors in Event Viewer related to logging

For standalone servers where the Group Policy Management Console (gpmc.msc) isn't available, logging can still be configured through the wf.msc snap-in, through netsh advfirewall, or directly in the registry. The direct route is shown here. Two things to keep in mind: any copies of these values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall (written by Group Policy or Local Security Policy) take precedence over them, and the Windows Firewall service must be restarted after a direct registry write so it rereads the keys:

Windows Registry Editor Version 5.00

; LogFileSize is in KB, written in hex: 0x1000 = 4096 KB (maximum 32767 KB).
; StandardProfile is the Private profile.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging]
"LogFilePath"="D:\\pfirewall.log"
"LogDroppedPackets"=dword:00000001
"LogSuccessfulConnections"=dword:00000001
"LogFileSize"=dword:00001000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging]
"LogFilePath"="D:\\pfirewall.log"
"LogDroppedPackets"=dword:00000001
"LogSuccessfulConnections"=dword:00000001
"LogFileSize"=dword:00001000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging]
"LogFilePath"="D:\\pfirewall.log"
"LogDroppedPackets"=dword:00000001
"LogSuccessfulConnections"=dword:00000001
"LogFileSize"=dword:00001000
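The check that goes with the registry route, as an added example that is not code from the original post: a PowerShell 2.0 script for Server 2008 R2 that reports, per profile, the logging values the service will actually use and flags any that a policy key overrides. The Policies hive path and the rule that a policy value wins wherever one is present are how Windows Firewall applies Group Policy settings; the function names and the output layout are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008 R2,
# PowerShell 2.0 and an elevated session; function names are this example's own.

$LocalBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'   # written by GPO / Local Security Policy
$Profiles   = @('DomainProfile', 'StandardProfile', 'PublicProfile')  # StandardProfile = Private
$ValueNames = @('LogFilePath', 'LogFileSize', 'LogDroppedPackets', 'LogSuccessfulConnections')

function Get-LoggingKeyValues {
    # Returns a hashtable of whichever logging values exist under $KeyPath
    # (empty if the key is missing), so "absent" can be told apart from "0".
    param([string]$KeyPath)
    $values = @{}
    if (Test-Path -Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath
        foreach ($name in $ValueNames) {
            $prop = $item.PSObject.Properties[$name]
            if ($prop -ne $null) { $values[$name] = $prop.Value }
        }
    }
    return $values
}

function Get-EffectiveFirewallLogging {
    # One object per profile: the value the service will use for each setting,
    # plus the names of settings a policy key overrides. Editing the local key
    # for an overridden setting has no effect; change it in the policy instead.
    foreach ($fwProfile in $Profiles) {
        $local      = Get-LoggingKeyValues -KeyPath "$LocalBase\$fwProfile\Logging"
        $policy     = Get-LoggingKeyValues -KeyPath "$PolicyBase\$fwProfile\Logging"
        $row        = @{ Profile = $fwProfile }
        $overridden = @()
        foreach ($name in $ValueNames) {
            if ($policy.ContainsKey($name)) {
                $row[$name]  = $policy[$name]
                $overridden += $name
            } elseif ($local.ContainsKey($name)) {
                $row[$name]  = $local[$name]
            } else {
                $row[$name]  = '<not set>'   # the service falls back to its built-in default
            }
        }
        # LogFilePath may be REG_EXPAND_SZ (%systemroot%\...); show it the way the service resolves it.
        if ($row['LogFilePath'] -ne '<not set>') {
            $row['LogFilePath'] = [Environment]::ExpandEnvironmentVariables([string]$row['LogFilePath'])
        }
        $row['OverriddenByPolicy'] = ($overridden -join ', ')
        # Logging is active for this profile only if at least one Log* flag is 1.
        $row['LoggingActive'] = (($row['LogDroppedPackets'] -eq 1) -or ($row['LogSuccessfulConnections'] -eq 1))
        New-Object PSObject -Property $row
    }
}

Get-EffectiveFirewallLogging | Format-Table Profile, LoggingActive, LogFilePath, LogFileSize, LogDroppedPackets, LogSuccessfulConnections, OverriddenByPolicy -AutoSize
```

Run it before and after importing the .reg file. A profile that shows LoggingActive False with a value in OverriddenByPolicy is the classic "I edited the registry and nothing changed" case: the local key was updated but the policy copy is what the service reads.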

The Windows Firewall service depends on the Base Filtering Engine (bfe) and the Windows Firewall Authorization Driver (mpsdrv). Windows Defender (windefend) is not a dependency and is not part of Server 2008 R2. Check that the whole chain is running:

sc query bfe
sc query mpsdrv
sc query mpssvc

You can restart the firewall service with:

net stop mpssvc
net start mpssvc

While MpsSvc is stopped its rules are not enforced, so do this from a console session or an otherwise protected network, and confirm the state afterwards with netsh advfirewall show allprofiles.

For modern management (Windows Server 2012 and later; the NetSecurity module does not exist on 2008 R2), use PowerShell to configure logging:

# Set logging path and enable logging
Set-NetFirewallProfile -All -LogFileName "D:\pfirewall.log" -LogMaxSizeKilobytes 4096
Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True

# Verify settings
Get-NetFirewallProfile | Select-Object Name, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes

# Force an immediate logging test (Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later).
# With LogAllowed on, the successful outbound connection appears as an ALLOW entry.
Test-NetConnection -ComputerName google.com -Port 80
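The logging test described here and in the "known blocked connection" step earlier, done in a form that runs on Server 2008 R2 itself, as an added example that is not code from the original post. ConvertFrom-PfirewallLog parses the log using the #Fields: header the file carries, so it tolerates field-order changes; Test-FirewallLogging makes one outbound TCP connection and returns the entries the firewall appended for it. The log path, target host and port are assumptions, the sample log text is constructed for the offline parser check, and both function names are this example's own.

```powershell
# Added example, not from the original post. Runs on PowerShell 2.0 / Server 2008 R2,
# where Test-NetConnection is unavailable. Log path, target host and port are assumptions.

function ConvertFrom-PfirewallLog {
    # Parses pfirewall.log text into objects whose property names come from the log's
    # own "#Fields:" header (date time action protocol src-ip dst-ip src-port dst-port
    # size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path). "-" means not applicable.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.Trim().Length -eq 0 -or $line.StartsWith('#')) { continue }   # blank / other header lines
        if ($fields -eq $null) { throw 'Data line seen before the #Fields: header' }
        $parts  = $line.Trim() -split '\s+'
        $record = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) {
            if ($i -lt $parts.Length) { $record[$fields[$i]] = $parts[$i] } else { $record[$fields[$i]] = '-' }
        }
        New-Object PSObject -Property $record
    }
}

function Test-FirewallLogging {
    # Makes one outbound TCP connection attempt, then returns the entries the firewall
    # appended for it. With LogSuccessfulConnections=1 a completed connection is logged
    # as ALLOW ... SEND; a DROP appears only when a rule blocks it or for unsolicited
    # inbound traffic from another host (loopback traffic is exempt from filtering, so
    # connecting to the server's own address proves nothing).
    param(
        [string]$LogPath    = 'D:\pfirewall.log',
        [string]$TargetHost = 'www.example.com',   # assumption: any host reachable on $Port
        [int]$Port          = 80,
        [int]$WaitSeconds   = 5
    )
    $before = 0
    if (Test-Path -Path $LogPath) { $before = @(Get-Content -Path $LogPath).Count }

    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($TargetHost, $Port) }
    catch   { Write-Warning "Connect to ${TargetHost}:$Port failed: $($_.Exception.Message)" }
    finally { $client.Close() }

    Start-Sleep -Seconds $WaitSeconds   # the service does not write each entry the instant it happens
    if (-not (Test-Path -Path $LogPath)) { Write-Warning "$LogPath was never created"; return }
    $lines = @(Get-Content -Path $LogPath)
    if ($lines.Count -le $before) { Write-Warning "No new lines in $LogPath; check path, ACL and service"; return }

    # Parse only the new lines, reusing the file's #Fields: header so names line up.
    $header = @($lines | Where-Object { $_ -like '#Fields:*' })[0]
    if ($header -eq $null) { Write-Warning "$LogPath has no #Fields: header"; return }
    $newLines  = @($lines[$before..($lines.Count - 1)])
    $targetIps = @([System.Net.Dns]::GetHostAddresses($TargetHost) | ForEach-Object { $_.ToString() })
    ConvertFrom-PfirewallLog -Lines (@($header) + $newLines) |
        Where-Object { $targetIps -contains $_.'dst-ip' -and $_.'dst-port' -eq "$Port" }
}

# Offline check of the parser against a constructed sample (not a real capture).
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:23:45 DROP TCP 203.0.113.7 192.168.1.20 50123 445 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 10:23:46 ALLOW TCP 192.168.1.20 192.0.2.10 49200 80 0 - 0 0 0 - - - SEND
'@
ConvertFrom-PfirewallLog -Lines ($SampleLog -split "`r?`n") |
    Format-Table date, time, action, protocol, 'src-ip', 'dst-ip', 'dst-port', path -AutoSize

# Live check (assumptions: log at D:\pfirewall.log, www.example.com reachable on TCP 80).
Test-FirewallLogging -LogPath 'D:\pfirewall.log' -TargetHost 'www.example.com' -Port 80 | Format-Table -AutoSize
```

If the live check returns nothing but prints no warning, the file grew and the firewall is writing; the connection simply matched no logged condition (for example allowed-connection logging is off). A warning about no new lines with the service running is the path/ACL case covered in the next section.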

Even with correct registry settings, the account that writes the log needs permission, and that account is not SYSTEM: the Windows Firewall service runs as NT AUTHORITY\LocalService, and the identity to grant is its service SID, NT SERVICE\MpsSvc. Modify (M) is enough; full control is not needed. For an existing file:

icacls D:\pfirewall.log /grant "NT SERVICE\MpsSvc":(M)

For the directory containing the log file (the inherit flags let the log and its .old copy pick up the grant):

icacls D:\ /grant "NT SERVICE\MpsSvc":(OI)(CI)(M)

A grant at the root of a volume propagates to everything on it. A dedicated folder such as D:\FirewallLogs, with LogFilePath pointing into it, keeps the grant scoped to the logs.
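The permission check for both the directory and the file, as an added example that is not code from the original post. It computes the net rights (Allow ACEs minus Deny ACEs) that the service's identities hold, verifies the directory ACE is object-inheritable so new log files pick it up, and prints the icacls command that would fix it. Assumes Windows Server 2008 R2 and PowerShell 2.0; the log path is a parameter, and the function names are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008 R2,
# PowerShell 2.0 and an elevated session; function names are this example's own.

function Get-AllowedRights {
    # Net rights the listed identities hold on an ACL: Allow ACE bits minus Deny ACE bits.
    # Works on raw integers so generic-right ACEs (negative enum values) combine cleanly.
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string[]]$Identities
    )
    $allow = 0; $deny = 0
    foreach ($ace in $Acl.Access) {
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    return ($allow -band (-bnot $deny))
}

function Test-FirewallLogAccess {
    # Reports whether the firewall service can create, append to and rotate the log.
    param([string]$LogPath = 'D:\pfirewall.log')
    $R = [System.Security.AccessControl.FileSystemRights]
    # Identities that cover the writer: the service SID, or the LocalService account it runs as.
    $writers = @('NT SERVICE\MpsSvc', 'NT AUTHORITY\LOCAL SERVICE')
    $dir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $dir)) { throw "Log directory $dir does not exist" }

    # Directory: list it, create the log, append to it. The ACE must also be
    # object-inheritable (icacls (OI)) so pfirewall.log and .old inherit the grant.
    $dirAcl    = Get-Acl -Path $dir
    $dirNeeded = [int]$R::ListDirectory -bor [int]$R::CreateFiles -bor [int]$R::AppendData
    $dirRights = Get-AllowedRights -Acl $dirAcl -Identities $writers
    $dirOk     = (($dirRights -band $dirNeeded) -eq $dirNeeded)
    $inherits  = $false
    foreach ($ace in $dirAcl.Access) {
        if (($writers -contains $ace.IdentityReference.Value) -and ($ace.AccessControlType -eq 'Allow') -and
            (($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0)) {
            $inherits = $true
        }
    }

    # File (if it already exists): write, append, and Delete so the service can
    # rename it to .old when LogFileSize is reached.
    $fileOk = $null
    if (Test-Path -Path $LogPath) {
        $fileNeeded = [int]$R::WriteData -bor [int]$R::AppendData -bor [int]$R::Delete
        $fileRights = Get-AllowedRights -Acl (Get-Acl -Path $LogPath) -Identities $writers
        $fileOk     = (($fileRights -band $fileNeeded) -eq $fileNeeded)
    }

    New-Object PSObject -Property @{
        Directory          = $dir
        DirectoryWritable  = $dirOk
        AceInheritsToFiles = $inherits
        FileExists         = (Test-Path -Path $LogPath)
        FileWritable       = $fileOk
        SuggestedFix       = "icacls `"$dir`" /grant `"NT SERVICE\MpsSvc`":(OI)(CI)(M)"
    }
}

Test-FirewallLogAccess -LogPath 'D:\pfirewall.log' | Format-List
```

DirectoryWritable False is the usual finding when the log was moved off the system volume. FileWritable False with DirectoryWritable True means the file was created by someone else (for example an administrator pre-creating it) with an ACL the service cannot use; deleting the file and letting the service recreate it is simpler than repairing it.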

Common pitfalls that prevent logging:

  • A third-party firewall that disables Windows Firewall or handles the traffic before it
  • Filter drivers on the storage path (backup, encryption or replication agents) interfering with the writes
  • A full volume, or a disk quota on the log's volume, so the append fails
  • Antivirus real-time protection locking the log file

To separate these from path and permission problems, point logging temporarily back at the default location, %systemroot%\system32\LogFiles\Firewall\pfirewall.log, whose folder already carries the grant for NT SERVICE\MpsSvc. If entries appear there, the D:\ path or its ACL is the problem; if the default location stays empty too, look at the service, the policy override and the list above.