Not really a solution, but this may help you figure out what is causing it.
Check your event log by running the "Event Viewer" app. Go to Applications and Services logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security and view the Firewall log.
That log should log an event whenever the firewall is enabled or disabled, with an event similar to:
A Windows Firewall setting in the Public profile has changed.
New Setting:
    Type: Enable Windows Firewall
    Value: Yes
    Modifying User: MyMachine\srchamberlain
    Modifying Application: C:\Windows\System32\dllhost.exe
You can check the Modifying Application property to see which app initiated the firewall change.
UPDATE 1:
So it appears something is running netsh on a semi-regular basis. I would check Applications and Services logs -> Microsoft -> Windows -> TaskScheduler -> Operational in the event viewer to see if it is a scheduled task doing it.
If that does not show it being run, run secpol.msc and enable Audit process tracking to see who started netsh. Once it is enabled you can go to Windows Logs -> Security and find the "Audit Success" entry for that process.
Here is an example of me manually starting notepad.exe with it on.
A new process has been created.

Creator Subject:
    Security ID: MyMachine\srchamberlain
    Account Name: srchamberlain
    Account Domain: MyMachine
    Logon ID: 0x71FA757

Target Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Process Information:
    New Process ID: 0x1510
    New Process Name: C:\Windows\System32\notepad.exe
    Token Elevation Type: %%1938
    Mandatory Label: Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x938
    Creator Process Name: C:\Windows\explorer.exe
    Process Command Line:
The thing we are most interested in is the Creator Process Name
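
The same two lookups can be scripted instead of clicked through in Event Viewer. The PowerShell below is an added example, not part of the original answer: it lists firewall setting changes with their Modifying Application, then lists every netsh.exe launch with its Creator Process Name. The helper name ConvertTo-EventDataTable and the one-day window are assumptions, and the EventData field names are the ones shown in the XML view of these events on recent Windows versions.

```powershell
# Added example. Run from an elevated PowerShell session (the Security log needs admin rights).
$since = (Get-Date).AddDays(-1)   # look-back window; constructed value, adjust as needed

# Hypothetical helper: turn an event's <EventData> into a name -> value hashtable.
function ConvertTo-EventDataTable {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $table = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $table[$d.Name] = $d.'#text' }
    }
    $table
}

# 1. Firewall log: keep only events that carry a Modifying Application field.
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $fwLog; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if ($d.ContainsKey('ModifyingApplication')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                User        = $d.ModifyingUser          # may be recorded as a SID
                Application = $d.ModifyingApplication
            }
        }
    } | Format-Table -AutoSize

# 2. Security log: process-creation events (ID 4688) where the new process is netsh.exe.
#    Only present once "Audit process tracking" has been enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if ($d.NewProcessName -like '*\netsh.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $d.SubjectUserName
                Creator     = $d.ParentProcessName      # shown as "Creator Process Name"
                CreatorPid  = $d.ProcessId              # shown as "Creator Process ID" (hex)
                CommandLine = $d.CommandLine            # empty unless command-line auditing is on
            }
        }
    } | Format-List
```

Matching the timestamps from the second listing against the first shows which netsh launch lines up with each firewall change.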