Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    In this case, please go back and open the Details and XML View:

    upload_2023-10-22_21-7-3.png

    Who is the ModifyingUser in your case? Notice the S-1-5-21? This is my local account, I did this from a CMD window. If you do this from WFC, the value would be S-1-5-18. Post a screenshot like mine. Thank you.
     
  2. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    242
    I've fully allowed ekrn.exe (ESET-related), both In/Out, both TCP/UDP (=4 rules). However, I'm seeing some blocked entries for it in the Connection Log (TCP/UDP). It's the exact same ekrn.exe. Destination address for these blocks are either 192.168.1.xx, 224.0.0.252 and a few IPv6 addresses which don't make sense to me.

    Any tips on why this is occurring? Thanks.
     
  3. Csokis

    Csokis Registered Member

    Joined:
    Oct 20, 2023
    Posts:
    8
    Location:
    Hungary
    Yes, S-1-5-18!

    img.jpg
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    S-1-5-18 is the SID of the System account. This means a Windows service installed to run as System account launches netsh.exe to disable Windows Firewall.

    You should enable Secure Profile in WFC to stop this behavior on your machine. This will prevent external tools, like netsh.exe to disable Windows Firewall.

    upload_2023-10-23_8-27-44.png

    Open services.msc and check the list of Windows services which have the Log On As column set to Local System. Search for non Microsoft services. One of those services (non-Microsoft), for some shady reason, wants to disable Windows Firewall. You know beter what is installed on your machine and it should be easy to identify the service. I would get rid of that software.
     
  5. Csokis

    Csokis Registered Member

    Joined:
    Oct 20, 2023
    Posts:
    8
    Location:
    Hungary
    If I turn on this option (Secure Profile), nothing changes. The same "Windows Firewall turned off" notification appears.

    For non-Microsoft services only these are:
    CMigrationService and SamsungMagicianSVC - For Samsung SSDs
    NVDisplay.ContainerLocalSystem and NvContainerLocalSystem and NVIDIA FrameView SDK service - For nVidia video card
    Steam Client Service - For Steam
    MozillaMaintenance - For Mozilla Firefox and Mozilla Thunderbird
    GoogleChromeElevationService - For Google Chrome
    EpicOnlineServices - For Epic Games Launcher

    I really don't know what's causing it anymore. :(
     
  6. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    For Csokis' problem, if netsh.exe runs in a process of its own, then if Csokis has enabled the logging of process starts & terminations (into Security eventlog records), & also enabled recording of commands used to start processes, it should be possible (by looking through all the process start events) to find out what parent process started netsh.exe.

    Logging of commands used to start processes is a potential security issue, on machines with more than one user, as whoever can display the eventlogs can see commands issued by other people/processes; sometimes those commands include personal info eg passwords. On a home machine only used by one person it's not an issue.

    In Windows Pro turning on auditing of process start/terminate etc can be done in GPedit. It cn be done in non-Pro versions of Windows via the commandline using "auditpol" commands (as I have done on XP (I think) and also Win 8.1).

    An alternative might be to install & run (with the option that logs boot processing) the Sysinternals Process Monitor tool - see: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    If Secure Rules is Enabled, then if you try to execute netsh advfirewall set allprofiles state off in an elevated CMD window, you should get Access is denied message and Windows Firewall state should not change.

    upload_2023-10-24_13-19-45.png

    Without Secure Profile, this command works, see the first result Ok. Does it work the same on your machine if you do these steps?

    Anyway, as @JNicoll23 suggested, try to enable the process creation auditing by executing this command in an elevated CMD window:

    auditpol.exe /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:enable

    and then watch the Security Event Log for events with ID 4688. There will be a lot of them, but you should be able to find the process which launches netsh.exe to disable Windows Firewall.

    upload_2023-10-24_13-25-28.png

    Please keep us updated with your findings.
     
  8. Csokis

    Csokis Registered Member

    Joined:
    Oct 20, 2023
    Posts:
    8
    Location:
    Hungary
    The result: Access is denied! It works well then. :thumb:

    For this command I get the Error 0x00000057 occurred: Wrong parameter.o_O I have a Windows 11 Pro system.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    I also have Windows 11 Pro. Use auditpol /list /subcategory:* /r to get the list of GUIDs. You are interested to get the GUID of the Process Creation subcategory.

    upload_2023-10-24_23-51-48.png

    Then execute the command by using the GUID or by name. Try with double quotes. Below, both variants are equivalent:

    upload_2023-10-24_23-53-27.png
     
  10. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    854
    I know this has probably been explained, but why am I seeing blocked inbound TCP/UDP on specific port if there are two rules allowing it?

    3.png 2.png 1.png
     
  11. Csokis

    Csokis Registered Member

    Joined:
    Oct 20, 2023
    Posts:
    8
    Location:
    Hungary
    Double quotes helped!:thumb:

    I found two things that have netsh.exe.

    https://i.imgur.com/uipXigs.jpg

    https://i.imgur.com/Ewy06zm.jpg

    What next?:)
     

    Attached Files:

  12. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    Each of those eventlog records describes a process being created to run netsh.exe. In the information provided in the record is the process-id of the creator. Eg - when an instance of Firefox starts here:

    Process Information:
    New Process ID: 0x21ec
    New Process Name: C:\Program Files (x86)\~M-folder\Mozilla\Firefox\firefox.exe
    Token Elevation Type: TokenElevationTypeDefault (1)
    Creator Process ID: 0x2a78

    So you need to look at the "Creator Process ID" value in each case. Then, because you're logging the successful creation of every process, you need to find the eventlog that logs the creator being started, which will tell you what it is, and who started it.

    Edit: on my Win 8.1 system the eventlog normally just shows the creator's process-id ... but in the example posted earlier by NoVirusThanks the record itself also contains the name of the creating process. Your screenshots are very blurry. It'd be better if you c&p the text from the eventlogs into posts here.

    I /think/ your Winerr1 shows netsh.exe being run by WFC, and Winerr2 shows something else (that I can't read) being run by netsh.exe.
     
    Last edited: Oct 25, 2023
  13. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    I upgraded to 6.9.7.0. The executable, wfc.exe, shows the version as 6.9.3.0.
    wfcs.exe, and wfcui.exe show 6.9.7.0.
    Is this expected behavior?
    Thanks.
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    Please remove wfc.exe from the beta version 6.9.3.0. The name is now wfcUI.exe.
     
  15. Nehel

    Nehel Registered Member

    Joined:
    Oct 27, 2023
    Posts:
    4
    Location:
    LA
    Since about two years I use WFC (thanks you!).
    But now I have a small problem (Windows 10 home).
    Until 6.9.2 secure boot worked. Then I updated to 6.9.6 and meanwhile to 6.9.7.
    But since 6.9.6 secure boot does not work anymore. After reboot, as before, only medium filtering is active.
    -I've made a backup of the settings before uninstalling 6.9.2 and imported them after installing 6.9.6.
    -I have tried: to reset the settings and then set all settings manually. I think, that after the first reboot secure boot also worked that one time. But I can be wrong.
    -If I manually set to high before switching off, after the restart is still set to high. - that's ok
    Does anyone have an idea what I could try?
    In the download area only the current version is downloaded. Is version 6.9.2 still officially available somewhere? I didn't want to download the file somewhere else on the internet. Then I would try again the old version.
    (Sorry for the bad english, I used a translator).
     
  16. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    Can't delete WFC.exe. Can't delete C:\Program Files\Malwarebytes\Windows Firewall Control. Uninstall does not remove it. Can't change ownership of file. Owner is Builtin Administrator. At least I got wfc.exe to stop starting every time the system starts. Not sure how - maybe repeated uninstalls / installs finally wiped some registry entry out. Apparently the best you can do is disable the service and keep the app from running.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    Check this topic. Replace the version in the URL to get version 6920.
    If you also use Malwarebytes Premium, while self protection is on, you can't just delete any file under C:\Program Files\Malwarebytes. Disable that protection temporarily and you will be able to delete wfc.exe.
     
  18. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    That did the trick! Thanks.
     
  19. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    242
    Does the experimental UPPER CASE notification exception still work consistently? I'm having trouble making it work for msedgewebview2.exe. Tried both, one at a time:

    C:\PROGRAM FILES (X86)\MICROSOFT\EDGEWEBVIEW\APPLICATION
    MSEDGEWEBVIEW2.EXE

    It still gets blocked with no rule creation. Block is confirmed in the Connections Log.
     
  20. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,549
    Location:
    Flat Earth Matrix
    It worked only for one experimental WFC version, not since, like 5 versions ago. Sadly because winget and store apps change almost daily and even onedrive upon updating. I even tried learning mode, it did not help either.
     
  21. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    693
    Location:
    Switzerland
    Hmm ... that sounds not good with that experimental function (UPPERCASE expeptions).

    Alexandru, have you news about that?

    Greetings
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    I wasn't aware that it does not work anymore :( I will fix it in the next WFC release.
     
  23. Nehel

    Nehel Registered Member

    Joined:
    Oct 27, 2023
    Posts:
    4
    Location:
    LA
    Thank you. I've installed version 6.9.2.0, and secure boot works. I don't know why there are problems with the newer versions.
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,509
    Location:
    Romania
    I tested this on Windows 7 x86, Windows Server 2022, Windows 11. It worked on all machines. Secure Boot relies on system shut down event. When the event is received, WFC will switch the profile to High Filtering profile. For this to work, wfcUI.exe must be running at the time when the system shut down or restart is triggered. If the computer goes to sleep only, then no event is triggered.
     
  25. yoweho8574

    yoweho8574 Registered Member

    Joined:
    Mar 11, 2020
    Posts:
    19
    Location:
    UK
    hello i updated from 6.9.2 to 6.9.7 and a bunch of rules got deleted without using secure rules to delete them, also i exported them before upgrading and when i try to import them i got invalid file error and the new rules exported file was about 320kb vs 760kb for the old, i manually added back some rules so i can deal with that i guess.

    maybe some or most of the deleted rules were restricted to a specific windows user, not sure


    Also how do you use multiples keywords for the Search box in the connection log? thx i can't find it in the manual nor the forum. That would be nice if the keywords with the exclude parameter in the search box were saved when you close and reopen the connection logs
     
    Last edited: Nov 6, 2023
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.