Windows Firewall Control (WFC) by BiniSoft.org

In this case, please go back and open the Details and XML View:



Who is the ModifyingUser in your case? Notice the S-1-5-21? This is my local account, I did this from a CMD window. If you do this from WFC, the value would be S-1-5-18. Post a screenshot like mine. Thank you.

 

I've fully allowed ekrn.exe (ESET-related), both In/Out, both TCP/UDP (=4 rules). However, I'm seeing some blocked entries for it in the Connection Log (TCP/UDP). It's the exact same ekrn.exe. Destination address for these blocks are either 192.168.1.xx, 224.0.0.252 and a few IPv6 addresses which don't make sense to me.

Any tips on why this is occurring? Thanks.

 

Yes, S-1-5-18!

 

S-1-5-18 is the SID of the System account. This means a Windows service installed to run as System account launches netsh.exe to disable Windows Firewall.

You should enable Secure Profile in WFC to stop this behavior on your machine. This will prevent external tools, like netsh.exe to disable Windows Firewall.



Open services.msc and check the list of Windows services which have the Log On As column set to Local System. Search for non Microsoft services. One of those services (non-Microsoft), for some shady reason, wants to disable Windows Firewall. You know beter what is installed on your machine and it should be easy to identify the service. I would get rid of that software.

 

If I turn on this option (Secure Profile), nothing changes. The same "Windows Firewall turned off" notification appears.

For non-Microsoft services only these are:
CMigrationService and SamsungMagicianSVC - For Samsung SSDs
NVDisplay.ContainerLocalSystem and NvContainerLocalSystem and NVIDIA FrameView SDK service - For nVidia video card
Steam Client Service - For Steam
MozillaMaintenance - For Mozilla Firefox and Mozilla Thunderbird
GoogleChromeElevationService - For Google Chrome
EpicOnlineServices - For Epic Games Launcher

I really don't know what's causing it anymore.

 

For Csokis' problem, if netsh.exe runs in a process of its own, then if Csokis has enabled the logging of process starts & terminations (into Security eventlog records), & also enabled recording of commands used to start processes, it should be possible (by looking through all the process start events) to find out what parent process started netsh.exe.

Logging of commands used to start processes is a potential security issue, on machines with more than one user, as whoever can display the eventlogs can see commands issued by other people/processes; sometimes those commands include personal info eg passwords. On a home machine only used by one person it's not an issue.

In Windows Pro turning on auditing of process start/terminate etc can be done in GPedit. It cn be done in non-Pro versions of Windows via the commandline using "auditpol" commands (as I have done on XP (I think) and also Win 8.1).

An alternative might be to install & run (with the option that logs boot processing) the Sysinternals Process Monitor tool - see: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon.

 

If Secure Rules is Enabled, then if you try to execute netsh advfirewall set allprofiles state off in an elevated CMD window, you should get Access is denied message and Windows Firewall state should not change.



Without Secure Profile, this command works, see the first result Ok. Does it work the same on your machine if you do these steps?

Anyway, as @JNicoll23 suggested, try to enable the process creation auditing by executing this command in an elevated CMD window:

auditpol.exe /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:enable

and then watch the Security Event Log for events with ID 4688. There will be a lot of them, but you should be able to find the process which launches netsh.exe to disable Windows Firewall.



Please keep us updated with your findings.

 

The result: Access is denied! It works well then.

For this command I get the Error 0x00000057 occurred: Wrong parameter. I have a Windows 11 Pro system.

 

I also have Windows 11 Pro. Use auditpol /list /subcategory:* /r to get the list of GUIDs. You are interested to get the GUID of the Process Creation subcategory.



Then execute the command by using the GUID or by name. Try with double quotes. Below, both variants are equivalent:

 

I know this has probably been explained, but why am I seeing blocked inbound TCP/UDP on specific port if there are two rules allowing it?

 

Double quotes helped!

I found two things that have netsh.exe.

https://i.imgur.com/uipXigs.jpg

https://i.imgur.com/Ewy06zm.jpg

What next?

 

Each of those eventlog records describes a process being created to run netsh.exe. In the information provided in the record is the process-id of the creator. Eg - when an instance of Firefox starts here:

Process Information:
New Process ID: 0x21ec
New Process Name: C:\Program Files (x86)\~M-folder\Mozilla\Firefox\firefox.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x2a78

So you need to look at the "Creator Process ID" value in each case. Then, because you're logging the successful creation of every process, you need to find the eventlog that logs the creator being started, which will tell you what it is, and who started it.

Edit: on my Win 8.1 system the eventlog normally just shows the creator's process-id ... but in the example posted earlier by NoVirusThanks the record itself also contains the name of the creating process. Your screenshots are very blurry. It'd be better if you c&p the text from the eventlogs into posts here.

I /think/ your Winerr1 shows netsh.exe being run by WFC, and Winerr2 shows something else (that I can't read) being run by netsh.exe.

 

I upgraded to 6.9.7.0. The executable, wfc.exe, shows the version as 6.9.3.0.
wfcs.exe, and wfcui.exe show 6.9.7.0.
Is this expected behavior?
Thanks.

 

Please remove wfc.exe from the beta version 6.9.3.0. The name is now wfcUI.exe.

 

Since about two years I use WFC (thanks you!).
But now I have a small problem (Windows 10 home).
Until 6.9.2 secure boot worked. Then I updated to 6.9.6 and meanwhile to 6.9.7.
But since 6.9.6 secure boot does not work anymore. After reboot, as before, only medium filtering is active.
-I've made a backup of the settings before uninstalling 6.9.2 and imported them after installing 6.9.6.
-I have tried: to reset the settings and then set all settings manually. I think, that after the first reboot secure boot also worked that one time. But I can be wrong.
-If I manually set to high before switching off, after the restart is still set to high. - that's ok
Does anyone have an idea what I could try?
In the download area only the current version is downloaded. Is version 6.9.2 still officially available somewhere? I didn't want to download the file somewhere else on the internet. Then I would try again the old version.
(Sorry for the bad english, I used a translator).

 

Can't delete WFC.exe. Can't delete C:\Program Files\Malwarebytes\Windows Firewall Control. Uninstall does not remove it. Can't change ownership of file. Owner is Builtin Administrator. At least I got wfc.exe to stop starting every time the system starts. Not sure how - maybe repeated uninstalls / installs finally wiped some registry entry out. Apparently the best you can do is disable the service and keep the app from running.

 

Check this topic. Replace the version in the URL to get version 6920.

If you also use Malwarebytes Premium, while self protection is on, you can't just delete any file under C:\Program Files\Malwarebytes. Disable that protection temporarily and you will be able to delete wfc.exe.

 

That did the trick! Thanks.

 

Does the experimental UPPER CASE notification exception still work consistently? I'm having trouble making it work for msedgewebview2.exe. Tried both, one at a time:

C:\PROGRAM FILES (X86)\MICROSOFT\EDGEWEBVIEW\APPLICATION
MSEDGEWEBVIEW2.EXE

It still gets blocked with no rule creation. Block is confirmed in the Connections Log.

 

It worked only for one experimental WFC version, not since, like 5 versions ago. Sadly because winget and store apps change almost daily and even onedrive upon updating. I even tried learning mode, it did not help either.

 

Hmm ... that sounds not good with that experimental function (UPPERCASE expeptions).

Alexandru, have you news about that?

Greetings

 

I wasn't aware that it does not work anymore I will fix it in the next WFC release.

 

Thank you. I've installed version 6.9.2.0, and secure boot works. I don't know why there are problems with the newer versions.

 

I tested this on Windows 7 x86, Windows Server 2022, Windows 11. It worked on all machines. Secure Boot relies on system shut down event. When the event is received, WFC will switch the profile to High Filtering profile. For this to work, wfcUI.exe must be running at the time when the system shut down or restart is triggered. If the computer goes to sleep only, then no event is triggered.

 

hello i updated from 6.9.2 to 6.9.7 and a bunch of rules got deleted without using secure rules to delete them, also i exported them before upgrading and when i try to import them i got invalid file error and the new rules exported file was about 320kb vs 760kb for the old, i manually added back some rules so i can deal with that i guess.

maybe some or most of the deleted rules were restricted to a specific windows user, not sure


Also how do you use multiples keywords for the Search box in the connection log? thx i can't find it in the manual nor the forum. That would be nice if the keywords with the exclude parameter in the search box were saved when you close and reopen the connection logs