Windows Firewall Control (WFC) by BiniSoft.org

Strange... Does it also work after several reboots if you select Display: All Connections? If I have lot of blocked connections from currently running session last 100 connections works for example here, becuase I think it's not enough to encounter this problematic part of event log. But selecting All connections throws error then.
Get-EventLog Security also displays all events in Powershell correctly after several reboots?

 

I've installed latest Win10 1803 update (https://support.microsoft.com/en-us/help/4284848) and refresh now populate events in WFC. Had to clear the Security log once (I guess it will stay "corrupted" once it is corrupted)
Ttried several reboots, so far so good. No more Index out of bounds errors.

I'll let you know if the problem reappears.

 

Holy Crap its been fixed?!?!

I too had that Windows update the other day and today as habit of clearing my logs, noticed it doesn't show up anymore, and WFC connection logs show working on a fresh boot. I wonder what part of those patch notes was the fix?

 

Hi,
I've got a problem with WFC and connection attempts from 127.0.0.1 and ::1 to addresses on port 3702.
This is Windows "Web Service Discovery".
I'd like to allow it in private networks and block it in public networks.
Therefore I have according rules and it seems to work fine.
But I get alerts for connection attempts from 127.0.0.1 and ::1.
I've tried to generate additional rules especially for these source addresses, but it seems, this has no effect.
Actually, 127.0.01 and ::1 are Loopback addresses and therefore don't fit to any of the network categories private/domain/public and Web Service Discovery makes no sense for Loopback devices...
So how can I handle this, that no alerts are displayed for source address 127.0.0.1, while I can allow the connection on private networks.
It seems to display no alert if I completely block the connection ANY -> 239.255.255.250:3702

 

@Big Mike

Windows Firewall can't handle Loopback things.

 

@gb62 @Special

First, THANKS gb62 for the hint with deleting the protocol! I could indeed open and display the connections after a reboot too again.

BUT: HERE it's only possible if I select "Last 100 connections". After switching to "500" or "All", I can't open it anymore and the error 323 appears again.

Maybe you can test this out too ...

Hint: reason could be because the fresh protocol has not yet >= 500 entries?!?

However: at least it's possible now to display the last 100 without error.

 

Ok - I see no problem in general with windows firewall.
But in this case, WFC shouldn't generate alerts for Loopback networks (127.0.0.1/8 and ::1/128 ).
It's useless to get an alert for things the underlying firewall doesn't handle at all.
And I guess Windows producing log entries (which is probably the problem's root cause) is pretty misleading.

 

@Big Mike

Have you tried to make a related notification exception? PERHAPS you could make an exception with the related EXE or DLL (not tested). Hint: if you not have the related file already you could search for string "*wsd*" or so.

I don't know if this can help ... maybe it's worth a try ...

 

That's a bit of a problem, the related exe is "svchost.exe". And I don't want an exception for all alerts from svchost.exe.
I just saw, there was a fix in version 4.0.6.2 that will suppress these alerts if there's no network connection.
If the windows firewall doesn't handle these connections, there should be no alert independently from existing network connections or the process causing them. By the way, I noticed yesterday, that I also get some similar alerts for port 1900 (UPnP) if I close an reopen my network connection.

 

You can add svchost.exe in the notifications exceptions list so that you won't be bothered again about it. If you don't want to automatically dismiss all notifications for svchost.exe, another way is to create a block rule for remote IP 127.0.0.1 and then WFC will not display again notifications for these connections. WFC just reads the events generated by Windows Firewall and behaves accordingly. There is no logic in WFC to skip displaying notifications for loop back connections, but there are ways to stop these from being displayed if they are not interesting to the user.

 

After the April Update, my start menu wouldn't show up anymore.
I spent days trying to fix it with all possible tools and powershell commands, to no avail.
Then I started uninstalling every single program from my pc... uninstalling WFC (even with the 3rd option "Keep the current firewall and settings") solved my start menu issue.
I still kept a VM snapshot of my pc at the time of the issue, so I can reproduce it as many times as I want... uninstalling WFC works 100% and was my only solution.
I love WFC (paid version), but I think Binisoft messed up and made people lose so much time...

 

Have you tried disabling Secure Boot, Secure Rules, and Secure Profile? My Win10 with the latest update works fine with those three disabled. Iirc, Secure Rules and Secure Profile enabled may bork things made in UWP or similar language, including system stuff such as Start Menu, Settings, etc.

 

This side effect of using Secure Rules is already mentioned in the user manual. I already put a warning when you enable Secure Rules. Nothing is messed up. Everything is documented.

Secure Rules

In Windows, a software executed with administrative privileges can add, modify, remove Windows Firewall rules. Windows Firewall Control can prevent these external changes. When this feature is enabled, adding, modifying or importing firewall rules can be done only through the Windows Firewall Control user interface. This feature is automatically disabled when Windows Firewall Control is uninstalled.

When this feature is enabled:

• Windows Store will fail to install new apps because they will try register themselves in Windows Firewall, which will not be allowed.
• Adding, modifying or removing firewall rules through Windows Firewall with Advanced Security or command line will not work.
• If you see a notification from Windows Firewall when a new program tries to open a port, no matter what action you choose, "Allow access" or "Cancel", a new firewall rule will not be created.
• If you try to enable/disable certain operating system features through Control Panel, like Network Discovery, File and Printer Sharing, etc, nothing will happen.
• Sometimes, the Start Menu may freeze and not display anymore. If this happens, disable Secure Rules for a few seconds to allow the operating system to install the firewall rules it requires, then enable again Secure Rules and review your rules. Remove manually any new unwanted firewall rules.

 

I had the same exact issue after the April patch after not having the issue for a year. I also didnt use secure rules.

I can also replicate the issue even with secure rules disabled.

 

You mean as the source address? It's a connection 127.0.0.1 -> 239.255.255.250 (a default network multi cast address, which shouldn't be blocked in general)
I tried to create allow and block rules from the alert popup, but this didn't work. I will try to set up the rule manually.
I want to get rid of alerts originating from 127.0.0.1/8 and ::1/128

 

Sorry Alex, but this happened to me too. No Start, Time and Date, Action Center and Store apps. Uncheck Secure rules and updated ALL the apps from Store and everything works. Took me soooo many installs both clean and upgrade to isolate the problem. Funny, it was just user error (not reading what it does and it's effects) and unchecking 2 options within WFC fixed everything.

Robert

 

Ok, adding the rule for 127.0.0.1/8 manually, instead of creating a rule out of the alert window seems to work (no idea why...), I don't get alerts anymore for 127.0.0.1 -> 239.255.255.250:1900 and 127.0.0.1 -> 239.255.255.250:3702.
But: I can't generate a rule for the IPv6 alerts. It seems, that I can't create a rule with source address ::1 or 0:0:0:0:0:0:0:1. In WFC, nothing happens and the rule window stays open. In the Windows Firewall itself, I get an error, that I'm using a wrong parameter, when I try to create the rule.

 

BTW, is it normal for WFC to lose all it user created rules when you install TinyWall?

 

It is normal. WFC is an add-on for the Windows Brandmauer , and TinyWal is an add-on for the Windows Brandmauer. TinyWall at installation removes all the rules of the Windows Brandmauer (read - WFC) writes down its rules there.
You needed at first to create a backup copy of the WFC rules (read - Brandmauer Windows rules).

 

I updated to v5.3.1.0 last week, from 4.4.3. I am periodically getting high CPU (50%) from wfcs.exe. The cpu goes back up to 50% usage after restarting the service. I cannot seem to isolate what drives it into high gear. It lasts for hours. Sometimes I can get it to stop with a combination of restarting the application and the service. Sometimes it just goes right back to high usage.

It only does this in the Medium Profile. All other profiles are normal. But of course I don't see the point of WFC without the notifications. (I also use Display Notifications and didn't try Learning Mode.) For now my rules also allow all NT Kernel and Svchost outbound connections. (Didn't fix the problem.) I reset my Firewall to Windows default when I updated.

I saw that a cpu bug was fixed in a recent update. Maybe it's still a problem?

FYI: Both my security settings are enabled.

FYI: I am using a VPN and it's application is allowed In and Out. Disabling it did not stop the Cpu processing.

FYI: Connections log is not open, and it is set to only log blocked connections.

___________
~ Win7x64, Windscribe VPN IKEv2, Ethernet Lan to Xfinity Modem, 100mbps.

 

Is there any way to edit the .wfw file (exported firewall rules) in a text editor?

 

If you try to create a rule from WF for ::1 it says that "An unspecified, multicast, broadcast, or loopback IPv6 address was specified". Windows Firewall itself does not support adding such firewall rules. In WFC nothing happens and an error with ID 134 is logged in WFC Event Log stating that the rule failed due to invalid parameters.

WFC and TinyWall are both controllers for Windows Firewall and I recommend you not to use both in the same time. TinyWall will replace all of your rules. It should have asked what you would like to do with your existing rules instead of just wiping them out.

When a connection is blocked, the notifications system will compare the details of the blocked connections with the details of your existing rules. THen it will decide if a new notification should be displayed or not. Now, if you have programs that make a lot of network traffic (which is blocked), then WFC service will do a lot of work. Also, if you have many firewall rules, this will make WFC to do these checks against more firewall rules. It works faster and uses less resources if you have 50 firewall rules, slower if you have 500 rules. I saw users that import the same policy 3 times and they end up having 1500 rules and tens of duplicate useless rules.

Check the Connections Log and see the recently blocked connections and create a notification exception for the programs that you know that you want blocked. In WFC if a program is in the notifications exceptions list, then the check against existing rules will not be performed. If you disabled the notifications system, you still have the same CPU usage?

No. This is a Microsoft format. You can export all rules by using the partial policy feature of WFC. Then the exported file will be in XML format which can be edited in any text editor.

 

Yes, it's a good idea to back up rules. Luckily I don't have any complex rules, I only allow a couple of apps to make outbound connections.

Yes I understand, I just quickly wanted to check something out in TinyWall, but isn't the Secure Rules option meant to protect from messing around with the Win Firewall rules? If not, then perhaps it's a better idea to use a third party firewall. BTW, any news on your job at Malwarebytes?

 

I having been having trouble accessing (sharing) one laptop because of permissions. My next step is to uninstall WFC (paid) and reverting Windows Firewall to default then reinstall WFC.
Is there still a problem with getting recognized as a paid version ?

Two desktops and one HP laptop No problem
Dell laptop is a real pain
All four have same settings. Checked numerous times.

Thanks

 

WFC is a frontend. You can revert to default Windows firewall rules without uninstalling WFC, you'll achieve nothing other then creating extra steps by needing to reinstalling WFC...

And there was never any problems with "getting recognized as a paid version".