Windows Firewall Control (WFC) by BiniSoft.org

Notification exceptions get removed after an update, but I guess re-importing settings solves it, I have not tried it myself though.
P.S. This is a neat webpage to convert names and especially paths to the uppercase. When doing it by hand I always made typos.

Code:

https://convertcase.net

 

No, they don't get removed. You can also use Notepad++ to quickly convert case. I guess other text editors, too.

 

The installer does not know the difference between an admin account or an admin account elevated from a standard user account. For this reason, the Run button is disabled in all cases. To be able to start wfcUI.exe under the original user account, it is more complex. The installer should launch a second instance which is elevated, the second instance will then connect to the first unelevated one through some sort of IPC mechanism and send callbacks to it to display a progress. When you click on the Run button you should be in the original instance which was not elevated. This mechanism requires a lot of code changes which were not yet ready. Maybe in a future version. For now it was easier to disable the Run button.

PS: When you are on the final page in the installer/updater, press Shift+F10 to enable the Run button. wfcUI.exe will be executed with the same privileges as the installer like in the past.

 

Tnx and soon you will have the usual email with the language...

 

@alexandrud

Thank you for the new version. Translation DE is ready soon.

Maybe now a dumb question: how is then the restricted WFC sensefully if it runs with Medium Profile? Because there are no notifications for not allowed connections anymore ...
Or in other words, if I use WFC for my restricted account (which is my daily "working" account), with Medium Profile, I have always first to elevate WFC after reboot ...

On the other side: I can understand that automatically running with elevated rights is not desired in restricted accounts ... maybe as option (configurable)? Also restricted WFC makes sense for Low Profile.

I don't see now which Profile is active in restricted mode, that's not really good. Here a 2-color-Icon gray-green, gray-orange etc. (or something like that) would make more sense.

Greetings

 

With the latest update, how do I know a connection has been blocked on a standard account?

 

@Azure Phoenix

Yeah, asked the same above ...

 

Updated from 6.9.6.0 to 6.9.9.1, gui cannot handle the update automatically, some error. Downloaded separately, update still won't go through. Uninstalled 6.9.6.0, 6.9.9.1 installs normally and everything seems to be ok.

Then gui update to 6.9.9.2, same issues as above. BUT everything is not ok, Connections Log hangs forever. I had Auto Refresh On Open selected, and now it's loading with "Please wait..." message forever. Uninstall and reinstall does NOT solve this. Recreated the user settings in case there was something from earlier versions but didn't help.

1. The obvious, how to make Connections Log run again?
Tried to check registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Firewall Control for a value to toggle the Connection Log Auto Refresh but couldn't find anything relevant.

2. Did the functionality of Import Rules change? Now it adds the rules, ended up with a mangled ruleset full of doubles after loading a saved set. Wish one could choose to add or replace.

Sorry for not having the exact errors, time constraints.

Also, if one ended up manually removing the wfcs service (as a side effect of it being stuck in "Stopping..." state), the uninstaller errors about it and won't complete the uninstall. "Please reinstall this software from the original installer" is hardly helpful when one wants to uninstall it. It should proceed to uninstall to completion.

 

Configurable means also exploitable. I will try the half colored icons to be easier to differentiate between Low and Medium Filtering profiles.

You can't without elevating first the software privileges. A standard user account should not receive any notification since there is nothing to do with them. If it has no privileges to create a rule, why sending notifications? Since the standard user account can't set the notifications mode to disabled, it will be spammed by useless notifications.

For administrator accounts this new version did not change. For standard user accounts, you must first elevate the privileges. Unfortunately, this can be done only manually. There is no workaround to make this automatic since this will defeat the purpose of it.

You can send a thank you note to the guy who reported CVE-2023-36631 for these "improvements" I had to do.

 

That some error is important to find out why it is not working on your machine.

This is because the problem might be outside of WFC code.

The settings are stored under HKEY_CURRENT_USER\Software\BiniSoft.org\Windows Firewall Control.

If you don't want to keep the existing rules, delete them first and then import your rules. The import is done on top of the existing rules.

Try WFC event log to see what errors are logged there.

The user guide has the steps to manually uninstall WFC: https://binisoft.org/pdf/guides/Malwarebytes-WFC-User-Guide.pdf#page=51

 

I see.

Probably not that important. I wasn’t trying to referred to the notifications function. But rather to the connection log.

 

Awesome, Thank you!

 

As i mentioned also before:

I did that already. I had allowed all inbounds from all Epson Software!
Then i did your steps:

- Export my existing custom rules created by me
- Reset Windows Firewall default set of firewall rules
- Enabled manually all rules from Network Discovery and File and Printer Sharing groups
- Import back my existing custom rules

And i still CANT start scan procedure from scanner to PC!

Whats next? (going back to ESET imho) TeamViewer Session possible?

(i am an System Engineer IT for over 30yrs)

 

Right, so any good guesses where? Updating the firewall is the only thing I've done. It's a bit far fetched to start looking elsewhere when the only things done are 6.9.9.1 and .2 updates. Need to try something to fix the Connection Log since it's still borked even after un and reinstall.

Sorry, that was just a brainfart typo, of course HKCU. So which one is the setting that controls the Connection Log Auto Refresh so I can turn it off? And how.

Log size has been very small 1MB, only error I can find is Event 911, 2 within 7 seconds of each other:
- System
- Provider
[ Name] WFC
- EventID 911
[ Qualifiers] 0
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2024-01-22T12:11:01
EventRecordID 2118
Correlation
- Execution
[ ProcessID] 4864
[ ThreadID] 0
Channel WFC
Computer B0RNT0BE.HUB
Security

- EventData
System.Windows.Threading.DispatcherUnhandledExceptionEventArgs was caught.
Exception: System.ArgumentException: Property set method not found. at System.Reflection.RuntimePropertyInfo.SetValue(Object obj, Object value, BindingFlags invokeAttr, Binder binder, Object[] index, CultureInfo culture) at System.Reflection.RuntimePropertyInfo.SetValue(Object obj, Object value, Object[] index) at WindowsFirewallControl.Services.RuleServices.CopyToFrom[TSelf,TSource](TSelf self, TSource source) at WindowsFirewallControl.Views.PropertiesView.ApplyClick(Object sender, RoutedEventArgs e) at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised) at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args) at System.Windows.Controls.Primitives.ButtonBase.OnClick() at System.Windows.Controls.Button.OnClick() at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e) at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target) at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs) at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised) at System.Windows.UIElement.ReRaiseEventAs(DependencyObject sender, RoutedEventArgs args, RoutedEvent newEvent) at System.Windows.UIElement.OnMouseUpThunk(Object sender, MouseButtonEventArgs e) at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target) at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs) at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised) at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args) at System.Windows.UIElement.RaiseTrustedEvent(RoutedEventArgs args) at System.Windows.Input.InputManager.ProcessStagingArea() at System.Windows.Input.InputManager.ProcessInput(InputEventArgs input) at System.Windows.Input.InputProviderSite.ReportInput(InputReport inputReport) at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr hwnd, InputMode mode, Int32 timestamp, RawMouseActions actions, Int32 x, Int32 y, Int32 wheel) at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr hwnd, WindowMessage msg, IntPtr wParam, IntPtr lParam, Boolean& handled) at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled) at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled) at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o) at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs) at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)

 

I understand. The problem is with restricted account and restricted WFC with Medium Profile, a user will never noticed about not allowed outgoing connections anymore. Then programs does not working right and the user has no idea why (except the programs make a helpful message itself). The only "solution" for this in current state would be to elevate WFC right - but then we are explotaible again ...

So, is it not possible to make notifications with restricted WFC - just without possibility to add rule or so then (that could be making under elevated WFC later)?

Greetings

PS: And if the password were mandatory, wouldn't this be enough?
PPS: Or even with mandatory UAC?

 

It would increase chances of posting it, if it was not shown in small red letters in the install window, and then disappear quickly. Not asking user what to do, not giving user a button to click for reviewing installation log. So what is there to say except "some error".

 

This is not even related to Windows Firewall Control since there is no packet filtering at WFC level. You have a configuration problem with Windows Firewall on this particular machine. For your Epson WF-3825 did you install the driver and also EPSON Scan 2 software? Did they create any Windows Firewall rule?
Do you see the your PC on the Epson screen when you try to scan something back to it? What error does provide the printer to you? At this point, did you check on your PC what connections were blocked? Or vice versa, with Windows Firewall disabled, try to scan and then check the recently allowed connections. You said it works with Windows Firewall disabled. Then check what connections were allowed during the scan. There must be some sort of connections available to you to check in Connections Log. Pay attention to svchost.exe and System connections too, not just for Epson.
Did you try to contact Epson support to ask them what to allow in Windows Firewall or any firewall so that you can scan back to your PC?

 

This one goes here:

It looks like a NET Framework crash if the process closed itself. Please check for errors under Windows Logs -> Application in Event Log Viewer.

Try to repair/reinstall NET Framework on your machine.

 

The exploitable was wfcUI.exe running as a standard user account and allowing it to perform actions that normally require elevated privileges. Once you elevate it and execute it under a user account that has enough privileges to change Windows Firewall settings/rules, then it should be fine because you did this manually. It was elevated by an admin user account. I could allow notifications for standard user accounts but they would be read-only (disabled controls) since the standard user account should not alter Windows Firewall. Since the notifications tab is disabled, how would you stop these read-only notifications?

The password is easy to remove, I even added this info in the user guide, which no one reads anyway

Mandatory UAC is not something that you can impose from an external software. If it is off, it is off.

 

I think this is a good way to start troubleshooting this particular issue.

 

@alexandrud

Ok, NOW I understand it fully - that all makes all sense! Thank you for detailed explanation, I appreciate that much!

Greetings

 

@alexandrud, I understand why such changes were implemented in 6.9.9.2 but would it be possible to at least allow standard user accounts read-only access to the Connections Log? Elevation would then be required if the user wanted to change or create a rule.

I ask this because I've always run WFC with notifications disabled, opting instead to review the Connections Log for all silently blocked connections; the need to elevate at every single logon in order to merely read a log is, unfortunately, very cumbersome.

 

Standard user accounts do not have access to read Security Event log. However, I could allow Connections Log in read only mode to check connections at least. In next WFC version.

 

Well here is where it gets interesting, there's no LogAutoLoad reg key on my install, despite fresh installing 6.9.9.2 . How is this even possible. Am I missing some other keys?

No it doesn't close but hangs forever, like this:


Unfortunately adding LogAutoLoad dword 0 didn't fix the log loading issue, it still hangs forever, but now I can at least get the Connections Log window opened. Tried to uncheck and check Allowed/Blocked connections, didn't help. What next?

I'm running other .NET based softwares so highly doubt there's something wrong, this machine is pretty new and plain vanilla, didn't have time to muck it up yet NO WAIT IT WORKS, ALL IT NEEDED WAS 'Clear log'!!! W t f . . . Much thanks for telling me about the LogAutoLoad reg key, without it couldn't have fixed this.

Seems the log loading could use some error catching.

 

@kilves76

Thank you for detailed sharing with us - can always be helpful for other users!

Greetings