I use TinyWall which has a service to protect the firewall config, so any external attempt to modify the firewall will cause it to reload its configuration. This is really good protection, but the annoying part is that it kills the network connection momentarily. Something in the Windows service host (svchost.exe) tries to modify or add some firewall rule(s). I need to find out exactly which service or process is doing this. TinyWall simply reports the nondescript event: "Reloading firewall configuration because C:\Windows\System32\svchost.exe has modified it." So that's not very helpful in my case. Any ideas? (Oh and by the way, I don't allow svchost.exe in the firewall. So that's not a solution I can use unfortunately.)
Stop working with admin rights, so nothing can intrude into your ruleset and modify system files. Nothing is easier than that. Same here for Windows 10 Firewall Control: as a service it can't be stopped without admin rights, and if it is killed the network will break down.
Exactly. If something is trying to modify the rules, then the OP should use a non-administrative account and set a password for the admin account. When UAC is enabled, the program trying to modify the rules will probably be caught by UAC and its name should be displayed on the screen.
Maybe you can temporarily put it in Autolearn mode and then check which rules were added. Of course you can then delete those new rules. If more than one rule for a service was added, you will still probably get a shorter list. Then you can try disabling services one after another (if they are not system critical...) and see when this problem stops. At least I would try it this way to identify which service tries to modify rules.
This is most likely just Microsoft trying to phone home about something. I don't care what, honestly. I run my own DNS resolver, so I don't need Windows' built-in resolver, and consequently I don't need svchost.exe — or any process it hosts — in the firewall. This is Windows periodically trying to make connections to Microsoft-related IPs (almost all Microsoft domains are hardcoded into different DLLs), or something that thinks it should have access but really doesn't. Setting a password on the Administrator account, and whether UAC is enabled or not, doesn't apply here. The service host hosts so many different processes and services that it would be really hard to pinpoint what is trying to gain network access. I'm just trying to think of how I should go about catching the culprit. These are what I have to work with. I've split each service into its own process to hopefully make it an easier task (I should probably start with BITS):
BITS, BrokerInfrastructure, DcomLaunch, LSM, PlugPlay, Power, SystemEventsBroker, RpcEptMapper, RpcSs, Appinfo, gpsvc, IKEEXT, LanmanServer, ProfSvc, Schedule, SENS, Themes, UserManager, Winmgmt, Audiosrv, Dhcp, EventLog, HomeGroupProvider, lmhosts, Wcmsvc, wscsvc, FDResPub, SSDPSRV, TimeBroker, AudioEndpointBuilder, Netman, SysMain, TrkWks, wudfsvc, EventSystem, fdPHost, FontCache, netprofm, nsi, WinHttpAutoProxySvc, BFE, CoreMessagingRegistrar, MpsSvc, LanmanWorkstation, NlaSvc, StateRepository, tiledatamodelsvc
Anyway, thanks.
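One way to work through the two ideas above (diff the rule set to see what was added, and tie an svchost.exe PID back to the services it hosts once each is in its own process) is the following PowerShell, added here as an example and not code from any poster or from TinyWall. It assumes Windows 8/10 with the NetSecurity module (Get-NetFirewallRule) and an elevated session; the snapshot file paths are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows 8/10, NetSecurity module, elevated shell.

# Step 1: map each svchost.exe process to the services it hosts. With services split
# into their own processes (sc config <name> type= own), a PID seen in Process Monitor
# or the TinyWall message resolves to a single service name.
function Get-SvchostServiceMap {
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    Get-Process -Name svchost | ForEach-Object {
        $hostPid = $_.Id   # not $pid, which is PowerShell's own process id
        [pscustomobject]@{
            PID      = $hostPid
            Services = ($services | Where-Object { $_.ProcessId -eq $hostPid } |
                        Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

# Step 2: snapshot every firewall rule as "name|enabled|action|service|program" so a
# later diff shows which rule appeared and which service or binary it is scoped to.
function Save-FirewallSnapshot([string]$Path) {
    Get-NetFirewallRule | ForEach-Object {
        $svc = ($_ | Get-NetFirewallServiceFilter).Service
        $app = ($_ | Get-NetFirewallApplicationFilter).Program
        '{0}|{1}|{2}|{3}|{4}' -f $_.Name, $_.Enabled, $_.Action, $svc, $app
    } | Sort-Object | Set-Content -Path $Path
}

# Step 3: diff two snapshots. Lines only in the "after" file are rules that were
# added or changed since the baseline; lines only in "before" were removed or changed.
function Compare-FirewallSnapshot([string]$Before, [string]$After) {
    Compare-Object (Get-Content $Before) (Get-Content $After) | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'ADDED/CHANGED ' } else { 'REMOVED/CHANGED' }
        "$state $($_.InputObject)"
    }
}

# Usage (placeholder paths): take a baseline, wait for the next
# "Reloading firewall configuration" message, snapshot again, then diff.
# Save-FirewallSnapshot 'C:\fw-before.txt'
# Save-FirewallSnapshot 'C:\fw-after.txt'
# Compare-FirewallSnapshot 'C:\fw-before.txt' 'C:\fw-after.txt'
# Get-SvchostServiceMap | Format-Table -AutoSize
```

Because TinyWall reloads its own configuration as soon as it detects the change, the foreign rule may already be gone by the time the "after" snapshot runs; taking it while TinyWall is in Autolearn mode, as suggested above, keeps the added rule in place long enough to capture it.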