Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Mannillo

    Mannillo Registered Member

    Joined:
    Jun 19, 2017
    Posts:
    11
    Location:
    UK
    About the issue where the Connections Log doesn't show up in 5.4.0.0, I think this is because, due to the changes in Windows Firewall Control, at some point instead of simply updating, users have to uninstall the program and reinstall from scratch. When running the executable, users then get the three options at the bottom of the window: "create shortcut and desktop icons", I can't remember what the second one is, but the last one is "stop logging windows connections". So anyway you tick or untick as you wish, but the problem with 5.4.0.0 is, MILLISECONDS before the program installs, you see that window for just a moment and everything is still ticked... so regardless of what you want to do, installation of 5.4.0.0 chooses to stop logging windows connections, then once it's installed you can no longer view the connections log, and can't get it back either for some reason. I rolled back to 5.3.1.0 which still has the connections log, so until an update comes out that solves that problem I'll stick with this, as I don't think my security is compromised too much by using an earlier version.
     
  2. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Guys,

    just a heads up.

    I was using an older version of WFC (I believe 5.1.1.0) and I got updated to Windows 10 1809 (from 1803) yesterday.

    Everything (after the upgrade) worked perfectly, but the only thing missing were my Firewall Rules, the rules that were there (after the update) were ONLY the MS Standard rules.

    I stupidly didn't make a backup of the OLD firewall rules before the upgrade (MY BAD)

    So before the upgrade or just as a precaution make a backup of your firewall rules often ;)

    Ps: Does anyone know how to get the (old) rules back? I still have the Windows.old directory. I looked in the USER NTUSER.DAT / Windows SYSTEM REG Hive but couldn't find them. Any idea where else to look??
     
    Last edited: Dec 12, 2018
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Firewall rules: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
    We work only with the Windows.old folder:
    The registry is in the folder C:\windows\system32\config
    HKEY_LOCAL_MACHINE\SYSTEM = %SystemRoot%\System32\Config\System
    First, copy C:\Windows\System32\config\SYSTEM (the file named SYSTEM) to another place.
    Then open this file in the registry editor and export the desired hive.
    Try a google search for "extract registry hive from windows.old" for detailed info.
    Or, if you have a system image of v1803, create a system image of v1809, restore the v1803 image, extract the hive, restore the v1809 image.
     
    Last edited: Dec 13, 2018
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Strange. This update did not overwrite my firewall rules. Instead of spending time on recovering them, I suggest you start over from scratch. This way you will have a cleaner set of rules.
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Or, if you have a system image of v1803, mount it and copy C:\Windows\System32\config\SYSTEM (the file named SYSTEM) to another place, then extract the hive.
    5 minutes for everything, it's easy.
     
  6. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    ^ that is a good idea ! I have it. Image done (yesterday morning) with Macrium Reflect.

    Thanks for this, will try it and report back !!

    Edit 1: In the System Hive from the Image there is only ControlSet001 and ControlSet002. No CurrentControlSet.

    But it looks like that ControlSet001 has the rules I "lost".

    Shall I rename (in the exported .REG file) ControlSet001 to CurrentControlSet or leave it be ??
     
    Last edited: Dec 13, 2018
  7. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    No idea why it did that. Anyway, NO issue with WFC, but an issue with ME not making a backup of the rules (which I should have done) ;)

    Edit: @alexandrud maybe an idea to make an automatic backup function in WFC. (Just a suggestion of course)
     
    Last edited: Dec 13, 2018
  8. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Leave it, ControlSet001. Compare the name in the real registry.
    Before manipulating, make a backup copy of the real v1809 hive.
     
  9. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    ^ Will do and do you one better, I will make another Image ;) !

    Thx again, really appreciated.
     
  10. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    With Windows Task Scheduler and a .bat file, perform an automatic export (backup) of that registry hive; it also adds a date stamp to the file name.
    [Screenshot: ScreenShot_238.png]
    Right name CurrentControlSet
     
  11. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    ^ hahahahaha (Good One)

    Good enough for the Techies, but not everyone who uses WFC is able to do that ;)
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    It is really easy to create a backup of your firewall rules. You have to execute the following command in an elevated process: netsh.exe advfirewall export "mybackup.wfw"
    You can easily create a scheduled task to execute this command for you. Anyway, I don't think anyone creates tens of firewall rules each day. Just make a manual backup once a month (week) and that should be enough.
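The scheduled, date-stamped backup that post 10 sketches with a .bat file and post 12 describes with netsh, written out as a PowerShell script. This is an added example, not code from the thread or from Windows Firewall Control; the backup folder, task name and retention period are assumptions you would adapt.

```powershell
# Added example, not from the thread: daily, date-stamped backup of the firewall
# policy using the netsh command from post 12, registered as a scheduled task as
# post 10 suggests. Backup folder, task name and retention are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir = 'D:\Backup\Firewall',
    [int]$KeepDays = 90,
    [switch]$Install          # -Install registers the task; without it, one backup runs now
)
$ErrorActionPreference = 'Stop'
$taskName = 'WindowsFirewallRuleBackup'
$rulesKey = 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function Backup-FirewallPolicy {
    param([string]$Dir, [int]$Keep)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'     # the date stamp post 10 mentions

    # Whole policy (rules plus profile settings) in the .wfw format netsh can import back.
    $wfw = Join-Path $Dir "FirewallPolicy_$stamp.wfw"
    netsh.exe advfirewall export "$wfw" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $wfw)) {
        throw "netsh advfirewall export failed (exit code $LASTEXITCODE)"
    }

    # Also a plain-text .reg copy of just the rules key (post 3): readable and diffable.
    $reg = Join-Path $Dir "FirewallRules_$stamp.reg"
    reg.exe export $rulesKey "$reg" /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit code $LASTEXITCODE)" }

    # Prune copies older than the retention window.
    $cutoff = (Get-Date).AddDays(-$Keep)
    Get-ChildItem -Path $Dir -File |
        Where-Object { $_.Extension -in '.wfw', '.reg' -and $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
    Write-Host "Backed up to $wfw and $reg"
}

if ($Install) {
    # Run this same script daily as SYSTEM, elevated, so netsh can read the policy.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -BackupDir `"$BackupDir`" -KeepDays $KeepDays"
    $trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Host "Registered task '$taskName' (daily at 03:00, runs as SYSTEM)."
} else {
    Backup-FirewallPolicy -Dir $BackupDir -Keep $KeepDays
}
```

Run it once with `-Install` from an elevated prompt to create the task, then check the folder the next morning. Keep in mind that `netsh advfirewall import` replaces the whole current policy with the file's contents, so a .wfw is a restore point rather than something to merge; the .reg copy is what you would use to bring back individual rules.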
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Again, off topic, but related... Yesterday I announced my new website biniware.com on this topic. I asked for advice from the administrators of this great forum and they agreed to create a dedicated section for all Biniware products.
    The topic for Biniware Run software can be found here.

    "I, the developer of Windows Firewall Control, created a new web site named biniware.com where I will publish new tools that I will develop.
    Currently I have one new tool called Biniware Run. I also have in mind a new security tool that will get published in 2019 on the new website. I can't give more details about it, but it definitely will be very useful.

    P.S.: I still work at Malwarebytes, I still support Windows Firewall Control."
     
  14. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Alexandrud

    Tried your backup of FireWall Rules netsh.exe advfirewall export "mybackup.wfw" . Problem is I cannot find the created file.
    Can you advise where I can find it?

    Thank you

    Terry
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    It is probably in C:\Windows\System32 where the netsh.exe is located. Change the path to your desired location: netsh.exe advfirewall export "D:\Backup\FirewallRules_December_13.wfw". You get the idea.
     
  16. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Alexandrud

    Thanks. Found it!

    Terry
     
  17. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Got my old rules back thanks to @aldist

    What I did was (Quoted Text by @aldist)

    and extracted the keys from

    (Made a New system Image just in case ;))

    Then I imported the Regfile; at first the rules did not show in WFC, but they showed in the Registry, so I rebooted and my rules were there!! Yeah ....

    This whole exercise could have been prevented if I had backed up my old rules (MY BAD I KNOW)

    @alexandrud thx for the NETSH cmd line
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Instead of a reboot, it is enough to restart the Windows Firewall service. It will read the rules again on start-up.
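The recovery that posts 3, 6 and 8 describe by hand (mount the old SYSTEM hive, export the FirewallRules key from ControlSet001, back up the live hive first, import) and post 18's service restart, as one script. This is an added example, not the thread's or the project's own code; the Windows.old path, the temporary hive name, the work folder and the file names are assumptions.

```powershell
# Added example, not from the thread: recover Windows Firewall rules from the SYSTEM
# hive left in Windows.old after an upgrade (posts 3, 6 and 8) and import them into
# the live system, finishing with a firewall service restart instead of a reboot
# (post 18). Paths, the temporary hive name and file names are assumptions.
#Requires -RunAsAdministrator
param(
    # Offline SYSTEM hive; this is where the upgrade leaves the old one.
    [string]$OfflineHive = 'C:\Windows.old\Windows\System32\config\SYSTEM',
    # Offline hives contain ControlSet00N only, never the CurrentControlSet alias (post 6).
    [string]$OfflineControlSet = 'ControlSet001',
    [string]$WorkDir = 'C:\FirewallRecovery',
    [switch]$Import            # without -Import the script only exports and rewrites the .reg
)
$ErrorActionPreference = 'Stop'
$mountName   = 'OldSystem'   # temporary key name under HKLM for the offline hive
$ruleSubPath = 'Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function Invoke-Reg {
    # reg.exe is a native command, so its exit code has to be checked explicitly.
    param([string[]]$RegArgs)
    & reg.exe @RegArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($RegArgs -join ' ') failed with code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

# 1. Back up the live rules before touching anything (post 8).
Invoke-Reg @('export', "HKLM\SYSTEM\CurrentControlSet\$ruleSubPath", (Join-Path $WorkDir "FirewallRules_live_$stamp.reg"), '/y')

# 2. Mount the offline hive, export only the FirewallRules key, unmount.
$oldExport = Join-Path $WorkDir "FirewallRules_old_$stamp.reg"
Invoke-Reg @('load', "HKLM\$mountName", $OfflineHive)
try {
    Invoke-Reg @('export', "HKLM\$mountName\$OfflineControlSet\$ruleSubPath", $oldExport, '/y')
} finally {
    [GC]::Collect()                      # drop lingering handles so the unload succeeds
    Invoke-Reg @('unload', "HKLM\$mountName")
}

# 3. The export names keys under the temporary mount point. Rewrite the key headers so
#    the values land in the live rules key; CurrentControlSet is the alias the running
#    system resolves to its active ControlSet00N.
$fixed   = Join-Path $WorkDir "FirewallRules_old_fixed_$stamp.reg"
$pattern = [regex]::Escape("HKEY_LOCAL_MACHINE\$mountName\$OfflineControlSet")
(Get-Content -Path $oldExport) -replace $pattern, 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet' |
    Set-Content -Path $fixed -Encoding Unicode    # .reg files are UTF-16LE
$ruleCount = @(Select-String -Path $fixed -Pattern '^"').Count   # one value line per rule
Write-Host "Rewrote $ruleCount rule entries into $fixed"

if ($Import) {
    # 4. Import merges by value name: old rules are added, same-named ones overwritten,
    #    current rules with other names are kept.
    Invoke-Reg @('import', $fixed)
    # 5. MpsSvc (the firewall service) re-reads the key when it starts (post 18).
    try {
        Restart-Service -Name MpsSvc -Force
        Write-Host 'Imported; firewall service restarted. Check the rule list in WFC.'
    } catch {
        Write-Warning "Imported, but the firewall service could not be restarted ($_). Reboot to load the rules."
    }
}
```

Run it first without `-Import` and read the rewritten .reg file: every `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\...]` header should be followed by the rule values you expect. Only then run it again with `-Import`. Rules that point at program paths that no longer exist after the upgrade are imported all the same, so prune those in WFC afterwards.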
     
  19. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Congratulations! Super! :thumb:
     
  20. keeka

    keeka Registered Member

    Joined:
    Dec 13, 2018
    Posts:
    3
    Location:
    UK
    I'm a new user to WFC. @alexandrud thanks for building a well thought out and robust tool, and for maintaining it. I'd been using a windows 7 setup just for CAD, that was not connected to the WAN so had not bothered with a firewall. Now, my first time with Windows 10 and I was dismayed by how busy the networking has become. I have a couple of questions I'd be grateful if someone can answer.

    I notice the existing MS and also the WFC recommended rules for svchost.exe all reference a service. This presumably narrows their scope, so you aren't opening up the firewall to any service connecting via svchost. Post-install, many of the notifications I'm seeing are for svchost.exe. The notifications tell me the PID. How do I find the associated service (short name)? I then plan to narrow the scope of any allow rule to the relevant service.

    Also, I'd like to export the WFC connection log or better still, link to it via API if it exists so that I can analyze the logs. What's the best way to do that?

    Many thanks.
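One way to answer the PID-to-service question above, as an added example that is not part of the thread or of WFC: the service control manager records which services run inside each svchost.exe process, so a single CIM query maps the PID from a notification to the service short names, and the NetSecurity module shows which existing rules are already scoped to those services. The PID is an assumed input.

```powershell
# Added example, not from the thread: map the PID shown in a WFC notification for
# svchost.exe to the service(s) hosted in that process, and list any firewall rules
# already scoped to those services. The PID is the assumed input.
param([Parameter(Mandatory)][int]$ProcessId)

function Get-HostedService {
    # Win32_Service carries ProcessId, so one query yields every service in the host process.
    # Equivalent at a plain prompt: tasklist /svc /fi "PID eq <pid>"
    param([int]$ProcId)
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcId" |
        Select-Object Name, DisplayName, State, PathName
}

function Get-RuleForService {
    # Rules narrowed with the Service field are reached through their service filter objects.
    param([string]$ServiceName)
    Get-NetFirewallServiceFilter |
        Where-Object { $_.Service -eq $ServiceName } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled, Profile
}

$services = @(Get-HostedService -ProcId $ProcessId)
if ($services.Count -eq 0) {
    # Short-lived service hosts exit before you get to look; query at notification time.
    Write-Warning "No service found for PID $ProcessId (process gone, or not a service host)."
    return
}
foreach ($svc in $services) {
    '{0,-20} {1,-45} {2}' -f $svc.Name, $svc.DisplayName, $svc.State
    $rules = @(Get-RuleForService -ServiceName $svc.Name)
    if ($rules.Count -gt 0) {
        $rules | Format-Table -AutoSize | Out-String | Write-Host
    } else {
        "  (no firewall rule is scoped to service '$($svc.Name)')"
    }
}
```

The `Name` column is the short name that goes into a rule's Service field. On Windows 10 most services get their own svchost.exe process, so the PID usually maps to exactly one service; where several share a process, the PID alone cannot say which of them opened the connection.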
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Thank you for your good thoughts. I recommend you take a look at the user manual; it will answer a lot of questions. Just press F1 in any WFC window to open an old school user manual in CHM format.

    Check this topic in the user manual: User interface > Main Panel > Rules > Windows Firewall Control recommended rules

    Regarding svchost.exe, my recommendation is to not bother with it. If you are on Windows 10 and want everything smooth, svchost.exe should be allowed to connect to 80,443 anytime. svchost.exe is a legitimate process and is used by all Microsoft Windows services. If you don't want to allow a specific service, you had better disable that service instead of creating rules for each service.

    If you are concerned about privacy, go back to Windows 7 or even better, Linux.

    Connections Log entries are read from the Security event log of the system. You can export them through Event Viewer (but not in the same user friendly way). In Connections Log, if you select all entries and use the right click context menu you can copy all details in plain text and paste them in any text editor.
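Since the Connections Log is built from Security event log entries, they can be pulled and exported directly for analysis, which answers the export/API question in post 20. The following is an added example, not WFC's code: it reads the Windows Filtering Platform connection events (ID 5156 for permitted, 5157 for blocked connections, both from the "Filtering Platform Connection" audit subcategory), flattens them into rows and writes a CSV. The output path and time window are assumptions.

```powershell
# Added example, not from the thread: export the Security-log events the Connections
# Log is built from (post 21) to CSV. Event IDs 5156 (permitted) and 5157 (blocked)
# exist only while "Filtering Platform Connection" auditing is enabled. Output path
# and time window are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$OutFile = "$env:USERPROFILE\Desktop\connections_$(Get-Date -Format yyyyMMdd).csv",
    [int]$Hours = 24,
    [switch]$BlockedOnly
)

# Windows stores the Direction field as resource-string placeholders.
$dirNames   = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protoNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP' }

function Convert-WfpEvent {
    # Each <Data Name="..."> element of the event XML becomes a field of the row.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $proto = [int]$d.Protocol
    $result = 'Permitted'
    if ($Event.Id -eq 5157) { $result = 'Blocked' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Result      = $result
        Direction   = $dirNames[$d.Direction]
        ProcessId   = $d.ProcessID
        Application = $d.Application     # NT device path, e.g. \device\harddiskvolumeN\...
        Protocol    = if ($protoNames.ContainsKey($proto)) { $protoNames[$proto] } else { $proto }
        Source      = "$($d.SourceAddress):$($d.SourcePort)"
        Destination = "$($d.DestAddress):$($d.DestPort)"
        FilterId    = $d.FilterRTID      # the WFP filter that matched, i.e. which rule decided
    }
}

$ids    = if ($BlockedOnly) { 5157 } else { 5156, 5157 }
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No WFP connection events found. Check the audit setting with: auditpol /get /subcategory:"Filtering Platform Connection"'
    return
}
$rows = $events | ForEach-Object { Convert-WfpEvent -Event $_ }
$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($rows.Count) rows to $OutFile"

# Quick triage: which programs were blocked outbound most often in the window.
$rows | Where-Object { $_.Result -eq 'Blocked' -and $_.Direction -eq 'Outbound' } |
    Group-Object Application | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

The Application field is an NT device path rather than a drive letter, so group or filter on it as-is; the FilterId ties a line back to the WFP filter, which is useful when a block is unexpected and you want to know which rule (or the default outbound block of Medium Filtering) produced it.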
     
  22. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi

    When I set to Medium Filtering, Windscribe VPN and ProtonVPN cannot connect to the net, i.e. they time out

    However, when I set to Low Filtering both the VPNs can connect to the net

    Any reason? How can I set to Medium Filtering and still connect to the net?

    Thanks
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,440
    Location:
    Romania
    Medium Filtering
    Outbound connections that do not match a rule are blocked.
    Only the programs that have an allow rule can initiate outbound connections.
    When this profile is enabled the outbound filtering from Windows Firewall is enabled.
    When this profile is enabled the user must define an allow rule for each program that he wants to allow to connect to the Internet.
     
  24. keeka

    keeka Registered Member

    Joined:
    Dec 13, 2018
    Posts:
    3
    Location:
    UK
    Many thanks for your help. When I installed WFC, I kept the default/existing rules created by Windows 10 (fresh install), and I loaded the recommended WFC rules. I deleted the svchost.exe//outbound/tcp/80,443 rule then attempted to selectively allow services. After posting, I used Process Hacker to identify the services associated with each PID notified by a WFC outbound alert. It did get a bit tedious! I have gone with your recommendation and re-enabled the suggested rule.
    I do use Linux for pretty much everything other than CAD & 3D printing. However, whilst I am booted in to windows for that, it's convenient to run a few networked applications. I have also used windows guests under KVM and briefly tried VFIO passthrough, but couldn't get it working quite how I'd like with VM restarts. I will be revisiting that some time.
    So for time being I need to boot windows and best I bite the bullet and get used to windows 10. I accept the privacy trade-off (I think!) but want to lock down application firewall as best I can.
    Presumably non-microsoft services/processes are able to make network connections via an svchost process. If so, that's a concern.
    I guess svchost is something like inetd but somewhat less transparent.
    I have now followed your suggestion here.
    Thanks again for the tool and your support. Much appreciated.
     
  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    High Security mode, only for James Bond and his fans :thumb:
    Windows Updates - only manual or off-line.
    Only one allowed rule for svchost:
    allow DHCP - UDP out source port 68 dest. port 67
    Additionally, for each application that needs internet (Browser, e-mailer...):
    allow DNS - UDP Out dest. port 53 (can specify dest. IP 8.8.8.8 and 8.8.4.4)
    allow TCP Out port 80, 443...
    And do not forget to turn off the DnsCache service!
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache
    set parameter Start to 4 and reboot machine.
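The rule sets described in posts 23 and 25, written as an added PowerShell example (not the thread's or WFC's own code) with the NetSecurity cmdlets: under Medium Filtering a program that times out simply lacks an allow rule, so the VPN client gets one (the path is a placeholder); the "high security" set restricts svchost.exe to the DHCP client service and port pair, and gives each application its own DNS and web rules. Rule names and program paths are assumptions, and the DNS Client change from the post is opt-in.

```powershell
# Added example, not from the thread: create the rules discussed in posts 23 and 25.
# Rule names and program paths are assumptions; the VPN and application paths are
# placeholders to replace. Disabling the DNS Client service (post 25) is opt-in.
#Requires -RunAsAdministrator
param([switch]$DisableDnsCache)
$ErrorActionPreference = 'Stop'
$svchost = "$env:SystemRoot\System32\svchost.exe"

function New-AllowOutRule {
    # Outbound allow rule, created only if no rule with that display name exists yet.
    param([string]$Name, [string]$Program, [hashtable]$Extra = @{})
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow -Program $Program @Extra | Out-Null
    Write-Host "created: $Name"
}

# Post 23: in Medium Filtering every program needs an allow rule, so give the VPN client one.
$vpnClient = 'C:\Program Files\ExampleVPN\vpnclient.exe'     # placeholder path
if (Test-Path $vpnClient) {
    New-AllowOutRule -Name 'Allow ExampleVPN client (out)' -Program $vpnClient
}

# Post 25, the "high security" set:
# 1. svchost.exe only for DHCP, scoped to the Dhcp service and the DHCP port pair.
New-AllowOutRule -Name 'Allow svchost DHCP client (out)' -Program $svchost -Extra @{
    Service = 'Dhcp'; Protocol = 'UDP'; LocalPort = 68; RemotePort = 67
}

# 2. Per application: DNS to the resolvers named in the post, then TCP 80/443.
$apps = @{
    'Firefox' = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder paths
}
$resolvers = '8.8.8.8', '8.8.4.4'
foreach ($app in $apps.GetEnumerator()) {
    if (-not (Test-Path $app.Value)) { Write-Warning "skipping $($app.Key): $($app.Value) not found"; continue }
    New-AllowOutRule -Name "Allow $($app.Key) DNS (out)" -Program $app.Value -Extra @{
        Protocol = 'UDP'; RemotePort = 53; RemoteAddress = $resolvers
    }
    New-AllowOutRule -Name "Allow $($app.Key) web (out)" -Program $app.Value -Extra @{
        Protocol = 'TCP'; RemotePort = 80, 443
    }
}

# 3. Post 25 disables the DNS Client service so each program resolves names itself;
#    with it running, lookups go through svchost and the per-app port-53 rules never match.
#    Start=4 is SERVICE_DISABLED; CurrentControlSet is the alias of the post's ControlSet001.
if ($DisableDnsCache) {
    try {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache' -Name Start -Value 4
        Write-Host 'Dnscache set to disabled; reboot for it to take effect.'
    } catch {
        Write-Warning "Could not change Dnscache start type: $_"
    }
}
```

Check the result with `Get-NetFirewallRule -DisplayName 'Allow svchost*' | Get-NetFirewallServiceFilter`, which should show `Dhcp` as the service. Without the DNS Client change, the per-application port-53 rules are not enough, because the cache service does the lookups inside svchost.exe; that is the trade-off post 25 accepts.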
     