Windows Firewall Control (WFC) by BiniSoft.org

What I described in this earlier post keeps happening fairly often now (once every couple of weeks).

WFC main settings cannot be changed. Don't know what triggers it and I have to resort to the Windows Repair solution which fixes it.

 

Somethin like dr web firewall pop-up...
https://imgur.com/a/7ProDXE

 

WFC version? Secure Rules on/off? Secure Profile on/off? CPU usage for wfc.exe and wfcs.exe when this happens? When this happens, was the computer powered on without a restart for a long period of time? Doesn't a Windows restart help with this?

Is this a response to someone or a suggestion sent in the outer space?

 

WFC 6.9.2.0, Secure Rules + Secure Profile = ON. I'll monitor CPU usage next time and let you know. I shut down the PC every day so it's never really a long period. I do 'Sleep' it sometimes (always within the same day) so I'll monitor that, too. Simple Windows restart does not help.

I was wondering about that, too.

 

WFC 6.9.2.0, Secure Rules + Secure Profile = ON - it seems that the bug, which allows automatically created windows firewall rules still exist despite of those settings. For example, I install Driver Easy, it auto-creates rules and downloads updates just fine. When I open WFC, I can see that the rule was auto-added, after 5 secs WFC refreshes and removes it along with others, then I get a popup asking to allow Driver Easy. So any app with admin rights renders WFC "useless".

 

I wonder if some permissions are not overwritten by the OS after certain Windows updates. When this happens again (locked profile) try to uncheck Secure Profile and see if you are able to switch the profile after. If it works, then just re-enable Secure Profile. I will try to reproduce this on my side, but without being able to reproduce it, I can't tell for sure what is going on.

 

WFC can't prevent creation of firewall rules because even Windows Firewall itself would not deny this action for programs that have administrative privileges. Instead, WFC is subscribed to system Event ID number 4946 which is triggered when a new firewall rule is added. WFC gets the details of the rule that was added and checks if this rule was created in one of the authorized group names (if Secure Rules is enabled) and deletes/disables it if it is not in the list. This happens in under a second.

There is also a timer that runs every 10 seconds which removes unwanted rules and/or expired temporary rules. From your description, it seems that the Driver Easy rule which is created by its installer, is deleted by WFC in this scenario but not on the first scenario (immediately when the rules is created, event 4946) like it should. When you enable Secure Rules, it enables the auditing of MPSSVC Rule-Level Policy Change so that Event ID 4946 will be logged in the Security Event log. Please run the command below and see if the status of this subcategory is set to Success. Also check if you had these events in Security Event log.



I really don't understand your remark So any app with admin rights renders WFC "useless". If one feature does not work as intended on one machine, it doesn't mean WFC is useless.

 

alexandrud... thank you very much for all the work you put into WFC. Have been using it for years and absolutely love it. It is the very first piece of software I install after a new Windows build.
But I wasn't aware of the 'Secure Profile' option until I read your explanation in the post above. All rules I use have been created via WFC and I will use the 'Disable' option rather than 'Delete'. So I don't expect any drastic changes. Will backup existing rules prior too. The 'Secure Profile' option looks like a really good idea and will add to my security confidence.

My question...
When I sort the Rules page on the 'Enabled' column, all those that are disabled can be seen with a 'No' setting. After I turn on 'Secure Profile', is there any way of distinguishing the rules that have been disabled by that action vs those that were already disabled?

 

The names of disabled rules will be prefixed with "U -" and the Group column will be empty.

 

KB5025305 Windows 11 Insider Release Preview Build 22621.1631 (22H2) has added this option. The first noticeable Windows firewall update since forever.

 

@TairikuOkami

Thanks for sharing. Really interesting!

 

hi
but i have noticed the older version start always under w7 and w8
but v6 on 10 boots or most of cold boot it doesn't show the icon in system tray and seems the service does not want to start , and i have noticed on many laptop with w7 64bit
is there a hope in the future?
under w10 /11 work great at every boot
thanks

 

User Guide Troubleshootings page 43-47. wfc.exe, wfcs.exe to antivirus exceptions, Delayed Start wfcs.exe etc.

 

hi
i have done all the tips included in the forum

 

Sorry I do not have any Windows 7 hardware anymore. Just virtual machines with Windows 7 where I can't reproduce this problem. If this does not help:


then check the WFC event log and also the Application event log. Check if there is any error entry related to wfcs. Also, make sure wfc.exe is not executed with elevated privileges:



When the service does not start, if you manually want to start it, what happens? Does it work or not?
One thing that you may try is to set the service startup to Manual, disable auto start-up for wfc.exe from the user interface and create a scheduled task that starts both after a specific event, for example "at log on" and delay the task "30 seconds":



This should help with startup problems since you delay it until the boot sequence finishes and the NET Framework is already loaded.

 

@alexandrud

nothing , the icon doesn't show , even the wfc.exe is running in the task manager

i have to disable the autorun in

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and create a scheduler?
but wfc.exe is always running even the icon is not shown
thanks

 

Yes, because at the time wfc.exe is trying to start, the system tray area is not yet ready and wfc.exe runs as a process but is not registered by the OS in the system tray area. You need to add a delayed startup. Task Scheduler can help to achieve that delay. I just tried this approach on my machine and I confirm it works. I set the service startup to Manual and unchecked "Start automatically at user logon" in Options tab. I created one scheduled task to start "%ProgramFiles%\WFC\wfc.exe" and a second scheduled task that is starting "%windir%\System32\sc.exe" start wfcs. This second task was set to "Run with highest privileges" so that it can start a Windows service. Restarted the computer and after 30 seconds both started as expected. Try this and let me know if this improves the situation.

 

Hi @alexandrud
I have tried on several w7 laptop and the schedule and the delay do work
I have create a task with a delay only for WFC.exe
but if the wfc service and wfc.exe don't work , does the windows firewall block according the rules?
I mean if i have blocked a program , and wfc and wfc.exe don't work/load correctly ,does the firewall block the program
i
thanks

 

The rules will work, because Windows Brandmauer provides protection and the WFC is only a handy tool to manage Windows Brandmauer.
Temporarily set Delayed Start to 5 minutes, this is enough time for you to check.
If you enable the Secure Boot option in the WFC, all network connections will be blocked after the computer boots (black WFC tray icon) until you switch profiles (green tray icon).

 

Regarding this KB5025305 that mentions:

• New! This update changes firewall settings. You can now configure application group rules.

I want to ask you guys what should Secure Rules do if a new rule is added from wf.msc/netsh.exe directly with a group name? Currently, these sources can't set the group name. You can do this only from WFC currently.

I have here in mind this scenario: some software adds a new rule directly in "Windows Firewall Control" which is by default an authorized group name. Secure Rules will keep this rule. This is in theory since no software will add itself to a group named "Windows Firewall Control", but you can create a script which may execute:

netsh.exe advfirewall firewall add rule name="Allow rogue" dir=out program="C:\ProgramData\rogue.exe" action=allow group="Windows Firewall Control"

The red part is not yet supported but I expect this to be possible like this soon when this functionality will go mainstream. So:

1. Do nothing, this is a non issue.
2. If the rule is not created within WFC and has a group name set, automatically unset the group name and let Secure Rules process it like a rule without a group name. With this approach, Secure Rules may disable/delete legitimate rules created by the user himself (if the rules are created from outside of WFC). This is what I am trying to avoid.

What do you think?

 

Bad option.

The right decision.

 

Also, prevent any use of forced netsh/shutdown command, somethin like:
shutdown /force
netsh interface portproxy add

 

@alexandrud

Would be not good IMHO.

I think, this would be right way.

Greetings

 

@aldist
hi
thanks!

@alexandrud
Hi
do you think that can I use nircmd.exe to run "%ProgramFiles%\WFC\wfc.exe" with a delay instead of task manager ?
because the task manager keep running for all time?
nircmd -> https://nircmd.nirsoft.net/exec.html with cmdwait 30000 -> should be 30 seconds
it could be used in the registry run
thanks
https://i.imgur.com/rE5UUxA.png

 

Hello guys. I'm having a headache with WFC (but it's a problem on how modern apps are developed...).
Modern apps usually follow the following strategy when installing a new version of the app: they create another folder with the version number of the software package.
This invalidate all the previous rules I given to WFC; I keep it at "medium filtering" (so no app besides from the one I choose can connect to the internet)
But when a new version of the app is downloaded older rules becomes invalid, at the software doesn't have access anymore to the network.

An example is here:

https://www.flickr.com/photos/189079799@N02/shares/WQ5kfG0R4E

Here for example MS Edge View 2 and googledrive fs have been granted access; but after the next update they won't have access anymore. I need to manually grant concession at every update (sometimes they can be very frequent, for ms edge view 2 for example).

How can I overcome this? There is a way to authorize all the .exe in a folder? It would be a dream (but I guess impossible, since it's based on how Windows Firewall works)

If anyone has an idea please tell me..