Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Thanks! I didn't realise that the notifications had their own exclusions. Either way, do you know what "Internet" means in the context of the attached screenshot? I'm guessing it means anything outside of the local subnet but I may be wrong.
     


  2. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    I use COMODO's Firewall, and I don't use Windows' own; I have that one disabled, BUT I can still open the Windows Advanced Firewall and there are rules for all my programs that I use that Windows created automatically. I was wondering if this frontend can be used to interact with Windows Advanced Firewall, basically just using the GUI for trimming rules and such.

    Can I have WFC not start on startup, and just run it on demand to use, then close it when I'm done?
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Check this post regarding this. Apparently there is no documentation of these keywords:
    https://social.technet.microsoft.co...rnet-and-intranet-predefined-set-of-computers
    If Windows Firewall is disabled, then it doesn't matter what rules are defined in Windows Firewall since they don't apply. You can use WFC to manage Windows Firewall rules. For your scenario, removing some rules from WFwAS will have the same result. Using WFC makes more sense if you really use Windows Firewall.
     
  4. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    Another dumb question, are settings saved in the registry? I was wondering if it's a portable program.
     
  5. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    Okay so after playing with it a bit I kinda have some pet peeves with it, hoping maybe these can be added to a future release.

    1) Opening the Rules and Connection panels, the windows don't seem to save positions, like ideally I would want them to open on my second monitor not fully maximized, and centered there, but they seem to randomly be either fullscreened or not, and on a random monitor, they should open where and how I closed them last.

    2) Okay this one might seem really stupid but can these "temp allow buttons" be switched around? I've missed clicking on them a few times already, and I feel if they were on the other side it wouldn't happen.

    http://i.imgur.com/SCkTfmf.png
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Please read this post: https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-96#post-2587326
    1) Please read this post: https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-81#post-2548757
    2) Temporary buttons are placed on the right on purpose because they are not used so often. The answer is no, they will not be switched around.
     
  7. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
  8. MerlinGreen

    MerlinGreen Registered Member

    Joined:
    Apr 15, 2017
    Posts:
    1
    Location:
    USA
    I am unable to install the WFC app. I need help from anyone who has experienced the same thing and solved it or others who might know how to fix it.

    Windows 7 Pro Service Pack 1 64bit
    Dell Precision T3500 Xeon Processor

    Error: "The application was unable to start correctly (0xc000007b)..."

    This seems to be a problem with the installer and not the app, since I can't get the installer to run.

    I have tried:
    Replacing C++ Runtimes, Replacing .NET Frameworks, ChkDsk, Run as Admin, Compatibility Modes (tried them all). Nothing helps. Alexander (author) offered some of those ideas via (excellent) email support response.

    Any ideas out there? I'd love to use WFC app. Thank you.
     
  9. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Haven't seen it but I'd check the path (version numbers) first to see if it is the same for you then try these commands (both). Technically 'replacing the .NET runtimes' should have done this already but .NET can be finicky [in my experience].
    %WINDIR% likely equals C:\Windows
    Code:
    %WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen.exe update
    %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update
    
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Hi all. If you remember, back in 2012, due to the fact that many users use standard user accounts for security purposes, in Windows Firewall Control version 3.3.0.0 I have split the logic between a GUI part which is wfc.exe and a Windows service which is wfcs.exe. Before this version, Windows Firewall Control was only a single wfc.exe file which required elevated privileges in order to be able to do something.

    This implementation with two components has the following benefits:
    - No more UAC prompt when starting WFC because the tray icon application does not require administrative privileges. All tasks are done by the Windows service under LocalSystem account.
    - The startup entry for WFC is clearly visible in MSCONFIG since the program is started through an entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in Windows Registry.
    - Secure Rules feature starts to do its job earlier at boot time, since the logic is integrated in the service, while the GUI tray application startup may be delayed several seconds.

    But it also has some drawbacks because the WFC Windows service runs under the LocalSystem account:
    - Import and export of policy files located on network paths don't work correctly because the LocalSystem account is not aware of network shares, credentials, etc. Impersonating another user which would require WFC to ask for network username/password is not an option here.
    - In Windows 10, the rule names, descriptions and group names for Windows Store apps are not retrieved correctly (for example @{Microsoft.SkypeApp_11.8.190.0_x64__kzf8qxf38zg5c?ms-resource://Microsoft.SkypeApp/Resources/SkypeVideo_ProductName} instead of Skype Preview). These are displayed correctly if the user manually launches WF.msc, but not in WFC Rules Panel or in WFwAS launched from WFC. These strings are user related and are not resolved properly for the LocalSystem account.
    - Because WFC has a Windows service it is not portable anymore.
    - Often, antivirus programs block the execution of WFC service and the users see the following system tray icon:

    upload_2017-4-18_9-58-8.png

    This happens because WFC service is blocked from being executed correctly, it fails to initialize properly and WFC tray application can't connect to the service.

    Maybe there are more benefits and drawbacks, but I pointed out only the most important of them here.

    Now, the BIG QUESTION: What do you think about the following changes?

    1. Let's remove the Windows service and make WFC one single exe again. This will solve all the drawbacks explained above. This will make WFC portable again.
    2. To make WFC fully portable, the WFC event log (available in Event Viewer) will be removed and the logging will be made in a text file in the WFC folder or in a subfolder of ProgramData folder since this folder has fewer privilege restrictions.
    3. The installer can be removed. Instead, on the first run, WFC may display a wizard asking the user to save the current rules, create program shortcuts, etc.
    4. The CHM help file can be converted to HTML and published online. This could be done anyway to reduce the size of WFC installer.

    Drawbacks:
    A) Launching wfc.exe will always require elevated privileges and the UAC prompt will be displayed when WFC will be launched.
    B) To be able to autostart WFC at Windows logon, a scheduled task must be used to avoid the UAC prompt. Scheduled tasks are not so evident when it comes to startup items.
    C) Because WFC will not appear in Programs and Features anymore, if WFC is locked with a password and WFC is not running anymore (folder removed), then Windows Firewall CPL and WFwAS access will be blocked. Currently, if WFC is locked with a password, the uninstall is prohibited to avoid such scenarios.

    Maybe there are other benefits and other drawbacks here too.

    Please share your opinions and suggestions about these changes. As you can see, each implementation has benefits and drawbacks.
    Thank you.
     
    Last edited: Apr 18, 2017
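
    An added example (not part of the original post and not WFC's own code): a read-only PowerShell inventory of the two autostart mechanisms compared above, the HKLM Run key that MSCONFIG shows and logon-triggered scheduled tasks that run with highest privileges, which are the less visible option. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks cmdlets; the function names are hypothetical and the service name `_wfcs` is taken from the `net start _wfcs` command quoted later in this thread.

```powershell
# Added example: read-only inventory of logon autostart entries.
# Assumes Windows 8 / Server 2012 or later (ScheduledTasks module).
# Function names are hypothetical; run elevated to see every task.

function Get-RunKeyEntry {
    # Entries under this key are the ones MSCONFIG lists as startup items.
    $key = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Source   = 'HKLM Run key'
            Name     = $name
            RunLevel = 'Logon user token'
            Command  = $key.GetValue($name)
        }
    }
}

function Get-ElevatedLogonTask {
    # Tasks with a logon trigger and "Run with highest privileges" set:
    # the mechanism that starts an elevated program without a UAC prompt.
    foreach ($task in Get-ScheduledTask) {
        $atLogon = $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $atLogon -or $task.Principal.RunLevel -ne 'Highest') { continue }
        foreach ($action in $task.Actions) {
            # Only "start a program" actions carry a command line.
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
            [pscustomobject]@{
                Source   = 'Scheduled task'
                Name     = $task.TaskPath + $task.TaskName
                RunLevel = 'Highest'
                Command  = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            }
        }
    }
}

function Get-ServiceState {
    param([string]$Name = '_wfcs')   # service name as quoted in this thread
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status.ToString() } else { 'not installed' }
}

# Show both autostart sources side by side, then the service state.
@(Get-RunKeyEntry) + @(Get-ElevatedLogonTask) |
    Sort-Object Source, Name |
    Format-Table -AutoSize -Wrap
"Service state: $(Get-ServiceState)"
```

    Any elevated logon task whose command points into a user-writable folder deserves a closer look, since whoever can replace that file gets the task's privileges at the next logon.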
  11. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    I am strongly in favor of the current setup.

    I would assume both of these might still be an issue with the single executable, as WFC won't be run under the users account if the user has a standard account. As an aside that has nothing to do with WFC, it is extremely difficult to edit parts of the registry for this same reason.

    I fail to see why this is a drawback, speaking as a person who has no programs on my machine that need an installer besides the firewall.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    The only issue I occasionally have with WFC is the service not starting as you mentioned. I haven't been able to isolate the cause, but when it occurs I just open the Services UI and start it; end of problem. Making WFC a single executable combined with a scheduled task to bypass UAC would also be fine. For my purposes that would work equally well, so I guess I can't help you decide ;)
     
  13. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    I like how things are now as is, these changes seem annoying to me, for example removing the CHM help file to an online HTML version, not very smart here since this is a firewall and people could lock themselves out of a connection or just have no access to online at the moment. I do think there should be an online version though on your website.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    To have both implementations to have benefits from both worlds, is it too much to ask for both to be available for users to pick one of their liking?
     
  15. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    I would prefer going on with the current implementation.
    For years WFC has been running flawlessly on my system(s) - and I have never experienced any of those drawbacks related to the current setup.
    The current implementation is easy and transparent.
    Although I highly prefer portable software over non-portable I cannot see an advantage for WFC being portable.
    Also: A software that needs a scheduled task to be started or logs into the ProgramData folders in fact is not portable by definition:
    https://portableapps.com/about/what_is_a_portable_app

    @alexandrud Thanks for sharing your thoughts anyway :thumb:
     
  16. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I wouldn't use the version proposed and would stick to the last "original" WFC release.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    A standard user account would have to elevate WFC and run it as an administrator account. If he doesn't have access to an administrator account's credentials, then WFC will be useless.
    It happens on my computer randomly with SQL Server service. The logs are clean but the service would not automatically start at random times. Never found the reason, not even after enabling enhanced logging and tracing. It just happens.
    As a side note to this. If WFC service is not started, if you choose to execute the WFC desktop shortcut with Run as administrator, this will first attempt to start the service. It is easier this way to start the service instead of running services.msc and manually start the service.
    Good observation. I missed this scenario, which happens very often because I receive many support emails with the subject "Can't browse the Internet after installing your firewall" :)
    I thought about this too, but it would require extra work and development time. I will analyze this option.
    WFC can't be fully portable since all Windows Firewall settings are saved in Windows Registry. :)

    Thank you for your feedback. I really appreciate that you took your time to analyze my post and the possible implications.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks for considering it. I assumed correctly you'd thought about maintaining both too, however if you consider this will exceed your resources of any kind and you can only develop one or the other, I'd say leave it as gui + service (current development).
     
  19. Andrew1a

    Andrew1a Registered Member

    Joined:
    Apr 6, 2017
    Posts:
    3
    Location:
    Earth
    Alexandrud,

    Thank you for answering my previous question.

    New Question:

    I accidentally blocked my internet connection but don't know what process or service it was. How can I discover what service is blocking my internet connection?
     
  20. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    I just meant that WFC is run in a different environment than the actual user of the computer and so if Windows 10 program names or network paths are user dependent, they may still be incorrect.
     
  21. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    1) I CLEARLY prefer the current solution with the service! I would not like to have a Scheduled Task to start WFC with admin rights - and this would be necessary if I understand this correctly (even for the notification system).

    2) To make WFC portable again is not important (for me and I assume for 90% of users also not).

    3) I would also not like to make TWO versions. Too difficult to handle for you, Alexandru - and for "supporters" here.

    Overall: the current drawbacks are not really a reason to make such a big change with bigger disadvantages.

    So, especially if I am right with point 1), I clearly vote for no change!

    Alpengreis
    Maintainer of WFC DE translation file
     
  22. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    Slightly off topic:
    At least according to PortableApps.com. As far as (paranoid) security issues, this is probably a reasonable definition, although I don't think many people actually use personal programs on computers where they are scared of leaving any tracks whatsoever. If you're on that kind of computer, you should be throwing that thumb drive away after using it rather than keeping personal data on it.

    I think a much weaker definition is much more useful as far as usability is concerned. I consider a "program" a set of files you can put anywhere on your computer, and be able to run the executable. So for example iTunes, Chrome, MS Word are not programs (at least the last time I tried using them). WFC could be portable in this sense. As an aside, having only programs of this type makes setting up a new computer easy, all the programs live on a drive different than C: and they all just work without being "installed."
     
  23. WarGames

    WarGames Registered Member

    Joined:
    Mar 13, 2017
    Posts:
    20
    Location:
    UK
    There is an old saying:
    if it ain't broke don't fix it.
    So I prefer the current implementation.

    I can't think why anyone would want it portable.
    I have only had the service not start twice and it was very easy to start.

    You have an excellent application and would just prefer any updates to just improve current setup.

    The only other thing is the help file.
    Perhaps you could make it pdf?
    Everyone has a pdf reader and it should be easy to incorporate into the setup.
     
  24. blackwind

    blackwind Registered Member

    Joined:
    Apr 18, 2017
    Posts:
    3
    Location:
    Canada
    I strongly prefer the current setup, particularly given that most of the listed drawbacks can be worked around:
    This is problematic -- I've been bitten by the issue myself -- but could be worked around by utilizing %TEMP%. If the user requests an import from or an export to a network path:
    • Copy the file to %TEMP% via the user WFC process, import, delete file in %TEMP%.
    • Export to %TEMP%, move to the location the user requested via the user WFC process.
    This is problematic, but assuming you're using "netsh advfirewall" to retrieve this data, get operations can be done unelevated from the user WFC process. WFwAS could also be launched via the user WFC process at the cost of a UAC dialog.
    Like the others here, I don't see this as a relevant use case.
    Victek notes that this can be solved by simply starting the service manually, so when this occurs, I suggest making the user WFC process auto-launch "net start _wfcs" elevated. Users will get a UAC dialog, but at least the program will work without further user intervention. The first time (and only the first time) you need to use "net start _wfcs", pop up a dialog suggesting the user add WFCS to his antivirus exclusions to prevent further UAC dialogs.
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Check the screenshot from my post below:
    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-85#post-2563841
    Some svchost.exe and System connections must be allowed to be able to browse the Internet. Make sure you don't create some block rules that will match these, otherwise you will block your Internet access.
    Recently I had a support case where the installer won't run at all. As a result I have created two batch files:

    install.cmd - which registers the service, starts the service, starts wfc.exe in system tray.
    uninstall.cmd - which unregisters the service, then kills wfcs.exe and wfc.exe processes.

    Then we can place these batch files along wfcs.exe and wfc.exe into any folder, including on a USB stick. When we want to run WFC without installing it we just execute install.cmd from an elevated command prompt and WFC works without installation. When we finish what we have to do, we just call uninstall.cmd. Note that this will still save WFC settings in Windows Registry and WFC logging will not be available.

    Anyone interested in this solution, it can be checked here:
    https://www.binisoft.org/download/beta/wfc4961.zip

    Even if this solution works, I would not recommend it to be used. But this was an exercise.
    Not a good idea. With the chm file which works by default on any Windows version, I can navigate directly to a specific topic. For example, depending on which tab you have active in Main Panel, if you press F1, the user manual will open to that specific topic. With PDF files, I can't do this.
    I thought about this. Or, the user could save the file locally and then manually move it to a network location. :)
    Nope, WFC uses Windows Firewall API for this, not netsh. An unelevated process does not have access to this info.
    wfc.exe already automatically starts the service if it is launched with elevated privileges.
     