another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. Crular

    Crular Registered Member

    Joined:
    Sep 28, 2007
    Posts:
    14
    I was curious and had a look in my event log too. The following warning comes up very often (760 times in 2 hours, no other event is logged at all).

    ParseMessage failed !
    Die Beschreibung für Ereignis-ID 5157 in Quelle Microsoft-Windows-Security-Auditing wurde nicht gefunden. Der lokale Computer hat möglicherweise nicht die notwendigen Registrierungsinformationen oder Meldungs-DLL-Dateien, um die Meldung anzuzeigen, oder Sie sind nicht berechtigt, darauf zuzugreifen. Die folgenden Informationen sind Teil des Ereignisses:'564', '\device\harddiskvolume2\windows\system32\svchost.exe', '%%14592', '169.254.255.255', '137', '169.254.56.17', '137', '0', '146720', '%%14610', '44', 'S-1-0-0', 'S-1-0-0'

    I am using Windows 7 Ultimate x64 in German, so I try to translate the above to English:

    ParseMessage failed ! (this one was easy :D)
    The description for event-id 5157 in the source Microsoft-Windows-Security-Auditing wasn't found. The local computer possibly doesn't have the necessary registry information or notification-dll-files to show the event, or you don't have the credentials to access them. The following information is part of the event:'564', yadda-yadda, rest is the same in English :D

    I am going out on a limb here, but I guess this event isn't normal, is it? And neither is the fact that no other event is logged at all?
     
  2. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    I notice the same on my system.

    No crashes so far.

    I'm going to check the WFC-section of the Event Viewer later when I'm at home...
     
  3. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Same issues reported by Crular and Broadway:

    ~ "it takes quite a long time for the "manage rules" window to open". It occurs when it is first opened (same when opening WFC in the systray); afterwards there is no problem.

    ~ Event Viewer: similar "ParseMessage failed !" events.
     
  4. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    So I found similar "ParseMessage failed" events in the log, too.
    But "only" 62 of them, starting from May 30th.
     
  5. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    ... but the Java-issue does not produce an entry in the WFC-log, as I found out.
     
  6. markd89

    markd89 Registered Member

    Joined:
    Jan 1, 2007
    Posts:
    10
    There's a second related issue here.

    For the time being, I clicked the default Allow this Program for svchost.exe

    However, I have since got subsequent prompts exactly the same as in the image I posted. I can click Allow this program again and it will add a duplicate rule. The issue is that it's not seeing the first rule which was set to allow.

    Mark
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    "Manage Rules" should normally load in 1-3 seconds. 15 seconds is way too much. What is your system configuration?

    If the program crashes at loading Manage Rules it means that the communication with the Windows service is lost. Normally, the application would not start if the service is not available. Did you close the wfcs.exe process?

    The error logging is enabled by default, you don't have to activate it.

    This error is from previous versions of WFC. Starting with version 3.3.0.4, that method disappeared. If you encounter this error, you must use a previous version. Please update to the latest version available from: http://binisoft.org/wfc.php

    It is normal because the notification that you receive has invalid data. This is the reason why, even if you choose to create a rule, it will not be created because it does not contain all the needed data.

    Please go to Event Viewer. In the "Applications and services logs" category you will find a subcategory named "WFC". Please check if there are any errors logged for WFC. If so, please choose "Save All Events As..." to export a file with those events. Please send this file to: support@binisoft.org with a short description.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    For all of you, if Manage Rules is loading very slowly, if you have the chance, please install WFC on another system than the one where you have this problem to see if the problem persists. Unfortunately, I can't reproduce this behaviour, and I tested WFC on 5 different system configurations.

    Also make sure that you use the latest version which is always the most updated and includes all the fixes.

    Thank you for your support and your patience. I will fix all the problems as soon as possible.
     
  9. Crular

    Crular Registered Member

    Joined:
    Sep 28, 2007
    Posts:
    14
    What exactly do you mean by system configuration? I am running under Windows 7 x64, newest version of your software.
    No, I never close that process.
    Yes, you are right, that error was from some days ago, when I was still running 3.3.0.3. But the above mentioned issues are while running the newest version.
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    1. So, you do have version 3.3.0.4 and sometimes the loading time for Manage Rules is very long. And sometimes, it just fails to load and wfc.exe just closes itself. Is this your scenario?
    2. Does this happen all the time or just randomly?
    3. Did you encounter this problem also with previous versions of WFC, or just with the latest version?
    4. Do the notifications for outgoing blocked connections work as expected?

    Please go to Event Viewer. In the "Applications and services logs" category you will find a subcategory named "WFC". Please choose to "Save All Events As..." to export a file with those events. Please send this file to: support@binisoft.org
     
  11. Crular

    Crular Registered Member

    Joined:
    Sep 28, 2007
    Posts:
    14
    1. Yes, that's right. Just when I type this reply I tried to open Manage Rules again and the client crashed again. I started it again and then I could open Manage Rules without problems.
    2. No, doesn't happen all the time. Usually after the program has run a longer time. Maybe it is connected to hibernating. I am running it on my laptop. Will test this.
    3. Well, every version took quite some time to open Manage Rules from time to time. When the program has been just started it is quick (1-3 seconds), but when it ran for quite a while it gets slower. As above mentioned, maybe when coming out of hibernation, have to watch that.
    4. Do you mean entries in the event log or being notified by wfc.exe about programs being blocked? If the latter's the case, no, as mentioned a few posts before I also had - and still would have, if I hadn't manually added a rule for it - the java problem, mentioned by broadway.

    I sent you the event log, but the only repeating entry in it is the one about ParseMessage failed. No other entry in there.
     
  12. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I have noticed the slow rule view loading on my system with latest WFC version, using W7X64, but only occasionally. Nothing in the event viewer when this happens. I'm all up to date on .net & system patches. It is like WFC is waiting on some resource to become free. Never had a crash, the rules always come up eventually.

    I have seen, very infrequently, repeated requests for an identical svchost connection, notably 224.0.0.252 when I deny it. I do have the "Enable notifications for system applications" checked. Using my VPN seems to trigger a lot of duplicate requests for some reason.

    Don't have Java installed so I can't relate to this reported problem. I am quite happy with your progress with WFC, the new interface is very good IMO and I am sure that you will track down any remaining problems.
     
  13. city_zen

    city_zen Registered Member

    Joined:
    May 7, 2009
    Posts:
    8
    I've just noticed a problem with WFC apparently not blocking a program's attempt to establish an Internet connection. The program is The KMPlayer (http://www.kmplayer.com/forums/index.php), which has an "update check on program start" setting and also a manual update check feature. Neither of those update check attempts triggered a popup on wfc and apparently the connection to the Internet was established without me being able to authorize it or not. This is a fresh install of The KMPlayer and no rules had been established for that program.
    I'm running the latest version of KMPlayer (3.2.0.19) and the latest wfc (3.3.0.4). I've already checked and "Learning mode" is enabled on wfc, and it's running with "Medium filtering". Any ideas why this connection is not detected?
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    The log contains 760 events that are from version 3.3.0.3 and refer to inbound connections. There is no error for processing of the outbound blocked connections.

    I have found a memory leak in Manage Rules which prevents the GarbageCollector from releasing the object from memory. I have fixed it. Now every class of the program gets released from memory when it is not in use anymore. This will reduce the memory consumption of WFC because now the objects are released properly. A new beta version will be out very soon.

    When this notification appears, what firewall rule do you create?

    This notification I receive instantly when I press on "Check for updates" from KMPlayer context menu. It does work here. For other programs, do notifications work as expected? Do you have this problem only with KMPlayer?

    km.jpg
     
  15. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Here is the rule, note that this rule request only repeats when I Deny the rule, if allowed all is fine:



    sshot-3.png sshot-4.png
     
  16. city_zen

    city_zen Registered Member

    Joined:
    May 7, 2009
    Posts:
    8
    I do exactly the same but I don't get the notification. I just checked a couple of other programs and they seem to work, meaning I do get the notifications if there are no rules set up for them and I want to start a connection.
    I've also rebooted my PC to see if it was a temporary glitch, but nothing changed regarding the KMPlayer update connection.
    No idea what may be happening.
    I'm running Windows 7 Professional 64-bit (Spanish)
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    Prerequisites: Medium Filtering is used, Learning Mode is enabled, there is no rule for KMPlayer.exe.

    What you can try is to:
    1. Run KMPlayer and manually try to check for updates.
    2. If no notification appears, go to Event Viewer and under Windows Logs category you will see a subcategory named Security. See if there appeared an event with ID 5157 for KMPlayer.exe. If the answer is yes, Learning Mode should have notified you. If the event 5157 is not triggered, it means that Learning Mode did not receive any new event.

    Please check this scenario.
     
  18. city_zen

    city_zen Registered Member

    Joined:
    May 7, 2009
    Posts:
    8
    OK, that's how I have my setup

    I've just finished this test and I didn't find any events 5157 for KMPlayer.exe in the Event Viewer. There are a number of Events 5157 for svchost.exe but none for KMPlayer.exe
    What does it mean? That KMPlayer.exe didn't actually try to connect to the Internet and that's why I didn't receive a notification?
    Anyway, it looks like WFC is working OK and the problem is on the KMPlayer side, right?
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    The slow loading of Manage Rules is related to the system, which provides the firewall rules with a delay. It should not block the main UI because it is done on a different thread. I will do some more tests to find the problem.

    Also, the Hibernation or the Sleep Mode does not affect the communication between "wfc.exe" and "wfcs.exe".

    I have found the problem and I have fixed it. It will be included in the next version. There was some validation problem.

    The Windows service (wfcs.exe) monitors the security event log. If a new event with the ID 5157 is triggered and the notification is possible, a new notification is sent to the GUI (wfc.exe), which shows the user a new notification window. If the event 5157 is not triggered, there is nothing to be processed.

    If the event ID 5157 is not triggered, it means:

    1. The event was not triggered because the connection was possible. This means that there is a rule which allows the program to connect. In this case, the event ID 5157 can't be triggered because the connection was permitted.

    2. The program didn't try to connect to the Internet. In this case, the event ID 5157 is not triggered because there is no request to connect. Nothing happens.

    I think the same problem is with "javaw.exe" which does not raise the event ID 5157. Because of this, no notification is possible.

    The thing that bothers me, is that on some computers, these programs (javaw.exe, kmplayer.exe) raise the event ID 5157 and on some computers, they don't. This makes no sense. Meanwhile, any other programs raise this event, and the notifications are ok.
     
    Last edited: Jun 27, 2012
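
    The check described in this post, and the raw values quoted in the first post, as an added example (not part of the thread and not WFC's own code). It reads event 5157 records in Event Viewer's XML form, for instance as exported with `wevtutil qe Security /q:"*[System[(EventID=5157)]]" /f:xml /e:Events`, decodes the `%%` placeholders that were left unresolved in the quoted message, and lists blocked outbound attempts for one executable. The sample records are constructed, and `updater.exe` with its addresses is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Order of the values in a raw 5157 record, matching the list quoted in the thread.
FIELDS = ["ProcessID", "Application", "Direction", "SourceAddress", "SourcePort",
          "DestAddress", "DestPort", "Protocol", "FilterRTID", "LayerName",
          "LayerRTID", "RemoteUserID", "RemoteMachineID"]
# Message-table placeholders that stay unresolved when the text cannot be rendered.
CODES = {"%%14592": "Inbound", "%%14593": "Outbound",
         "%%14610": "Receive/Accept", "%%14611": "Connect"}

def _event_xml(values):
    """Build one constructed 5157 record in Event Viewer's XML shape."""
    data = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in zip(FIELDS, values))
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5157</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample: the first record reuses the values quoted in the first post,
# the second is an invented outbound block for a hypothetical updater.exe.
SAMPLE = "<Events>" + _event_xml(
    ["564", r"\device\harddiskvolume2\windows\system32\svchost.exe", "%%14592",
     "169.254.255.255", "137", "169.254.56.17", "137", "0", "146720", "%%14610",
     "44", "S-1-0-0", "S-1-0-0"]) + _event_xml(
    ["4120", r"\device\harddiskvolume2\tools\updater.exe", "%%14593",
     "192.0.2.10", "49731", "198.51.100.7", "443", "6", "146733", "%%14611",
     "48", "S-1-0-0", "S-1-0-0"]) + "</Events>"

def parse_5157(xml_text):
    """Return one dict per event 5157, with the %% codes decoded."""
    out = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5157":
            continue
        rec = {d.get("Name"): (d.text or "")
               for d in ev.iterfind("e:EventData/e:Data", NS)}
        for key in ("Direction", "LayerName"):
            rec[key] = CODES.get(rec.get(key, ""), rec.get(key, ""))
        # Compare on the file name only; the log stores an NT device path.
        rec["Image"] = rec.get("Application", "").rsplit("\\", 1)[-1].lower()
        out.append(rec)
    return out

def blocked_outbound(events, image):
    """Blocked outbound attempts by one executable (the record the check looks for)."""
    return [e for e in events
            if e["Image"] == image.lower() and e["Direction"] == "Outbound"]

if __name__ == "__main__":
    events = parse_5157(SAMPLE)
    for e in events:
        print(e["Image"], e["Direction"], e["DestAddress"], e["DestPort"])
    print("kmplayer.exe:", len(blocked_outbound(events, "kmplayer.exe")))
```

    An empty result for an executable matches the case discussed above: no event 5157 was logged for it, so there was nothing to notify about.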
  20. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    I think it is even more complicated: On my system - when there is no rule for javaw.exe - javaw.exe raises the event ID 5157 and is blocked - but without notification in WFC.

    What about the java.exe-issue I mentioned above?

    Thank you :)
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    Version 3.3.0.5 available

    What's new:
    - New: Added a new shortcut to Resource Monitor (resmon.exe) in the Shortcuts tab.
    - New: Updated the Properties view of a rule to accept also "bin" files beside "exe" files. Open Office uses "soffice.bin" to connect to internet and check for updates.
    - Fixed: Validation of the IP address was changed because in some situations it could have failed.
    - Fixed: Manage Rules is loading slow and freezes the main GUI. The loading is done now in a background thread. (Crular)
    - Fixed: Manage Rules crashes randomly when it is loading. (Crular)
    - Fixed: On notification window the information of the blocked connection is incomplete. (markd89)
    - Fixed: Duplicate notifications are displayed for the blocking rules, when using remote IP as blocking rule. (focus)

    Download link: http://binisoft.org/download/wfc.exe

    Just check for updates and install the new version.

    Please let me know if this version solves the problems that you have reported with the previous version. They should be fixed. :)

    More features will come in the future, it just takes time to implement them. I already have some new ideas.

    Thank you for your support and your patience.
    Alexandru


    resmon.png
     
  22. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
  23. Bionic71

    Bionic71 Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    20
    3.3.0.5 (win x64)
    find invalid rules -> delete -> refresh -> rules window became empty?
    I had to restart wfc to get rules re-listed
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,436
    Location:
    Romania
    As you can see, it does not happen here. The notification is instant for java.exe. I will install a German version of Windows 7 and I will test it more to find the problem.

    Untitled.jpg

    The rules are refreshed from the Windows service. Even if they disappear, they will reload in a second or two again, depending on your system configuration. Did this happen only one time, or do you encounter this behaviour every time you delete multiple rules? Closing and opening again the Manage Rules window should be enough to make the application reload the rules.
     
  25. Bionic71

    Bionic71 Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    20
    3.3.0.5 (win x64)
    Rules do not reappear after a while .. I've had to restart wfc to get rules relisted, closing and opening manage rules did not relist rules.
    It happened every time for an invalid entry that I wish to delete. (delete/refresh=window became blank)
     