How can I know what's trying to modify the firewall?

Discussion in 'other firewalls' started by luxi, Dec 25, 2015.

  1. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    66
    I use TinyWall which has a service to protect the firewall config, so any external attempt to modify the firewall will cause it to reload its configuration. This is really good protection, but the annoying part is that it kills the network connection momentarily.

    Something in the Windows service host (svchost.exe) tries to modify or add some firewall rule(s). I need to find out exactly which service or process is doing this.

    TinyWall simply reports the nondescript event: "Reloading firewall configuration because C:\Windows\System32\svchost.exe has modified it." So that's not very helpful in my case.

    Any ideas?

    (Oh and by the way, I don't allow svchost.exe in the firewall. So that's not a solution I can use unfortunately.)
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Stop working with admin rights, so nothing can intrude into your ruleset and modify system files. Nothing easier than that.

    Same here for Windows 10 Firewall Control - as a service it can't be stopped without admin rights. And if killed, the network will break down.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,983
    Location:
    Brasil
    Exactly. If something is trying to modify the rules, then OP should use a non-Administrative account and set a password for the admin account. When UAC is enabled, the program trying to modify the rules will probably be caught by UAC and its name should be displayed on the screen.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    Maybe you can temporarily put it in Autolearn mode and then check out which rules were added. Of course you can then delete those new rules. If more than one rule for a service was added, you will still probably get a shorter list. Then you can try disabling services one after another (if they are not system critical...) and see when this problem stops. At least I would try it this way to identify which service tries to modify rules.
     
  5. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    66
    This is most likely just Microsoft trying to phone home about something. I don't care what honestly.

    I run my own DNS resolver, so I don't need Windows' built-in resolver, and consequently I don't need svchost.exe — or any process it hosts — in the firewall. This is Windows periodically trying to make connections to Microsoft-related IPs (almost all Microsoft domains are hardcoded into different DLLs), or something that thinks it should have access but really doesn't. Setting a password on the Administrator account, and whether UAC is enabled or not, doesn't apply here.

    The service host hosts so many different processes and services that it would be really hard to pinpoint what is trying to gain network access. I'm just trying to think of how I should go about catching the culprit.

    These are what I have to work with. I've split each service into its own process to hopefully make it an easier task (I should probably start with BITS):

    BITS
    BrokerInfrastructure
    DcomLaunch
    LSM
    PlugPlay
    Power
    SystemEventsBroker
    RpcEptMapper
    RpcSs
    Appinfo
    gpsvc
    IKEEXT
    LanmanServer
    ProfSvc
    Schedule
    SENS
    Themes
    UserManager
    Winmgmt
    Audiosrv
    Dhcp
    EventLog
    HomeGroupProvider
    lmhosts
    Wcmsvc
    wscsvc
    FDResPub
    SSDPSRV
    TimeBroker
    AudioEndpointBuilder
    Netman
    SysMain
    TrkWks
    wudfsvc
    EventSystem
    fdPHost
    FontCache
    netprofm
    nsi
    WinHttpAutoProxySvc
    BFE
    CoreMessagingRegistrar
    MpsSvc
    LanmanWorkstation
    NlaSvc
    StateRepository
    tiledatamodelsvc

    Anyway, thanks.
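One defender-side way to answer the thread's question without disabling services one by one is to let Windows itself record every firewall rule change and then read back which service or program each changed rule is scoped to. The script below is an added example, not code from TinyWall or from anyone in this thread; it assumes Windows 8/10 or later, an elevated PowerShell session, and that the "MPSSVC Rule-Level Policy Change" audit subcategory has been enabled beforehand (the auditpol command is shown in the comment). The function name Get-FirewallRuleChangeSource is the author's own.

```powershell
# Added example: attribute Windows Firewall rule changes to a service by
# correlating Security-log audit events with the rule's own filters.
# Enable the audit source first (elevated prompt):
#   auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
function Get-FirewallRuleChangeSource {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # Security event IDs: 4946 = rule added, 4947 = rule modified, 4948 = rule deleted
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4946, 4947, 4948
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The event text carries "Rule ID:" and "Rule Name:" lines; parse those
        # rather than relying on the positional Properties array.
        $ruleId   = if ($e.Message -match 'Rule ID:\s*(\S+)')  { $Matches[1] } else { $null }
        $ruleName = if ($e.Message -match 'Rule Name:\s*(.+)') { $Matches[1].Trim() } else { $null }

        $service = $null
        $program = $null
        if ($e.Id -ne 4948 -and $ruleId) {
            # The audit Rule ID is the rule's Name (instance ID). For rules that still
            # exist, read which service and which executable the rule is bound to.
            $rule = Get-NetFirewallRule -Name $ruleId -ErrorAction SilentlyContinue
            if ($rule) {
                $service = ($rule | Get-NetFirewallServiceFilter).Service
                $program = ($rule | Get-NetFirewallApplicationFilter).Program
            }
        }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Action   = switch ($e.Id) { 4946 { 'Added' } 4947 { 'Modified' } 4948 { 'Deleted' } }
            RuleName = $ruleName
            RuleId   = $ruleId
            Service  = $service   # e.g. a short service name, or 'Any' if unscoped
            Program  = $program   # e.g. a path under System32, or 'Any' if unscoped
        }
    }
}

# Usage: newest changes first; a Service value that is not 'Any' names the culprit directly.
Get-FirewallRuleChangeSource | Sort-Object Time -Descending | Format-Table -AutoSize
```

A rule whose Service and Program both read 'Any' gives no attribution by itself; there the rule name is the remaining clue, and `tasklist /svc` maps a short service name to the svchost.exe PID hosting it.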
     