Windows Firewall Control 4

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    349
    Haven't seen it but I'd check the path (version numbers) first to see if it is the same for you then try these commands (both). Technically 'replacing the .NET runtimes' should have done this already but .NET can be finicky [in my experience].
    %WINDIR% likely equals C:\Windows
    Code:
    %WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen.exe update
    %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update
    
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,299
    Location:
    Romania
    Hi all. If you remember, back in 2012, due to the fact that many users use standard user accounts for security purposes, in Windows Firewall Control version 3.3.0.0 I have split the logic between a GUI part which is wfc.exe and a Windows service which is wfcs.exe. Before this version, Windows Firewall Control was only a single wfc.exe file which required elevated privileges in order to be able to do something.

    This implementation with two components has the following benefits:
    - No more UAC prompt when starting WFC because the tray icon application does not require administrative privileges. All tasks are done by the Windows service under LocalSystem account.
    - The startup entry for WFC is clearly visible in MSCONFIG since the program is started through an entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in Windows Registry.
    - Secure Rules feature starts to do its job earlier at boot time, since the logic is integrated in the service, while the GUI tray application startup may be delayed several seconds.

    But it also has some drawbacks because the WFC Windows service runs under the LocalSystem account:
    - Import and export of policy files located on network paths don't work correctly because the LocalSystem account is not aware of network shares, credentials, etc. Impersonating another user which would require WFC to ask for network username/password is not an option here.
    - In Windows 10, the rules names, description and group names for Windows Store apps are not retrieved correctly (for example @{Microsoft.SkypeApp_11.8.190.0_x64__kzf8qxf38zg5c?ms-resource://Microsoft.SkypeApp/Resources/SkypeVideo_ProductName} instead of Skype Preview). These are displayed correctly if the user manually launches WF.msc, but not in the WFC Rules Panel or in WFwAS launched from WFC. These strings are user related and are not resolved properly for the LocalSystem account.
    - Because WFC has a Windows service it is not portable anymore.
    - Often, antivirus programs block the execution of WFC service and the users see the following system tray icon:

    [attached screenshot: the system tray icon shown when the service is not running]

    This happens because WFC service is blocked from being executed correctly, it fails to initialize properly and WFC tray application can't connect to the service.

    Maybe there are more benefits and drawbacks, but I pointed out only the most important of them here.

    Now, the BIG QUESTION: What do you think about the following changes?

    1. Let's remove the Windows service and make WFC one single exe again. This will solve all the drawbacks explained above. This will make WFC portable again.
    2. To make WFC fully portable, the WFC event log (available in Event Viewer) will be removed and the logging will be made in a text file in the WFC folder or in a subfolder of ProgramData folder since this folder has less privileges restrictions.
    3. The installer can be removed. Instead, on the first run, WFC may display a wizard asking the user to save the current rules, create program shortcuts, etc.
    4. The CHM help file can be converted to HTML and published online. This could be done anyway to reduce the size of WFC installer.

    Drawbacks:
    A) Launching wfc.exe will always require elevated privileges and the UAC prompt will be displayed when WFC will be launched.
    B) To be able to autostart WFC at Windows logon, a scheduled task must be used to avoid the UAC prompt. Scheduled tasks are not so evident when it comes to startup items.
    C) Because WFC will not appear in Programs and Features anymore, if WFC is locked with a password and WFC is not running anymore (folder removed), then Windows Firewall CPL and WFwAS access will be blocked. Currently, if WFC is locked with a password, the uninstall is prohibited to avoid such scenarios.

    Maybe there are other benefits and other drawbacks here too.

    Please share your opinions and suggestions about these changes. As you can see, each implementation has benefits and drawbacks.
    Thank you.
     
    Last edited: Apr 18, 2017
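The two autostart mechanisms compared in the post above (an entry under HKLM\...\Run versus a logon-triggered scheduled task that runs with highest privileges) can be enumerated side by side. The following PowerShell is an added example and is not WFC's own code; the task name WFC-Autostart and the path C:\Tools\WFC\wfc.exe are assumptions used only for illustration. The audit part runs unelevated; registering the task needs an elevated shell.

```powershell
# Added example (not WFC's own code): list Run-key startup entries next to scheduled tasks
# that start at logon with RunLevel Highest, i.e. the UAC-free autostart from drawback B
# that MSCONFIG does not show. Task name and exe path below are assumptions.

function Get-RunKeyStartupItems {
    # Run keys are what MSCONFIG / Task Manager > Startup show.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
            [pscustomobject]@{ Source = 'RunKey'; Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ElevatedLogonTasks {
    # Tasks triggered at logon with RunLevel Highest: an elevated autostart with no UAC prompt,
    # invisible in the Run keys. Requires the ScheduledTasks module (Windows 8 / 2012 and later).
    foreach ($task in Get-ScheduledTask) {
        if ($task.Principal.RunLevel -ne 'Highest') { continue }
        $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { continue }
        $action = $task.Actions | Select-Object -First 1
        [pscustomobject]@{
            Source   = 'ScheduledTask'
            Location = $task.TaskPath
            Name     = $task.TaskName
            Command  = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
        }
    }
}

function New-ElevatedLogonTask {
    # The workaround from drawback B: run a single exe elevated at logon without a prompt.
    # Must be called from an elevated shell. Use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TaskName = 'WFC-Autostart',        # assumption
        [string]$ExePath  = 'C:\Tools\WFC\wfc.exe'  # assumption
    )
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Not found: $ExePath" }
    $user      = "$env:USERDOMAIN\$env:USERNAME"
    $action    = New-ScheduledTaskAction -Execute $ExePath -WorkingDirectory (Split-Path $ExePath)
    $trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
    # Zero time limit: otherwise the scheduler kills a long-running tray app after the default 3 days.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit ([TimeSpan]::Zero)
    if ($PSCmdlet.ShouldProcess($TaskName, 'Register logon task with RunLevel Highest')) {
        Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings | Out-Null
    }
}

# Audit: everything that starts at logon from both sources, in one table.
@(Get-RunKeyStartupItems) + @(Get-ElevatedLogonTasks) | Format-Table Source, Name, Command -AutoSize
```

The audit is the part worth keeping around: a task with RunLevel Highest and a logon trigger is functionally a startup item that skips UAC, so any review of "what runs at logon" should cover both lists, not just the Run keys.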
  3. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    13
    I am strongly in favor of the current setup.

    I would assume both of these might still be an issue with the single executable, as WFC won't be run under the user's account if the user has a standard account. As an aside that has nothing to do with WFC, it is extremely difficult to edit parts of the registry for this same reason.

    I fail to see why this is a drawback, speaking as a person who has no programs on my machine that need an installer besides the firewall.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,327
    Location:
    USA
    The only issue I occasionally have with WFC is the service not starting as you mentioned. I haven't been able to isolate the cause, but when it occurs I just open the Services UI and start it; end of problem. Making WFC a single executable combined with a scheduled task to bypass UAC would also be fine. For my purposes that would work equally well, so I guess I can't help you decide ;)
     
  5. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    33
    Location:
    Canada
    I like how things are now as is, these changes seem annoying to me, for example removing the CHM help file to an online HTML version, not very smart here since this is a firewall and people could lock themselves out of a connection or just have no access to the Internet at the moment. I do think there should be an online version though on your website.
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,285
    Location:
    Mexico
    To get the benefits of both worlds, is it too much to ask for both implementations to be available, so users can pick the one of their liking?
     
  7. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    210
    I would prefer going on with the current implementation.
    For years WFC has been running flawlessly on my system(s) - and I have never experienced any of those drawbacks related to the current setup.
    The current implementation is easy and transparent.
    Although I highly prefer portable software over non-portable I cannot see an advantage for WFC being portable.
    Also: software that needs a scheduled task to be started or logs into the ProgramData folder is in fact not portable by definition:
    https://portableapps.com/about/what_is_a_portable_app

    @alexandrud Thanks for sharing your thoughts anyway :thumb:
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    835
    Location:
    UK
    I wouldn't use the version proposed and would stick to the last "original" WFC release.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,299
    Location:
    Romania
    A standard user account would have to elevate WFC and run it as an administrator account. If he doesn't have access to administrator account credentials, then WFC will be useless.
    It happens on my computer randomly with SQL Server service. The logs are clean but the service would not automatically start at random times. Never found the reason, not even after enabling enhanced logging and tracing. It just happens.
    As a side note to this. If WFC service is not started, if you choose to execute the WFC desktop shortcut with Run as administrator, this will first attempt to start the service. It is easier this way to start the service instead of running services.msc and manually start the service.
    Good observation. I missed this scenario, which happens very often because I receive many support emails with the subject "Can't browse the Internet after installing your firewall" :)
    I thought about this too, but it would require extra work and development time. I will analyze this option.
    WFC can't be fully portable since all Windows Firewall settings are saved in Windows Registry. :)

    Thank you for your feedback. I really appreciate that you took your time to analyze my post and the possible implications.
     
  10. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,285
    Location:
    Mexico
    Thanks for considering it. I assumed correctly you'd thought about maintaining both too, however if you consider this will exceed your resources of any kind and you can only develop one or the other, I'd say leave it as gui + service (current development).
     
  11. Andrew1a

    Andrew1a Registered Member

    Joined:
    Apr 6, 2017
    Posts:
    3
    Location:
    Earth
    Alexandrud,

    Thank you for answering my previous question.

    New Question:

    I accidentally blocked my internet connection but don't know what process or service it was. How can I discover which service is being blocked and is cutting my internet connection?
     
  12. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    13
    I just meant that WFC is run in a different environment than the actual user of the computer and so if Windows 10 program names or network paths are user dependent, they may still be incorrect.
     
  13. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    410
    Location:
    Switzerland
    1) I CLEARLY prefer the current solution with the service! I would not like to have a Scheduled Task to start WFC with admin rights - and this would be necessary if I understand this correctly (even for the notification system).

    2) To make WFC portable again is not important (for me and I assume for 90% of users also not).

    3) I would also not like to make TWO versions. Too difficult to handle for you, Alexandru - and for "supporters" here.

    Overall: the current drawbacks are not really a reason to make a such big change with bigger disadvantages.

    So, especially if I am right with point 1), I clearly vote for no change!

    Alpengreis
    Maintainer of WFC DE translation file
     
  14. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    13
    Slightly off topic:
    At least according to PortableApps.com. As far as (paranoid) security issues, this is probably a reasonable definition, although I don't think many people actually use personal programs on computers where they are scared of leaving any tracks whatsoever. If you're on that kind of computer, you should be throwing that thumb drive away after using it rather than keeping personal data on it.

    I think a much weaker definition is much more useful as far as usability is concerned. I consider a "program" a set of files you can put anywhere on your computer, and be able to run the executable. So for example itunes, chrome, MS word are not programs(at least the last time I tried using them). WFC could be portable in this sense. As an aside, having only programs of this type makes setting up a new computer easy, all the programs live on a drive different than C: and they all just work without being "installed."
     
  15. WarGames

    WarGames Registered Member

    Joined:
    Mar 13, 2017
    Posts:
    8
    Location:
    UK
    There is an old saying:
    if it ain't broke don't fix it.
    So I prefer the current implementation.

    I can't think why anyone would want it portable.
    I have only had the service not start twice and it was very easy to start.

    You have an excellent application and would just prefer any updates to just improve current setup.

    The only other thing is the help file.
    Perhaps you could make it pdf?
    Everyone has a pdf reader and it should be easy to incorporate into the setup.
     
  16. blackwind

    blackwind Registered Member

    Joined:
    Apr 18, 2017
    Posts:
    2
    Location:
    Canada
    I strongly prefer the current setup, particularly given that most of the listed drawbacks can be worked around:
    This is problematic -- I've been bitten by the issue myself -- but could be worked around by utilizing %TEMP%. If the user requests an import from or an export to a network path:
    • Copy the file to %TEMP% via the user WFC process, import, delete file in %TEMP%.
    • Export to %TEMP%, move to the location the user requested via the user WFC process.
    This is problematic, but assuming you're using "netsh advfirewall" to retrieve this data, get operations can be done unelevated from the user WFC process. WFwAS could also be launched via the user WFC process at the cost of a UAC dialog.
    Like the others here, I don't see this as a relevant use case.
    Victek notes that this can be solved by simply starting the service manually, so when this occurs, I suggest making the user WFC process auto-launch "net start _wfcs" elevated. Users will get a UAC dialog, but at least the program will work without further user intervention. The first time (and only the first time) you need to use "net start _wfcs", pop up a dialog suggesting the user add WFCS to his antivirus exclusions to prevent further UAC dialogs.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,299
    Location:
    Romania
    Check the screenshot from my post below:
    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-85#post-2563841
    Some svchost.exe and System connections must be allowed to be able to browse the Internet. Make sure you don't create some block rules that will match these, otherwise you will block your Internet access.
    Recently I had a support case where the installer won't run at all. As a result I have created two batch files:

    install.cmd - which registers the service, starts the service, starts wfc.exe in system tray.
    uninstall.cmd - which unregisters the service, then kills wfcs.exe and wfc.exe processes.

    Then we can place these batch files along wfcs.exe and wfc.exe into any folder, including on a USB stick. When we want to run WFC without installing it we just execute install.cmd from an elevated command prompt and WFC works without installation. When we finish what we have to do, we just call uninstall.cmd. Note that this will still save WFC settings in Windows Registry and WFC logging will not be available.

    Anyone interested in this solution, it can be checked here:
    https://www.binisoft.org/download/beta/wfc4961.zip

    Even if this solution works, I would not recommend it to be used. But this was an exercise.
    Not a good idea. With the chm file which works by default on any Windows version, I can navigate directly to a specific topic. For example, depending on which tab you have active in Main Panel, if you press F1, the user manual will open to that specific topic. With PDF files, I can't do this.
    I thought about this. Or, the user could save the file locally and then manually move it to a network location. :)
    Nope, WFC uses Windows Firewall API for this, not netsh. An unelevated process does not have access to this info.
    wfc.exe already automatically starts the service if it is launched with elevated privileges.
     
  18. blackwind

    blackwind Registered Member

    Joined:
    Apr 18, 2017
    Posts:
    2
    Location:
    Canada
    +1. 99% of users have a PDF reader, but 100% have a CHM reader.
    But you can also launch elevated processes from an unelevated process with ShellExecute's "runas" verb. Normally, wfc.exe won't be running elevated, so the current behavior doesn't help in that circumstance.
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,299
    Location:
    Romania
    You can launch another process. This is the same process, this would mean to close it and restart it again, accept the UAC prompt, and then have it elevated.
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,299
    Location:
    Romania
    Windows Firewall Control uses its own mechanism that saves the coordinates of a window when it is closed. These coordinates are restored when the window is reopened. Because the saved coordinates contain absolute values, there are scenarios when these coordinates can't be restored. The default size and position is restored when:

    - the window is closed and at least one pixel of it was outside of the screen
    - the screen resolution is changed
    - a different DPI scaling is used
    - the window is closed when a secondary monitor is used and the monitor is removed
     
  21. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    33
    Location:
    Canada
    I saw that in the CHM file, I'm not sure what to say, on the first day I used your firewall, I was able to get both the rule and connection window to save properly on my second monitor, but after that, something happened and they will always default to my primary one no matter how I have them setup when closed. I've just given up and learned to live with this. I can say for certain that all 4 of those points are checked off as being not the issue.
     
  22. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    410
    Location:
    Switzerland
    Unfortunately that is not really the case. I have a 2nd monitor and if I enlarge the (rule manager) window over a certain size on the 2nd monitor WITHOUT any pixel on the first monitor - even clearly under the full size, the window is reset the next time. That was ALWAYS the case here and is reproducible.

    My resolution on both monitors is 2 x 1920 x 1080p.
     
  23. Kob

    Kob Registered Member

    Joined:
    Dec 13, 2011
    Posts:
    31
    I would like to keep the current design as is. Specifically, looking at the current design's drawbacks list above:

    - Inaccessibility of policy files on network shares: does this touch a common scenario among WFC users?
    I'd have thought that this might be only relevant to corporate setups, but then at Corporate they have scripts that pull all kinds of files from a central share after boot - can't a WFC policy file (with "ALLOW" access in WFW) be pulled into the local system just the same?

    Also, from a security POV of SOHO or home setup, I like the idea that rogue network shares can not influence my local WFC policies.

    - Incorrectly retrieves WIN10 Store Apps: can this be solved by a helper function, with different credentials (IMHO a UAC dialog here is quite OK), that will build the appropriate Rules Names/Description/Group Names and pass them on to WFC for inclusion?

    - Portability: discussed in other comments above. My personal opinion is that I don't need portability. WFC is a system utility, not an application that I repeatedly move from machine to machine. Also, I normally like portable programs in order to avoid contamination of the registry / dropping endless files in various places. This is not the case with WFC.

    - Antivirus program interference: can't WFC be whitelisted in the AV program once by the user and by that avoid future interference?

    Also, regarding the expected development effort - unless there are many support requests or complaints that the new proposal will resolve, why to engage in a non-trivial re-design effort which does not bring major features to the table?
    In addition, there is a high probability that a major design change will bring with it instability and support requests for a few weeks/months after introduction due to some unforeseen ill effects. Are the expected benefits from the new design worth it?
     
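The Store-app rule names from the developer's drawback list, and the helper-in-user-context idea just above, both come down to one call: Windows resolves the "@{PackageFullName?ms-resource://...}" form through shlwapi's SHLoadIndirectString, which only succeeds for an account that has the package registered. The PowerShell below is an added example, not WFC's code; it shows the resolution and the fallback when it fails. The Skype string is the one quoted in the thread; the second input is constructed.

```powershell
# Added example (not WFC's own code): resolve the indirect ms-resource strings carried by
# Store-app firewall rules via shlwapi!SHLoadIndirectString. Succeeds for the interactive user
# who owns the package; under LocalSystem the call fails and the raw string is what you see.

Add-Type -Namespace Win32 -Name Shlwapi -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(string pszSource, System.Text.StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
'@

function Resolve-IndirectString {
    param([string]$Source)
    # Plain text (or empty DisplayGroup): nothing to resolve.
    if ([string]::IsNullOrEmpty($Source) -or $Source -notlike '@{*') { return $Source }
    $buf = New-Object System.Text.StringBuilder 1024
    $hr  = [Win32.Shlwapi]::SHLoadIndirectString($Source, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0 -and $buf.Length -gt 0) { return $buf.ToString() }
    # Package not registered for this account (typical for LocalSystem): fall back to the
    # package full name, which is at least readable, and mark it so the caller can tell.
    $pkg = ($Source -replace '^@\{', '') -replace '\?.*$', ''
    return "[unresolved] $pkg"
}

function Resolve-StoreAppRuleNames {
    # Resolve DisplayName/DisplayGroup of every Store-app rule; run as the interactive user.
    foreach ($rule in Get-NetFirewallRule | Where-Object { $_.DisplayName -like '@{*' }) {
        [pscustomobject]@{
            Raw      = $rule.DisplayName
            Resolved = Resolve-IndirectString $rule.DisplayName
            Group    = Resolve-IndirectString $rule.DisplayGroup
        }
    }
}

# Constructed input: the Skype string quoted in the thread plus an ordinary rule name.
$inputs = @(
    '@{Microsoft.SkypeApp_11.8.190.0_x64__kzf8qxf38zg5c?ms-resource://Microsoft.SkypeApp/Resources/SkypeVideo_ProductName}',
    'Core Networking - DNS (UDP-Out)'
)
$inputs | ForEach-Object { '{0}  ->  {1}' -f $_, (Resolve-IndirectString $_) }
# Live rules: Resolve-StoreAppRuleNames | Format-Table -AutoSize
```

Running the same function from a SYSTEM shell (for example via PsExec -s) reproduces the failure case: the HRESULT is non-zero and the "[unresolved]" fallback is returned, which is exactly the string-resolution gap a LocalSystem service hits.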
  24. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    173
    Location:
    united kingdom
    Is there a known problem with importing rules on Windows 10 CU?

    I tried to import rules from a previous export and I ended up losing all my custom rules. WFC did not display any message to say whether the import was successful or not.

    I tried the import from the command line, using the Netsh advfirewall import command, and Windows reported the file was not a valid policy file.
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,299
    Location:
    Romania
    What extension has the file that you want to import? *.WFW or *.WPW? WFW is a Microsoft format. Importing this format from an older Windows version to a newer version of Windows is supported. WPW extension is an XML format (you can open it in Notepad to take a look) and is used by WFC to export and reimport specific firewall rules. On import, WFC reads the rules properties from the file and creates the rules one by one.
    1. Are you able to create a new rule from WFC? The same code used to create a new rule is also used when importing a WPW file.
    2. Have you checked the WFC log to see if there is an exception during the import ?
    3. Make sure that your antivirus (including Windows Defender) does not block WFC from creating new firewall rules.

    I also use Windows 10 Creators Update on one of my machines and WFC works correctly. The problem must be something on your side.
     