Windows Firewall Control (WFC) by BiniSoft.org

win 10 14393.5
wfc 4.8.3.0

it is almost every time after I restart computer, when the wfc in the taskbar but i double click the icon there is no response , and if there are new program need to connect to the Internet ,there is no notice bar to show in the right down area.

sometimes i use the process explorer to end the wfc.exe and reopen wfc , it works , and sometimes still not work..

i want to now why , this question happens very frequent in many win10 inside versions and many wfc version . while i can only remember that last year , this status never exist , but since 2016， it came up.

 

Problems with Connections Log too ...

Alexandru, you know I report a problem with empty Connections Log. I thought, this was a one time problem only but unfortunately, it's not the case.

I have now more details about this behaviour:

1) I have this problem NOT with "Inbound" Log "Recently Allowed/Blocked connections" and

2) I have this problem NOT with "Outbound" Log "Recently Allowed connections"

3) I HAVE this problem with "Outbound" Log "Recently Blocked connections"

I see the following effect:

I have only few entries (maybe 10 or so) in the log and then - even at the same day - the log is cleared! Then few entries again and log is empty again and so far ...

So for me it seems a problem with the log size (limit) through WFC.

MAYBE this could be related to my NON english localized system (you know we have other signs and so (if you have in english localized Win a "," we could have a "." or vice versa.

Can you check this please?

Regards!

Alpengreis

EDIT:

PS: The protocol size from windows (%SystemRoot%\System32\Winevt\Logs\Security.evtx) is 20480 KB by the way, maybe WFC has a problem with defined limit for outgoing blocked size-/time only or so ...

 

Please read this post:
https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-96#post-2590481

 

Please take a look at the screenshot below. My log size is 200MB, so the size is not a problem. Indeed, it took almost 4 minutes to process this log file on a i5 CPU with 8 cores. I have entries from the past 4 days, but depending on the Internet usage, all these 200MB can contains the entries only from the past few hours. For a log size of 20MB, depending on the Internet usage, the entries can be only from the past minutes.

1. When you say that Connections Log has a problem with the outbound blocked connections, check in the Security log if you have entries with Event ID 5157 and the Direction set to Outbound (%%14593). If you don't have such entries, then Connections Log has not found anything to match these. If you have such entries but Connections Log fails to read and display them, please check the WFC log for event ID 323. If no such event id is logged by WFC it means that the processing did not encounter any problem.
2. Try to disable the logging for allowed connections from Connections Log and check if the behavior changes.

 

Alex I been looking into the internal hardening firewall rules, and have discovered they can be controlled via a program API. Is it possible to add this functionality to WFC?

Some info here

http://windowsitpro.com/systems-management/understanding-windows-service-hardening
https://msdn.microsoft.com/en-us/library/aa365489.aspx
http://sourcedaddy.com/windows-7/windows-firewall-and-wsh.html

The reason I want to overide these rules is that some services on windows wont allow direct DNS queries because WSH blocks them, it seems anything running in a appcontainer (modern apps) and some services will fail to do dns lookups unless dnsclient service is enabled and these internal wsh rules are the reason.

 

I will check all the tips and report then - thank you so far!

PS: I think 20480 (20 MB) is too low (I had not checked this right). So this value is reached too quick and then the oldest entries are overwritten too fast (I have MUCH allow entries). I test now with higher value as first measure ...

EDIT: The test is sucessfull till now - it SEEMS it's solved. Thanks again, Alexandru! My main mistake was that I thought with splitted logs, especially because I have created individual logs! Of course the real security log is ONE log with one defined size! My second mistake was that I took 20480 KB for 200 MB, uhhhh, that was bad ;-) In reality I had only 20 MB which was really too low.

BTW: could you not set this value higher while install? For example with a registry check "if the value is < 204800 set it to 204800" or at least "if the value is default 20480 set it to 204800" or you could make an option in WFC to set the size? Just an idea, but could be sensfully, because 20 MB default is really not enough.

 

thanks for your reply.

my condition is in the task bar the ico is green and in the log there is no error, only three logs for last several days says"Resolving the path of the program has failed."

and in my computer environment there is no hips software to effect the wfc.exe and wfcs.exe start. only have the windows defend and even this software i have add it to the white list.

so is there any other ways to find the reason? thanks very much.

 

It is possible to add support to view and modify these rules through Windows Firewall API but I will not implement it. There is a reason why these are not easily accessible to the users and my opinion is that the users should not change the default rules that are applied to Windows services.

I will see if I can add support in Connections Log to set the log size. I do not want to increase the log size automatically at installation because this is not always required. Note that increasing the log size will also increase the waiting time when processing the Security event log.

When the Start automatically at user logon option is checked in the Options tab a new shortcut is created for wfc.exe in the following location:

C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\Windows Firewall Control.lnk

This shortcut is available to all Windows user accounts and will launch the program for all user accounts.

1. This shortcut should be executed with standard privileges and the user must never check the following check box from the Compatibility tab. If this check box is checked, it must be unchecked.



2. Try to remove this shortcut and create a scheduled task to execute the file wfc.exe. https://technet.microsoft.com/en-us/library/cc748993(v=ws.11).aspx

3. If you have installed a major update through Windows Update (e.g.: Windows 10 Build 14393.5) please uninstall and reinstall WFC.

 

Alex sorry to hear your stance in not allowing the end user to control their machine, the developer does not always know best.

I even gave you a specific reason why I want to overide the rules.

 

thanks again - changing location=All seems to end the false notifications & not just at startup

 

Here’s a compatibility issue that looked like it was involving WFC, but really wasn’t so I thought it would be good to share here in case it comes up…

I went to download EMET 5.51 today – it would not download. I eventually had a look at WFC connection log & my browsers were being blocked outbound when I clicked on the download. So I put WFC in ‘Low Filtering’ to allow all outbound traffic, but all browsers were still blocked when I clicked on the download (and still showing up in the WFC log). I had to exit WFC & stop the service to get the download to work.

But, I was replacing MBAE-free with EMET & had not uninstalled MBAE yet. Once I uninstalled MBAE I tested the download again & there were no issues – no blocked browsers. So it was just MBAE causing the problem, but it sure looked like it was WFC – all good now

 

The Security log (Connections Log) contains all connections blocked by Windows Firewall or by other security products. Since WFC does not block or allow anything, the source of blocking is always someone else, but not WFC.

 

ahh - i thought only Windows Firewall was logged

right, but why would disabling WFC clear the block - this is why i thought i might be WFC & another app having a compatibility issue. I'm still not sure why this worked since it seems like it was all caused by MBAE

 

It was just a coincidence. The block was not made by WFC. Please check the user manual to find out how the notifications system works and how the connections are blocked in Windows Firewall. Best regards.

 

Now I get an error message when I go into Network "Network discovery is turned off". When I click turn on nothing happens. Same with the options in Control Panel>Network and Sharing Center>Advance sharing settings. Only when I turn off WFC does it remain on. As soon as I enable WFC (any Profiles) same problem. Tried restoring Windows Firewall default rules and WFC recommended rules with same results.

Obviously, all necessary Services are running as able to connect when WFC is Off.

Any help appreciated.

Thanks,
Robert

Win 10 Pro (clean install)

Alexandrud replied, "When you enable/disable some features from Windows (like Network Discovery, File and Printer Sharing), the operating system enables/disables some group names from the default set of rules. If you have removed these rules, then the operating system can't actually enable these functionalities because the rules from their corresponding groups are not there anymore. In this case, my recommendation is to reset your rules to the default set and start over with the removing carefully of the default rules."

Alexandrud, I have never disabled or removed any of WFC's or Windows default rules. Do you mean reset Windows Firewall with Advance Security to Default Rules and set WFC to just it's/your default rules and start all over again?

Robert

P.S. Why was I in Windows (10) Firewall topic? I deleted my posts.

 

If you use Secure Rules, make sure that you add these default group names into the authorized groups list before enabling them from Advanced sharing settings.

On my system, pressing on the 1 does nothing, pressing on the 2 will create the green rules above. But, if I close the Advanced sharing settings window and reopen it, the 1 check box is again set to OFF. The same happens even if I disable Windows Firewall. It is probably a bug in Windows?

 

Windows Firewall Control v.4.8.4.0

Change log:
- New: Added support to find duplicate rules in Rules Panel.
- Fixed: The application always uses the Calibri font family which for some users may not be the best font. If the user changes the default font from the Advanced Appearance Settings... dialog, WFC is still displayed with Calibri font. Now the WFC user interface reflects the system font.
- Fixed: Pressing multiple times on F1 key will open multiple times the user manual.
- Updated: Pressing the F1 key in the focused window will open the user manual to the corresponding topic instead of the main page.
- Updated: The user manual topics were extended.

Note that the installer size was increased because the .chm file is also packed into the installer.

New translation string:
799 = Show duplicate rules

Download location: http://binisoft.org/download/wfc4setup.exe
SHA1: f1d43e140e1ee8f6dcf24e4378a2422535a846de
SHA256: ef8f9c9904452db1edf7bb76597be364bd9b27d1275dae084c837bdd8a2efbb4

- The search for duplicate rules is made on the following columns: Program, Location, Action, Direction, Local addresses, Local ports, Remote ports, Remote addresses, Protocol, Service, Edge traversal, ICMP settings, Interface types. The following columns are not taken into consideration during the search: Name, Group, Description, Enabled. The results contain only the rules for which at least two similar rules were found.

- I tried to group the duplicated rules results in a more user friendly way. Unfortunately, even if the user interface looked pretty good, the grouping on the data grid was very very slow and the entire experience was extremely poor. I will look for an alternative way in the future. Currently they are displayed by groups but the grouping has no visual expression.

Best regards,
Alexandru

 

As usual you were right. It was Secure rules that had caused the problem. User error! Uninstalled and reinstalled now everything is as it should be.

Damn, now I have to start from scratch.

Thanks Alexandrud,
Robert

 

Spanish manual user the latest version, does not start with F1 key or icon in WFC.Checked same file in version 4.8.3.0 and works well.

English user manual if it works in both versiones.¿Possible problem file size?

Spanish = 1.51 mb
English = 9.48 kb

regards

 

German language translation for newest WFC update v4.8.4.0 is done, sent to Binisoft.org and should be ready very soon!

 

The user manual is still under development and is still changing. Version 4.8.3.0 just launched an external process with the chm file, while version 4.8.4.0 is able to launch the help file inside WFC on specific topic depending on where the user presses F1 key. These topics have some IDs which were reassigned in the last version of the user manual. Because the user manual part is something new in WFC, these IDs will probably change again in the future until I have a definitive structure.

 

I couldn't turn on network discovery and advanced file sharing options, and luckily the above posts explained it. I have secure rules on; I had to reinstall and select "Import group names from current existing rules". When I uninstalled I selected "Restore to the state before installing this program". This is great.

While doing this, I thought it would be nice to actually see the list of group names from current existing rules. Maybe like the pic below. Thanks again for the wonderful WFC.

 

This approach uses too much space and does not have a way to enter something new. You can add only the existing entries. I guess this will remain as it is now.

Meanwhile I managed to define a visual style to group the duplicate rules and the results looks like this. This works pretty fast and will be included in the next version.

 

Alexandrud, how exactly does this Secure rules work. The help file is not very informative to me. If I select it and highlight WFC only the rules in current WFC group are imported and Secured and all the rest are either deleted or disabled correct? How does one create a Group with ALL the current rules secured? Your not saying that I have to go to All Rules and No Filter and manually Add to Group>WFC? Not sure how Secure rules work.

Thanks,
Robert

 

@alexandrud

Can we have someting like this in WFC?
http://www.nirsoft.net/utils/wireless_network_watcher.html