Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    ^ that is a good idea ! I have it. Image done (yesterday morning) with Macrium Reflect.

    Thanks for this, will try it and report back !!

    Edit 1: In the System Hive from the Image there is only ControlSet001 and ControlSet002. No CurrentControlSet.

    But it looks like that ControlSet001 has the rules I "lost".

    Shall I rename (in the exported .REG file) ControlSet001 to CurrentControlSet or leave it be ??
     
    Last edited: Dec 13, 2018
  2. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    No idea why it did that. Any way NO issue with WFC but an Issue with ME not making a Backup of the Rules (which I should have done) ;)

    Edit: @alexandrud maybe an idea to make an automatic backup function in WFC. (Just a suggestion of course)
     
    Last edited: Dec 13, 2018
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    319
    Location:
    Germany
    Leave it, ControlSet001. Compare the name in the real registry.
    Before manipulating, make a backup copy of the real hive v1809.
     
  4. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    ^ Will do and do you one better, I will make another Image ;) !

    Thx again, really appreciated.
     
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    319
    Location:
    Germany
    With Windows Scheduler and .bat file, perform automatic export (backup) of that registry hive, it also adds a date stamp to the file name
    ScreenShot_238.png
    Right name CurrentControlSet
     
  6. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    ^ hahahahaha (Good One)

    Good enough for the Techies, but not everyone who uses WFC is able to do that ;)
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    It is really easy to create a backup of your firewall rules. You have to execute the following command in an elevated process: netsh.exe advfirewall export "mybackup.wfw"
    You can easily create a scheduled task to execute this command for you. Anyway, I don't think anyone creates tens of firewall rules each day. Just make a manual backup once a month (week) and that should be enough.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Again, off topic, but related... Yesterday I announced my new website biniware.com on this topic. I asked for advise from the administrators of this great forum and they agreed to create a dedicated section for all Biniware products.
    The topic for Biniware Run software can be found here.

    "I, the developer of Windows Firewall Control, created a new web site named biniware.com where I will publish new tools that I will develop.
    Currently I have one new tool called Biniware Run. I also have in mind a new security tool that will get published in 2019 on the new website. I can't give more details about it, but it definitely will be very useful.

    P.S.: I still work at Malwarebytes, I still support Windows Firewall Control."
     
  9. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    798
    Hi Alexandrud

    Tried your backup of FireWall Rules netsh.exe advfirewall export "mybackup.wfw" . Problem is I cannot find the created file.
    Can you advise where I can find it?

    Thank you

    Terry
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    It is probably in C:\Windows\System32 where the netsh.exe is located. Change the path to your desired location: netsh.exe advfirewall export "D:\Backup\FirewallRules_December_13.wfw". You get the idea.
     
  11. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    798
    Hi Alexandrud

    Thanks. Found it!

    Terry
     
  12. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    Got my old rules back thanks to @aldist

    What I did was (Quoted Text by @aldist)

    and extracted the keys from

    (Made a New system Image just in case ;))

    Then I imported the Regfile, at first the rules did not show in WFC, but they showed in the Registry, so I rebooted and my rules where there. !! Yeah ....

    This whole exercise could have been prevented if I had backup my old rules (MY BAD I KNOW)

    @alexandrud thx for the NETSH cmd line
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Instead of a reboot, it is enough to restart Windows Firewall service. It will read again the rules on start-up.
     
  14. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    319
    Location:
    Germany
    Congratulations! Super! :thumb:
     
  15. keeka

    keeka Registered Member

    Joined:
    Dec 13, 2018
    Posts:
    3
    Location:
    UK
    I'm a new user to WFC. @alexandrud thanks for building a well thought out and robust tool, and for maintaining it. I'd been using a windows 7 setup just for CAD, that was not connected to the WAN so had not bothered with a firewall. Now, my first time with Windows 10 and I was dismayed by how busy the networking has become. I have a couple of questions I'd be grateful if someone can answer.

    I notice the existing MS and also the WFC recommended rules for svchost.exe all reference a service. This presumably narrows their scope, so you aren't opening up the firewall to any service conecting via svchost. Post-install, many of the notifications I'm seeing are for svchost.exe. The notification tell me the PID. How do I find the associated service (short name)? I then plan to narrow the scope of any allow rule to the relevant service.

    Also, I'd like to export the WFC connection log or better still, link to it via API if it exists so that I can analyze the logs. What's the best way to do that?

    Many thanks.
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Thank you for your good thoughts. I recommend you to take a look in the user manual, it will answer a lot of questions. Just press F1 in any WFC window to open an old school user manual in CHM format.

    Check this topic in the user manual: User interface > Main Panel > Rules > Windows Firewall Control recommended rules

    Regarding svchost.exe, my recommendation is to not bother with it. If you are in Windows 10 and want everything smooth, svchost.exe should be allowed to connect to 80,443 anytime. svchost.exe is a legitimate process and is used by all Microsoft Windows services. If you don't want to allow a specific service, you better disable that service instead of creating rules for each service.

    If you are concerned about privacy, go back to Windows 7 or even better, Linux.

    Connections Log entries are read from the Security event log of the system. You can export them through Event Viewer (but not in the same user friendly way). In Connections Log, if you select all entries and use the right click context menu you can copy all details in plain text and paste them in any text editor.
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    550
    Location:
    Far East
    Hi

    When I set to Medium Filtering Windscribe VPN and ProtonVPN cannot connect to the net i.e. they timed out

    However, when I set to Low Filtering both the VPNs can connect to the net

    Any reason? How can I set to Medium Filtering and still can connect to the net?

    Thanks
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Medium Filtering
    Outbound connections that do not match a rule are blocked.
    Only the programs that have an allow rule can initiate outbound connections.
    When this profile is enabled the outbound filtering from Windows Firewall is enabled.
    When this profile is enabled the user must define an allow rule for each program that he wants to allow to connect to the Internet.
     
  19. keeka

    keeka Registered Member

    Joined:
    Dec 13, 2018
    Posts:
    3
    Location:
    UK
    Many thanks for your help. When I installed WFC, I kept the default/existing rules created by windows 10 (fresh install), and I loaded the recommended WFC rules. I deleted the svchost.exe//outbound/tcp/80,443 then attempted to selectively allow sevices. After posting, I used process hacker to identify the services associated with each PID notified by WFC outbound alert. It did get a bit tedious! I have gone with your recommendation and re-enabled the suggested rule.
    I do use Linux for pretty much everything other than CAD & 3D printing. However, whilst I am booted in to windows for that, it's convenient to run a few networked applications. I have also used windows guests under KVM and briefly tried VFIO passthrough, but couldn't get it working quite how I'd like with VM restarts. I will be revisiting that some time.
    So for time being I need to boot windows and best I bite the bullet and get used to windows 10. I accept the privacy trade-off (I think!) but want to lock down application firewall as best I can.
    Presumably non-microsoft services/processes are able to make network connections via an svchost process. If so, that's a concern.
    I guess svchost is something like inetd but somewhat less transparent.
    I have now followed your suggestion here.
    Thanks again for the tool and your support. Much appreciated.
     
  20. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    319
    Location:
    Germany
    High Security mode, only for James Bond and his fans :thumb:
    Windows Updates - only manual or off-line.
    Only one allowed rule for svchost:
    allow DHCP - UDP out source port 68 dest. port 67
    Additionally, for each application that needs internet (Browser, e-mailer...):
    allow DNS - UDP Out dest. port 53 (can specify dest. IP 8.8.8.8 and 8.8.4.4)
    allow TCT Out port 80, 443...
    And do not forget to turn off the DnsCache service!
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache
    set parameter Start to 4 and reboot machine.
     
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    550
    Location:
    Far East
    Hi

    Yes, I have selected Windscribe VPN and ProtonVPN to allow in Medium Filtering but they cannot connect out
     
  22. keeka

    keeka Registered Member

    Joined:
    Dec 13, 2018
    Posts:
    3
    Location:
    UK
    That's interesting. So, disabling dnscache would cause each application to resolve hosts directly and require its own outgoing/UDP/53 permission?
    What determines whether a service/process MS or otherwise can reach the network via svchost?
     
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    319
    Location:
    Germany
    Yes.
    This requires deep knowledge, which I do not have enough.
     
  24. Mannillo

    Mannillo Registered Member

    Joined:
    Jun 19, 2017
    Posts:
    11
    Location:
    UK
    Hi, sorry to harp on about the same thing but haven't got a response yet, see below post from Dec 3, any ideas please thanks. Thing is I can't update 5.3.1.0 to 5.4.0.0 until this is solved else I can't see the connections log. Best would maybe be an update where this never happens which I would then update to?

    About the issue where the Connections Log doesn't show up in 5.4.0.0, I think this is because due the changes in Windows Firewall Control at some point instead of simply update users have to uninstall the program and reinstall from scratch. In running the executable users then get the three options down the bottom of the window, "create shortcut and desktop icons", I can't remember what the second one is, but the last one is "stop logging windows connections". So anyway you tick or untick as you wish, but the problem with 5.4.0.0 is, MILLISECONDS before the program installs, you see that window for just a moment and everything is still ticked... so regardless of what you want to do installation of 5.4.0.0 chooses to stop logging windows connections, then once it's installed you can no longer view the connections log, and can't get it back either for some reason. I rolled back to 5.3.1.0 which still has the connections log, so until an update comes out that solves that problem I'll stick with this as I don't think my security is compromised too much by using an earlier version.
     
  25. Skinny

    Skinny Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    4
    Location:
    Melbourne, Australia
    Mannillo
    Why would your security be compromised because of WFC not showing the connection logs ??.
    WFC is not a Firewall,
    It is a front end for the Windows Firewall.
    Try reading a few pages back and you will see how to manage the connection logs issue.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.