Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,065
    Location:
    Romania
    This is impossible to provide because the list of IPs used by Microsoft contains millions of IP addresses, since they provide a lot of services across multiple products. You can always use trial and error: if something does not work anymore, review the rules, review the Connections Log.
     
  2. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    Occasionally when I reboot my machine Secure Boot is not active, it boots into Windows with medium filtering already active. How can this be? Running the current Windows 11 Beta build.
     
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    Akamai are servers to speed up content delivery, they are secure connections. If you block Akamai globally, pages will open slowly in your browser.
    But explorer.exe should be completely blocked from going online unless you use it for connections to your ftp-server and other similar networking tasks.
     
  4. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    320
    Location:
    USA
    Ah, the wide-eyed innocence of youth. :)

    I'm in agreement with alexandrud... Attempts to effectively block Microsoft by IP is a lost cause which is not to say some published lists of well-known servers can hurt. Much.

    Here's my list, FWIW.
    Code:
    c:\windows\system32\mousocoreworker.exe
    c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
    c:\windows\system32\wuauclt.exe
    c:\windows\system32\lsass.exe
    c:\windows\system32\devicecensus.exe
    c:\windows\system32\dashost.exe
    c:\windows\system32\werfault.exe
    c:\windows\syswow64\werfault.exe
    c:\windows\immersivecontrolpanel\systemsettings.exe
    c:\windows\system32\runtimebroker.exe
    c:\windows\system32\unp\updatenotificationmgr.exe
    c:\windows\system32\taskhostw.exe
    c:\windows\system32\compattelrunner.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    c:\windows\system32\cleanmgr.exe
    c:\program files\windows media player\wmplayer.exe
    c:\program files (x86)\windows media player\wmplayer.exe
    c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
    c:\windows\system32\speech_onecore\common\speechruntime.exe
    c:\windows\system32\wwahost.exe
    c:\windows\system32\usocoreworker.exe
    c:\windows\system32\backgroundtransferhost.exe
    c:\windows\system32\wermgr.exe
    c:\windows\system32\oobe\setupplatform\setupplatform.exe
    c:\windows\system32\systemsettingsadminflows.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\browser_broker.exe
    c:\windows\system32\backgroundtaskhost.exe
    c:\windows\system32\sihclient.exe
    c:\windows\explorer.exe
    c:\windows\system32\apphostregistrationverifier.exe
    c:\windows\system32\dmclient.exe
    c:\windows\system32\speech_onecore\common\speechmodeldownload.exe
    Too many to list here, every exe that logged or will log a connection in c:\program files\windowsapps which all carry the ubiquitous 8wekyb3d8bbwe string in the paths. winstore.app.exe tops the list.

    In an otherwise obvious surrender to Microsoft, I've never had the fortitude to tackle all of the WAN connectivity by the Host Process for Windows Services (svchost.exe) of which right now has 65 instances reported under Task Manager > Processes.

    In just the past month of August, 1 GB and 24 MB of data were downloaded and uploaded, 970 MB via HTTP, by svchost.exe. Granted, that includes Windows Update as I unblock the processes needed during all the monthly fun for the mostest securest stablest Windows that ever was.

    Likewise, unblocking and re-blocking the likes of microsoftedgeupdate.exe or wmplayer.exe as needed is simply done.

    Cheers.
     
    Last edited: Sep 3, 2021
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,065
    Location:
    Romania
    To provide the Secure Boot feature, the WFC service is subscribed to the system shutdown event. In general, this event is received in WFC almost instantly and it has time to switch the profile to the High Filtering profile. However, if the system shuts down abruptly, the event is not received or WFC does not have enough time to switch the profile.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    BTW, I have just installed the newest WFC and I noticed something very annoying. It doesn't remember the last tab that was used. I prefer the Profiles tab to be displayed on startup of the WFC GUI, can this be changed?
     
  7. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    But at the same time, using the Dashboard tab seems logical.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,065
    Location:
    Romania
    WFC never remembered the last tab used. When you open Main Panel, the first tab from top is displayed. This is Dashboard, not Profiles since 3 years ago. There is no plan to remember the last used tab, Dashboard is the default one.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,715
    Location:
    U.S.A. (South)
    Hey @alexandrud - Not that you will hint or anything but am going to ask it anyway.

    What strikes you as far as any other additions, or what are called improvements, that you might have in mind? And as a developer it's natural, in spite of whatever other schedules press your demands for time and efforts, that new ideas and inspiration always arise :cool:
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Then I must be using quite an old version of WFC on Win 8.1, because it always opens with the Profiles tab, which I prefer.

    To me it's not, the user should be able to decide. The Dashboard is pretty much useless to me, but from time to time I like to check if the right Profile is being used.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,065
    Location:
    Romania
    The right profile appears in the system tray area anyway if you take a look at the icon. I don't see this as a reason to use an old version. How much time do you really spend on the Profiles tab so that this becomes a deal breaker?
     
  12. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    That makes sense. So long as this isn't happening too often, it is nothing to be too concerned about then?
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,065
    Location:
    Romania
    No. Unfortunately I could not find a better way to implement this, so if it fails from time to time, we must live with it.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Yes good point, but it's the tab that I use the most, for when I would like to switch from Profile. Now it's an extra step, and it's a bit of a deal breaker for me so I will downgrade to an older version. Of course WFC is still an excellent tool, I install it on every machine, great way to manage the built-in Windows firewall.
     
  15. Paul04

    Paul04 Registered Member

    Joined:
    Mar 4, 2020
    Posts:
    9
    Location:
    Colorado
    Same thing here - Svchost.exe is plentiful and hard to handle. I've seen some user comment some time back that he just completely blocked Svchost.exe with no ill effects.
    For myself, I have been gradually adding rules to Allow some Svchost processes, but strictly, only when it is associated with a Service that I approve of. So Svchost with no Service - Blocked. Svchost with a Service - maybe Allow.

    PS: Just an unrelated opinion on the user interface panel of WFC - my attitude is that this app is so very useful to me, I am just grateful that Alexandrud is keeping it operational given how Microsoft can shift the earth under it from time to time. So I am happy to accept any user interface idiosyncrasy and work with it as long as WFC continues to function properly, which it largely does (thanks again Alex).
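
    Added example (not part of any post in this thread, and not WFC's own code): the "svchost.exe only together with a named service" approach described in the post above can be audited with the built-in NetSecurity cmdlets. The function name Get-SvchostRuleAudit is hypothetical; the script only reads rules and changes nothing.

```powershell
# Added example: list enabled outbound rules whose program is svchost.exe and
# flag those that are not restricted to a single Windows service.
# Requires the built-in NetSecurity module (Windows 8 / Server 2012 or later).

function Get-SvchostRuleAudit {
    [CmdletBinding()]
    param(
        # Path compared against each rule's program filter (case-insensitive).
        [string]$Program = "$env:SystemRoot\System32\svchost.exe"
    )

    Get-NetFirewallRule -Direction Outbound -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            # Rules may store the path as %SystemRoot%\...; expand before comparing.
            $path = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
            if ($path -ne $Program) { return }   # not a svchost.exe rule, skip it

            $svc = ($rule | Get-NetFirewallServiceFilter).Service
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Action      = $rule.Action
                Service     = $svc
                # 'Any' means the rule has no service restriction, so it
                # matches every service hosted in svchost.exe.
                Unscoped    = ($svc -eq 'Any')
            }
        }
}

# Unscoped rules first: these are the ones to review or tighten.
Get-SvchostRuleAudit |
    Sort-Object Unscoped -Descending |
    Format-Table -AutoSize
```

    An Allow rule reported with Unscoped = True lets every service hosted in svchost.exe connect out; a rule that names a service short name (for example wuauserv) only matches that service.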
     
  16. Blaspie

    Blaspie Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    13
    Hi all. First let me say what an awesome little program this is. I have two questions/issues concerning WFC recommended rules, which I am using as a base for my own rules as suggested in the user guide:

    1. Even with WFC Updater rule enabled (allow outgoing TCP remote port 443), WFC seems to be blocking itself, see attached screenshot (blocked outgoing connection on TCP destination port 80). Does not seem to affect update check though, but still it is weird.

    2. As I am not using local network sharing, only connecting to switch, router and through it to the internet, I believe I can disable most of recommended rules with no ill effects, is that right? However there are other computers connected to the switch. I don't need network discovery or ping or printer sharing etc. What is the minimal set of recommended rules in that case? So far I am using only 4 allow rules with no apparent ill effects:
    WFC - Windows Update
    WFC - Windows Time Service
    WFC - Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)
    WFC - Core Networking - DNS (UDP-Out)

    My questions are, do I need the last two rules? If I disable the DHCP rule, will that screw up the local network? And since I am using Simple DNS Crypt (dnscrypt-proxy), do I need the DNS rule?

    https://www.simplednscrypt.org/
    https://github.com/DNSCrypt/dnscrypt-proxy

    Thanks a lot for answers.
     

  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    The blocked connection is not a WFC update check, the address has nothing to do with the WFC. The update is checked at 66.198.240.5:443 (binisoft.org), nothing seems to have changed here recently.
    In general, these four rules are sufficient. It seems that to check for Windows updates you need to allow all connections for svchost, but I could be wrong, since I don't use Windows updates and I have svchost blocked completely.
    Try to disable this rule and see if the internet works. I work without this rule (svchost is blocked completely).
    You can try that too, but you won't get pages to open in your browser because domain name resolution will stop working. Then create a custom DNS rule for your browser and the pages will open. The DNSCache (DNS Client) service should be stopped!
     
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,165
    Location:
    Slovakia
    @Blaspie you can disable Multicast to prevent it from spamming the log (239.255.255.250).
    Code:
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
     
  19. Blaspie

    Blaspie Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    13
    So I disabled the DHCP and DNS rules and everything seems to work fine. I don't have svchost allowed either, but I did allow a handful of Windows .exe files which requested to connect during Windows Update. So Windows Update works as well. I disabled Multicast in group policy.
     
  20. Paul04

    Paul04 Registered Member

    Joined:
    Mar 4, 2020
    Posts:
    9
    Location:
    Colorado
    Yes I also noted all those log entries for 239.255.255.250. May I ask if there is any downside to disabling Multicast on your pc?
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,165
    Location:
    Slovakia
    No, I have also disabled multicast in Edge causing the same spam.
    Code:
    reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EnableMediaRouter" /t REG_DWORD /d "0" /f
     
  22. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    175
    Is it possible to change filtering type (in my case I want to go from Medium > Low) using CMD?

    I have a machine which is not showing the WFC UI (it runs in the background, still blocks non-allowed programs, etc.) and I'm unable to change the filtering method because of it.
    I tried checking the PDF guide over at binisoft but for some reason the website doesn't load for me.
     
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    Last edited: Sep 15, 2021
  24. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    175
    Thanks a lot aldist.
    The WIN + R stuff doesn't work, I think this machine has broken .NET Framework files which is why the GUI won't show up.

    I will use those CMD lines until I manage to format it. Appreciated.
     
  25. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    I don't understand what protection secure rules provides when outbound connections are already blocked with medium filtering. Anybody care to elaborate?
     