Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
Please read in the WFC help file, page 25, "Secure Rules".
In the medium filtering mode, another application working with elevated privileges (from the admin) will create allow-outbound rules or allow-inbound rules on its own and connect to the network. Secure Rules protects against unauthorized creation of such rules.
Will I still be notified via notifications when a new software attempts to create a rule with Secure Rules enabled or are they automatically disabled without notification?
They will be disabled or deleted, depending on your choice, without any notification.
So what if secure rules disables a new rule that I do actually want but isn't in authorized groups?
If you need rules that programs create on their own, you don't need a firewall.
But if you need a rule, create the rule yourself in the Rules panel.
Then don't use Secure Rules. Simple. It is an optional feature, not a mandatory one.
After a while WFC seems to use a lot of VRAM, and closing the app and relaunching it seems to fix it. I have noticed that for at least 2 years. Is that normal?
Hmmm, I think there is a bug in Task Manager or in your video driver somewhere. The number that you have there is 17 GB, do you even have a video card with so much memory? I have an RTX 2080 card and it has only 8 GB. WFC is using Windows Presentation Foundation (WPF), which uses DirectX for rendering, so it is normal to see WPF apps using the GPU instead of the CPU. However, WFC is just showing a few normal windows; it is not a demanding 3D game launched a few weeks ago.
Did you notice any side effect of this? If you try to launch a game, does it give you an error because of insufficient memory or something? I think this is just a display bug, not an actual problem in WFC. If this bothers you, you can launch wfc.exe -nogpu, which will force software rendering, and your Dedicated GPU memory will always be 0 since the processing will be done by the CPU only.
This is on my laptop with all WFC windows open after 10 hours of uptime.
Check the readings in the third-party process manager aka Process Hacker.
1. In WFC Recommended rules, there is a Windows Update rule which allows svchost.exe. It is allowed in general. Isn't this supposed to be limited to the wuauserv (Windows Update) service only? All kinds of other services are communicating through it. When I set it to wuauserv only, Windows updating seems to work fine.
2. I have an allow rule for Windows Cryptographic Services. Yet there are blocked connections in violation of this rule in the log. The same thing sometimes happens with the Windows Update rule. How is this possible?
That is surprising, but for me that only works for checking Windows updates; for downloading them I need to allow at least BITS, and for Store updates Delivery Optimization, and so on.
I have other allow rules as well. Here is all of them:
Allowing only wuauserv was enough in Windows 7. But in Windows 8 and Windows 10 it no longer works, svchost.exe must be fully allowed when Windows Update Center checks/downloads new updates.
The Cryptographic Service network access is not needed at all. Or do you have something that doesn't work without it?
Windows Firewall user rules are stored in Windows Registry here. These are the rules displayed in WFC too.
Besides these rules, Windows Firewall also contains some mandatory rules that are not/should not be accessible for users to edit/view. These rules can't be overwritten by user rules.
This is why even if you create some specific svchost.exe user rules, the connections are still blocked. Starting with Windows 8, not all service-based rules work anymore. My supposition here is that the logic became very complex (related to svchost.exe). For example, you make a rule for wuauserv and check for updates. Svchost.exe spawns other instances which are not necessarily service specific; they are not allowed, the initial call fails, and you see blocked connections for wuauserv. You have an allow rule for wuauserv, but it doesn't matter because it called other instances which were blocked and those failed. As a result wuauserv fails too. This is just an example and it may be extended to other services too.
For this reason, I do not bother anymore with granular control on svchost.exe. I just allow all connections of it on remote ports 80,443 and leave it be. I have more important things to do with my time than debugging svchost.exe connections.
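As an added illustration of the two policies discussed above (a wuauserv-scoped rule versus allowing every service hosted in svchost.exe but only to remote TCP 80/443), here is how both are expressed with the built-in NetSecurity cmdlets and how to verify what each rule actually binds to. This is example code written for this page, not code from the thread or from WFC; the rule names and the "Example" group are assumptions chosen for the illustration, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or from WFC). Rule names and the
# "Example" group name are assumptions for this illustration.
# Run from an elevated PowerShell prompt.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Variant A: the granular, service-scoped rule. The post above reports that
# on Windows 8/10 this alone is not sufficient for Windows Update.
New-NetFirewallRule -DisplayName "Example - svchost wuauserv 80,443" `
    -Group "Example" -Direction Outbound -Action Allow `
    -Program $svchost -Service wuauserv -Protocol TCP -RemotePort 80,443

# Variant B: the coarse rule the post settles on: any service hosted in
# svchost.exe, but only to remote TCP ports 80 and 443.
New-NetFirewallRule -DisplayName "Example - svchost any service 80,443" `
    -Group "Example" -Direction Outbound -Action Allow `
    -Program $svchost -Protocol TCP -RemotePort 80,443

# Verification: show program, service scope and remote ports for each rule,
# so you can see exactly what was written rather than trusting the rule name.
Get-NetFirewallRule -Group "Example" | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $svc  = $_ | Get-NetFirewallServiceFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = $app.Program
        Service = $svc.Service          # "Any" when the rule is not service-scoped
        Ports   = ($port.RemotePort -join ',')
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize

# Cleanup when you are done experimenting:
# Get-NetFirewallRule -Group "Example" | Remove-NetFirewallRule
```

If you keep Variant B, remember that it deliberately widens the allow to every svchost-hosted service, which is the trade-off the post describes; the verification loop is the quick way to spot whether a rule you believed to be service-scoped actually shows "Any" for Service.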
The rules are exactly the same in these two registry keys:
Firewall rules are written to both keys at the same time? Why is this or why should it be so? At one time I used a batch file to create a backup of the second registry key, then restored it, and all the rules were restored and worked. Where am I wrong?
The rules are also exactly the same in the two keys:
I wanted to say HKLM\SYSTEM\CurrentControlSet. My mistake. See here the answer to your question: https://stackoverflow.com/questions...t-differ-from-controlset001-and-controlset002
I keep getting msedge.exe (x86) Microsoft Edge (msedge.exe) Remote port 5353 TCP. I block or allow and as soon as I close Edge and reopen, it pops up again. How can I stop this?
Two ways. Add it to notifications exceptions, or create a general outbound connection blocking rule for msedge.exe and disable this rule and check the "use disabled rules when searching for matching rules..." option.
Where is the "use disabled..." located?
But it would be simpler to just add msedge.exe in the notifications exceptions list and forget about it.
Yep! Thanks aldist and Alex. Damn Edge uses so many UDP/TCP ports.
Rules Panel - would it be possible to add a "System created rules" filter i.e. to show all rules except user created rules?
System created rules are all rules which are not created in the "Windows Firewall Control" group name. You could click on the Group column header to sort the rules on that column and keep WFC/user created rules grouped. Anything else is not a user created rule.
There might be some exceptions: inbound rules without a group name created from a Windows Firewall notification when a software wants to listen on a port for incoming connections, and new rules created by the user by using the netsh command. But WFC can't detect whether these were created by the user or not.
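As an added example of the same split done outside the WFC Rules panel, the following splits the rule set by the group name the reply describes and separately lists the group-less rules it flags as ambiguous (notification-created inbound rules, netsh-created rules). This is example code written for this page, not code from the thread or from WFC; it assumes the WFC group name is exactly "Windows Firewall Control", as stated above.

```powershell
# Added example (not from the thread or from WFC). Assumes WFC tags its
# rules with the group name "Windows Firewall Control", as the reply states.
$wfcGroup = "Windows Firewall Control"

$all    = @(Get-NetFirewallRule)
$user   = @($all | Where-Object { $_.Group -eq $wfcGroup })
$system = @($all | Where-Object { $_.Group -ne $wfcGroup })

# The ambiguous bucket: rules with no group name at all. WFC cannot tell
# whether these came from a Windows Firewall notification, netsh, or elsewhere.
$ungrouped = @($system | Where-Object { [string]::IsNullOrEmpty($_.Group) })

"{0} rules total: {1} in the WFC group, {2} other, of which {3} have no group" -f `
    $all.Count, $user.Count, $system.Count, $ungrouped.Count

# Review the ungrouped rules by hand; an unexpected enabled inbound allow here
# is the kind of rule worth questioning.
$ungrouped |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Sort-Object Direction, DisplayName |
    Format-Table -AutoSize
```

Built-in Windows rules carry resource-string group names (they resolve in the DisplayGroup property), so sorting on Group as the reply suggests places them well apart from the literal "Windows Firewall Control" string.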
November 2, 2012 - https://web.archive.org/web/20121102164116/http://www.binisoft.org/wfc.php
You can actually download old versions of WFC. I don't even have the code of these versions anymore