Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,056
    Location:
    Romania
    From your description it seems that the connection with the service was in faulted state at the deletion time and the delete was only visual from the data grid. If you restart wfc.exe the same happens ? WFC uses Windows Firewall API so it can delete, add, or modify any rule.
    Please go to Event Viewer (eventvwr.msc). Under "Applications and Service logs" category, there is a subcategory named WFC. Here are logged all errors from WFC. When you are there, on the right panel is a button named "Save all events as...". Use this button to export an *.evtx file and send it to support@binisoft.org to check the log.
     
  2. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    I didn't try to restart WFC. Okay already exported the events... will send you the file
     
  3. Hi Alexandru, Do you have any suggestion at all on my issue with installing on Windows 7 x86? (I explained in post #1087, #1091 and #1092).

    I'm surprised you didn't suggest I post the WFC event log entry. I only found out the WFC event log existed by what you replied to someone else's query in post #1101. Anyway, I opened the WFC event log and first there's a warning which says:

    That entry is followed by the error log entry:

    Could any of this help?

    When I open 'services.msc' I notice that 'Windows Firewall Control' is there and is running.

    I also noticed after failed install attempts that no program shortcut gets placed on the desktop, so the install failure comes before that stage of installation. Is any of this of any assistance?

    I followed a curiosity I had about System.ServiceModel.Channels.ServiceChannel aborting communications, and found out it requires the service 'NetTcpPortSharing' to be running. I checked my services and 'NetTcpPortSharing' is disabled and unable to be started because it is in fact missing.. so I'm currently downloading .NET Framework repair tool and will see what happens.. Will update after it runs.

    Okay, so many repairs and reboots later I still get the same error.

    By the way WFC installed and works perfectly on my x64 OS, and I am really liking the UI and features. It's exactly what I want in a firewall, so I was more than happy to donate 3 times, but thanks for your email reply. Thanks much :D
     
    Last edited by a moderator: Sep 25, 2014
  4. notechyet

    notechyet Registered Member

    Joined:
    Sep 5, 2008
    Posts:
    11
    Location:
    Downunder
    Hi All
    How can I block the ports to stealth as the grc report stated as 11 ports were closed?
    namely:
    Ports found to be CLOSED were: 80, 110, 119, 135, 143, 1027,
    1028, 1029, 1030, 1720, 5000

    Thanks
     
  5. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    @notechyet

    It may be not your PC but the modem/router answering.

    Check your modem / router first.
     
  6. notechyet

    notechyet Registered Member

    Joined:
    Sep 5, 2008
    Posts:
    11
    Location:
    Downunder
    Thanks. I have searched on my FritxBox 7270 without success and did Goooooogle extensively and have not found an answer yet?
     
  7. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @alexandrud Any chance of this being added ? I tried chaning the Group of my manually created rules to "Windows Firewall Control" but they still get deleted by the Secure rules feature, which I like to leave enabled.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,056
    Location:
    Romania
    There is no such rules as WFC rules and normal rules. They are the same rules that Windows Firewall has. I tried to change the group for several rules and this does not delete any rule even if the Secure Rules is enabled. That feature works only for rules added by other programs, but in this case this is an update. Even if it was an add action, rules added from WFC are never deleted by the Secure Rules feature. Can you reproduce this with any rule at any time ? Please give some more details about this.
     
  10. Hi Alexandrud, Thank you for your emails suggesting fixes for my Windows 7 x86 .NET Framework error. I uninstalled Framework 4.5.1 and installed 4.0 but it still didn't work so I just ran a Windows 7 Repair installation (Upgrade option) which completely replaced the windows files with the original disc set, but left all my programs and personal files intact...

    Then I installed WFC and it now works perfectly :D

    Thanks for all your help along the way.
     
  11. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    551
    Location:
    Switzerland
    Strange behaviour in following case:

    I had already this outbound allow rule ...
    allowed-rule-already.JPG

    Nevertheless a outgoing try of this program was blocked as you can see in this picture ...
    conn-log.JPG

    I know of course, that blocking rules are over the allowing rules, but the one and only outgoing blocking-rule is the following ...
    blocking-rule.JPG

    The question is now: how is this possible?

    Edit: I found out, that this is in the WFWas-Log as blocked entry (ID 5157) too - so it should be not a problem of WFC itself!

    However, I let the question here, because I really don't know the reason for this behaviour of the Win Firewall ... maybe it's an indirect initiating process or something?

    Edit 3: I found out, that it's initiated probably from the Windows "Aufgabenplanung" ("Task Scheduler" in english) with task "Windows Error Reporting".

    Could be the reason from the initiating process itself or because the path with variable included "%windir%\system32\wermgr.exe -queuereporting"?

    Greetings and a nice rest of weekend!

    Alpengreis

    Edit 2: "not a problem of WFC" to "SHOULD be not a problem of WFC" ... because it's not 100 percent clear, where the reason is ...
     
    Last edited: Oct 5, 2014
  12. MrElectrifyer

    MrElectrifyer Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    177
    Location:
    Canada
    Bug Report: Secure Boot Doesn't Appear to be Working
    I have disable the automatic start-up of WFC via the main panel, I have Secure Boot enabled,
    and I set WinPatrol to automatically start WFC after over 3 minutes after system start-up. During the 3 minute period of WFC not being active, I'm still able to access the internet as normal.

    Bug Report: WFC is Integrated Into Shell, as Expected, but The "Shell Integration" Checkbox is Unchecked After WFC is Started by WinPatrol
    See the following image for clarification. If I exit and manually relaunch WFC, the checkbox is checked again...
    https://www.dropbox.com/s/607dhbx3s3rbw5g/WFC%20Shell%20Integration%20Bug.png?dl=0
     
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,056
    Location:
    Romania
    Does this happen all the time or this was after a wake up from sleep or hibernation mode ? This is the only program that acts this way ? I mean it is still blocked even if it has an allow rule. Do you use MBAM or any other security product that may filter your traffic ?
    Regarding the Secure Boot, when you restart your computer, please open WFwAS (wf.msc) before starting WFC and check your rules. Do you see those block all rules named "Core Networking - Block all outbound connections" and "Core Networking - Block all inbound connections". These rules are created by WFC to ensure the High Filtering profile. The previously saved policy is restored when wfc.exe (GUI part) is subscribing again to the service (wfcs.exe), so until then you should have the block rules which are specific to the High Filtering profile. To test this better, just disable the auto start-up from WFC interface and check again. Then wfc.exe will not start (the service wfcs.exe will) but you will have time to check the rules.

    The Shell Integration check box is checked if the corresponding registry key ("[HKEY_CLASSES_ROOT\exefile\shell\Allow through Windows Firewall\command]") has the same value with the current path from where wfc.exe is executed. If the paths are different then the check box is not checked. The same happens if you install WFC, enable Shell Integration and then you execute it from a different location. Maybe WinPatrol execute it from a different location.
     
  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I have noticed a couple of times in the past week, the global variable for x86 Program Files "%ProgramFiles% (x86)" doesn't hold when there is a firewall rule.
    I've intentionally blocked svchost.exe from internet access till my VPN is up and running, ensuring the internet connection is live, but not active. This approach provides me with a clean log from bootup, up to successful VPN connection.

    Some firewall rules relating to executables running via the x86 Program Files folder are leaking through. However, once I notice them happening, I replace "%ProgramFiles% (x86)" with "C:\program files (x86)\" and all is well.

    One thing worth mentioning, I do my mods via W7FwAS, not WFC. So essentially, this isn't WFC-related, but the WFC log screen rules! Anyone else recently had any issues with %x% variables?

    EDIT: Wow, quick search revealed this "%PROGRAMFILES(X86)%" as the correct assignment for the folder... Hmmm... Is W7F assigning the variables incorrectly? Can someone check theirs please?
     
    Last edited: Oct 8, 2014
  15. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    551
    Location:
    Switzerland
    The notify was NOT direct after sleep/hibernation - but: ev. it was related to the MS Task Scheduler Job for this program (Job after Login), so it's possible, that it was a delayed thing ... At this moment, I can't reproduce it, because this is an automated MS thing - I will try to initiate manually (and reproduce ev.).

    I use FSIS (F-Secure Internet Suite) and this product uses the MS Win Firewall (no own Firewall integrated). "On the other side" it has an integrated HIPS, but then I should have a related warning about a blocked connnection. So I do not believe, that FSIS is the reason.

    Also, the "%windir%" variable from the task job is probably NOT the reason, because the Win FW itself SHOULD known such variables. But okay, the related allow rule is created in WFC WITHOUT the variable. I will try with creating the rule direct in WFWas WITH this variable ...

    Alexandrud, can you check the "Windows Error Reporting" Task in MS Task Scheduler? Maybe you find something there, that could be the reason?

    However, I'll keep an eye on this.
     
  16. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    551
    Location:
    Switzerland
    On my system (win7 ultimate 64-bit swiss-german) BOTH variables "%programfiles(x86)%" and "%programfiles (x86)%" has the value "C:\Program Files (x86)". You can check this in a command prompt with "echo %programfiles(x86)%" resp "echo %programfiles (x86)%".
    So it should not be a problem within Win 7 Firewall itself.

    If you edit a such "variable-rule" in WFC, WFC should convert this in "normal-letters". And after saving in WFC, also the Win 7 FW should overtake the "non-variable-rule" then.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,056
    Location:
    Romania
    As you already saw, there is no such thing as "%ProgramFiles% (x86)", but "%ProgramFiles(x86)%" is accepted in WFwAS as input. However, the fact it accepts system variables is only for displaying purposes because the saved rules contain the converted real paths. In WFC, when I query Windows Firewall API for the rules, they all come with the full path instead of the paths with system variables in them. Why don't you use WFC to create your rules ?
    In WFC system variables are not accepted as a valid input because I have to validate if the user input contains a valid system variable and then I have anyway to convert the path to the real one. The full path to an existing file is required.
     
  18. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    551
    Location:
    Switzerland
    I have BOTH variables on my system (with and without the blank space). One was created with the policy editor (GPO) (this with the blank space).

    Only for clarification for all (I'm sure, you know this already, Alexandrud):
    Rules created with variables (as already known, not possible with WFC) have the advantage, that you are independent of "hard" destinations (drives resp. directories). So it's possible, that on another machine, the related drive is not C: but D: - so you can import such rules and they are valid. Or another example: you make a fresh install on your machine with the decision, to have the OS on drive D:, then all your imported WFC rules with "C:\Windows\..." are invalid - on the other side, all imported rules with the variable "%SystemRoot%" are valid because "%SystemRoot%" is set to the new "D:\Windows\..."!

    Because this, it would be easier/better, if WFC could accept such variables for input too. But this is not the most important thing IMHO.
     
    Last edited: Oct 9, 2014
  19. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Small grammar correction spotted...
    In Connections Log, trying to untick the "Blocked Connections" tickbox pops up a warning message - "Disabling the logging for blocked connections will also disable the notifications. Are you (insert sure here) you want to continue?"
     
  20. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    61
    Location:
    Earth
    Hi alexandrud / Members,

    I have a few queries to ask...
    a) Sometimes I'm unable to find information about a Program that tries to make Outgoing connection. I would like to know whether WFC has got an option to "File info search" in internet or database search. I noticed this feature in "System Explorer" ?
    b) Is there an option in WFC to monitor or view the current running processes, the ports and protocols they use as well as the destination and remote address. I noticed this feature in TinyWall / Moo0 Connection Watcher. If not available kindly consider the feasablity of adding this feature in future release if it makes sense.
     
  21. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Feature request (not sure if it is possible, due to Windows Event Viewer)

    The ability via Connections Log to ignore entries made for an application, but be direction-specific...
    For example ignore all blocked outbound entries for Internet Explorer, but still report all allowed outbound entries for Internet Explorer
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,056
    Location:
    Romania
    Since Windows Vista came out, if you install your operating system on a logical D:\ or E:\ partition, when Windows starts, the partition that has the operating system on it becomes C:\ drive in Windows. Rules declared with C:\Windows\etc... will work even if the Windows is installed on D:\ drive. Anyway, Windows Firewall API will return always the full path instead of system variables. I will see if I can allow system variables as valid input in paths in WFC.
    I will fix this.
    a) You can use context menu to copy the name or the path of the program and then you can search it in any search engine. System Explorer redirects the queries to their own website and database. Such feature does not exists in WFC.
    b) WFC does not filter any packets. It works in a passive way. You can use Resource Monitor (resmon) to see the current processes that are generating network traffic. There are more versatile programs for such thing. WFC had such a view in the past but the results offered by the .NET Framework were not very accurate, so it was removed. I will reconsider this and I will try to see if there is a good solution.

    Not possible. Microsoft decided to log all blocked inbound/outbound events under 5157 event id and all allowed inbound/outbound under 5156 event id. Can't change this behavior from WFC. They are all or nothing. Or maybe I did not understand correctly the feature request.
     
  23. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    507
    For dummies please... when I change profiles from low to medium filtering, dnscrypt is disabled, and I lose my internet connection. My grasp on wfirewall is tenuous.
     
  24. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    On "Low Filtering" you allow everything except programs you have a "block rule" for. This is why dnscrypt connects to the internet.
    On "Medium Filtering" you allow only the programs you have an "allow rule" for. This is why dnscrypt is blocked.

    "Low Filtering" is not secure. This is why "Medium Filtering" is recommended.
    So set the profile to medium filtering and create an "allow rule" for dnscrypt when prompted.
    HTH :)
     
  25. Clarensio

    Clarensio Registered Member

    Joined:
    May 4, 2014
    Posts:
    1
    Sorry for my english .. So I was wondering:
    as there
    810 = Block for now and ask me later
    811 = Allow temporarily (which I can not identify when it may seem ...)

    frequently using Remote Assistance, it would be possible to have direct voice
    - Allow this time and ask after

    Type the screenshoot (Ita) following ...

    http://i60.tinypic.com/1zya451.png
     
    Last edited: Oct 19, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.