Windows firewall blocks outbound connection that is allowed by a rule
After asking for help in the Windows Filtering Platform (WFP) forum on MSDN I learned that you can capture the activity of WFP (which the firewall employs) using the following commands:
netsh wfp capture start
netsh wfp capture stop
The resulting log file is XML, which makes it human readable, and from that file I learned that wermgr.exe is blocked by the rule "WSH Default Outbound Block" with the description "Blocks all outbound traffic for services who have been network hardened." Apparently, this rule takes precedence over my "allow" rule.
I'm not sure exactly why wermgr.exe is affected by the Windows Service Hardening default rule, but I assume that one of the hardened services executes wermgr.exe to perform a task of connecting to the server at 65.55.53.190 (a Microsoft IP address), and wermgr.exe is then blocked just as the service would be.
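The capture-and-correlate step described in this answer, as an added example (not code from the post): it parses the flattened block event from the question and looks up its Filter Run-Time ID in a capture excerpt to name the filter that fired. The XML excerpt is constructed, and its element names (filters/item/filterId/displayData/action) are an assumption about the wfpdiag.xml layout, so check them against your own capture.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a "netsh wfp capture" result (wfpdiag.xml).
# The element names (filters/item/filterId/displayData/action) are an assumption
# about that layout, not copied from a real capture; adjust them to match yours.
WFPDIAG_XML = """<wfpdiag><wfpstate><filters>
  <item><filterId>184645</filterId>
    <displayData><name>WSH Default Outbound Block</name>
      <description>Blocks all outbound traffic for services who have been network hardened.</description>
    </displayData>
    <action><type>FWP_ACTION_BLOCK</type></action></item>
</filters></wfpstate></wfpdiag>"""

# The blocked-connection event exactly as it appears flattened in the question.
EVENT_TEXT = (
    "The Windows Filtering Platform has blocked a connection. Application Information: "
    "Process ID: 7440 Application Name: \\device\\harddiskvolume3\\windows\\system32\\wermgr.exe "
    "Network Information: Direction: Outbound Source Address: 192.168.1.23 Source Port: 31532 "
    "Destination Address: 65.55.53.190 Destination Port: 80 Protocol: 6 Filter Information: "
    "Filter Run-Time ID: 184645 Layer Name: Connect Layer Run-Time ID: 48")
FIELDS = ["Process ID", "Application Name", "Direction", "Source Address", "Source Port",
          "Destination Address", "Destination Port", "Protocol", "Filter Run-Time ID",
          "Layer Name", "Layer Run-Time ID"]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
# A value runs from its label up to the next label (or section header) or the end of text.
_FIELD_RE = re.compile(
    rf"({_LABELS}): (.*?)(?= (?:{_LABELS}|Network Information|Filter Information): |$)")

def parse_event(text):
    """Split a flattened WFP block event into a {field: value} dict."""
    return {m.group(1): m.group(2) for m in _FIELD_RE.finditer(text)}

def find_filter(xml_text, filter_id):
    """Look up a filter by run-time id; return (name, description, action) or None."""
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        if item.findtext("filterId") == str(filter_id):
            return (item.findtext("displayData/name"),
                    item.findtext("displayData/description"),
                    item.findtext("action/type"))
    return None

def explain_block(event_text, xml_text):
    """Join the event's Filter Run-Time ID to the capture to name the filter that fired."""
    ev = parse_event(event_text)
    return {"app": ev["Application Name"],
            "dest": f'{ev["Destination Address"]}:{ev["Destination Port"]}',
            "filter": find_filter(xml_text, ev["Filter Run-Time ID"])}
```

A filter id that is not in the capture yields `None`, which usually means the capture was started after the drop and needs to be repeated while the connection is retried.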
pmms
Updated on September 18, 2022

Comments

pmms, over 1 year ago
I have configured Windows Firewall to block all outbound connections. I have then created "allow" rules to enable certain applications to create outbound connections. Unfortunately it seems that some connections that should be allowed are still blocked and I don't understand why.
I have a simple rule to allow Windows Problem Reporting:
- Enabled: Yes
- Action: Allow the connection
- Programs:
C:\windows\system32\wermgr.exe
- Protocol type: TCP (6)
- Local port: All Ports
- Remote port: All Ports
- Local IP address: Any IP address
- Remote IP address: Any IP address
- Profiles: Domain, Private, Public
Nevertheless, after creating this rule, a connection was blocked and logged in the event log:
The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID: 7440
    Application Name: \device\harddiskvolume3\windows\system32\wermgr.exe

Network Information:
    Direction: Outbound
    Source Address: 192.168.1.23
    Source Port: 31532
    Destination Address: 65.55.53.190
    Destination Port: 80
    Protocol: 6

Filter Information:
    Filter Run-Time ID: 184645
    Layer Name: Connect
    Layer Run-Time ID: 48
Given the rule that was created specifically to allow wermgr.exe to connect, I don't understand why the connection was blocked. How can I modify the rule to allow the connection to succeed?

By the way, this is not an issue isolated to wermgr.exe. Once in a while I see blocked connections for other applications even though I have created rules for them also. Luckily most of the time the rules work as expected.