Blocking application that has already bound to port?

  • Question

  • Currently I use FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 from user mode to block applications from using the network. This works great, except that it obviously does nothing once the assignment has already been done. I've searched the other layers where the ALE_APP_ID condition can be used, but none of them stood out to me as an obvious choice. Is there a way to intercept and block applications that are already bound without using kernel mode, or if not, to somehow unbind the port and force them to rebind themselves, thus getting blocked?

    (Example: I can block Windows Live Messenger fine if I activate the filter before it connects. However, once it is connected, even if I try to block it, it will operate as normal until it is disconnected. If it tries to connect again, the filter blocks it successfully.)

    Sunday, October 24, 2010 9:57 PM

Answers

  • You can write code that queries what ports the application has bound to (similar to what netstat.exe does), and then add BLOCK filters at FWPM_LAYER_OUTBOUND_TRANSPORT_V{4/6} and FWPM_LAYER_INBOUND_TRANSPORT_V{4/6}. You won't be able to filter by AppID; however, you should be able to obtain enough information about the socket to effectively block it from reaching the destination.

    Hope this helps

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Monday, October 25, 2010 4:24 PM
    Moderator