Firewall Event Monitoring is no longer Working in Windows 10

  • Question

  • The FwpmNetEventSubscribe0 function has suddenly stopped working on my brand new install of Windows 10 Pro, Version 1709, Build 16299.192.

    FwpmNetEventSubscribe0 is now returning 5 (Access Denied) instead of 0 (ERROR_SUCCESS).  This has worked since 2014 in Windows 7, 8.0, 8.1 and 10 until now.  This function is called within a Windows Service running under the SYSTEM account, so credentials are not, or at least have not in the past been, a problem.

    I am getting ready to bring this product to market and suddenly it no longer works!

    Here is the function which calls FwpmNetEventSubscribe0 and has not changed since it was written in 2014.

    +++++++ START

    // Headers this member function needs: fwpmu.h declares the Fwpm* API, fwpuclnt.lib exports it.
    #include <winsock2.h>
    #include <windows.h>
    #include <fwpmu.h>
    #include <string.h>
    #pragma comment(lib, "fwpuclnt.lib")

    // Subscribe/unsubscribe to/from firewall event monitoring.
    // logmsg() is the author's printf-style logging helper (not shown here).
    BOOL FwEventListener::EnableFwEventMonitoring(BOOL bEnable)
    {
        DWORD rv;

        // Start monitoring
        if (bEnable)
        {
            if (m_hEngine && m_hEventFirewall)
                return TRUE;

            // open firewall engine with a non-dynamic session
            // (the original assigned FWPM_SESSION_FLAG_DYNAMIC and immediately overwrote it with 0)
            FWPM_SESSION0 Session;
            memset(&Session, 0, sizeof(Session));
            Session.flags = 0;
            Session.displayData.name = L"Firewall Helper";

            if (ERROR_SUCCESS != (rv = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, &Session, &m_hEngine)))
            {
                logmsg(TEXT("FwpmEngineOpen0 call failed. Error = 0x%08X"), rv);
                return FALSE;
            }

            // time window for the enumeration template: now until roughly two years from now.
            // The end time is computed on the FILETIME instead of via st.wYear += 2 so that a
            // February 29th start date cannot produce an invalid SYSTEMTIME (and an unset End).
            FILETIME Start, End;
            ULARGE_INTEGER ul;
            GetSystemTimeAsFileTime(&Start);
            ul.LowPart = Start.dwLowDateTime;
            ul.HighPart = Start.dwHighDateTime;
            ul.QuadPart += 2ULL * 365 * 24 * 60 * 60 * 10000000ULL;   // two years in 100-ns units
            End.dwLowDateTime = ul.LowPart;
            End.dwHighDateTime = ul.HighPart;

            // net event template structure (no filter conditions: every net event is delivered)
            FWPM_NET_EVENT_ENUM_TEMPLATE NetEventTempl;
            memset(&NetEventTempl, 0, sizeof(NetEventTempl));
            NetEventTempl.startTime = Start;
            NetEventTempl.endTime = End;
            NetEventTempl.numFilterConditions = 0;
            NetEventTempl.filterCondition = NULL;

            // net event subscription structure
            FWPM_NET_EVENT_SUBSCRIPTION NetEventSub;
            memset(&NetEventSub, 0, sizeof(NetEventSub));
            NetEventSub.enumTemplate = &NetEventTempl;
            NetEventSub.flags = 0;
            NetEventSub.sessionKey = Session.sessionKey;

            m_hEventFirewall = NULL;
            // THIS IS NOW RETURNING 5 INSTEAD OF 0 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
            if (ERROR_SUCCESS != (rv = FwpmNetEventSubscribe0(m_hEngine, &NetEventSub, OnFirewallEvent, this, &m_hEventFirewall)))
            {
                FwpmEngineClose0(m_hEngine);
                m_hEngine = NULL;
                logmsg(TEXT("FwpmNetEventSubscribe0 Failed, Error = 0x%08X"), rv);
                return FALSE;
            }
            logmsg(TEXT("Firewall event monitoring started ..."));
        }

        // Stop monitoring
        else
        {
            if (!m_hEngine || !m_hEventFirewall)
                return TRUE;

            // The popup is currently locking the Fw Event Monitoring function.
            if (m_hEventQuit)
                SetEvent(m_hEventQuit);

            // Unsubscribe from the Firewall Event
            FwpmNetEventUnsubscribe0(m_hEngine, m_hEventFirewall);

            // Close Engine
            FwpmEngineClose0(m_hEngine);

            m_hEventFirewall = NULL;
            m_hEngine = NULL;

            logmsg(TEXT("Firewall event monitoring stopped ..."));
        }
        return TRUE;
    }
    +++++++ END

    I really need to fix this, so your help will be really appreciated.

    Thank you!


    Charles S. Cotton

    Tuesday, January 30, 2018 3:44 PM

Answers

  • Well, things progressed with this Windows 10 installation and suddenly BFE would no longer start.  No BFE, no firewall!  Trying to start BFE returned error 87, "parameter is incorrect" or something like that.  No one at Microsoft support was able to fix this, even paid support!

    So I went ahead and did a totally clean install of Windows 10.16299.125, freshly downloaded using the Microsoft Media Creation tool, onto a newly formatted partition.  Now everything is back working again.  Actually, I've never experienced such a well-running Windows 10 before, .16299.192 after all the updates.  I think I'll keep it!

    So, I don't know what was wrong with my previous Windows 10, oddly at 16299.215??  This was the Windows that came with this "new" Toshiba Satellite laptop.  Maybe someone, somewhere, put something special on that instance of Windows 10, you know what I mean?  Good riddance.


    Charles S. Cotton

    • Marked as answer by Charles Cotton Sunday, February 11, 2018 10:01 PM
    Sunday, February 11, 2018 10:01 PM

All replies

  • Have you tried using FwpmNetEventSubscribe2 (and associated updated structures)?

    See https://msdn.microsoft.com/en-us/library/mt767557

    It is the new API provided in Windows 10, build 1607 and later. It may be the case that FwpmNetEventSubscribe0/1 are now deprecated on newer OS.

    EDIT: I found there is now a Subscribe2 for Windows 10, see above.



    • Edited by blockeduser Saturday, February 3, 2018 4:44 PM
    Saturday, February 3, 2018 4:32 PM
  • No, I haven't tried the Windows 8 and 10 versions of the function.  The application I am writing must work on Windows 7, 8 and 10!

    Also, if what you are saying is true, that FwpmNetEventSubscribe0/1 are now deprecated on newer OS, that would mean that this sudden change will break formerly working applications.

    Furthermore, FwpmNetEventSubscribe0 was working on build 10.0.16299 when I first installed it from the iso file which was something like 10.0.16299.12.  With all the updates, I am now on 10.0.16299.214.  So whatever change has been made, it is very, very recent.

    I just checked my other laptop running preview build 10.0.17025 and FwpmNetEventSubscribe0 works on it!!!

    So, something has recently changed.  I sure hope this has nothing to do with the Spectre/Meltdown patch amateur hour fiasco.

    Right now I have VS 2010 and VS 2013 installed on this brand new laptop.  I will go ahead and download VS 2017 next and try the latest versions of the API to see if that fixes the problem.

    I'll report back with the result of that experiment.

    Thank you, blockeduser for your response!

    2/4/2018 Update:

    I installed VS 2017 and tried to use the latest version of the functions.  Same result.  I am now chasing down the FWPM_ACTRL_SUBSCRIBE WFP access right.  Is it possible that either the default access rights for the firewall engine have recently changed in Windows 10, or that this required access right has only been recently implemented?


    Charles S. Cotton


    Saturday, February 3, 2018 7:14 PM
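A diagnostic for the FWPM_ACTRL_SUBSCRIBE question in the update above, added here as an example and not code from the thread: it reads the net-events DACL through FwpmNetEventsGetSecurityInfo0 and evaluates it for the SYSTEM account with a simplified, portable ACE walk, so a service can log why a subscription is refused instead of only the error 5. The FWPM_ACTRL_SUBSCRIBE bit value and the well-known group SIDs assumed for a LocalSystem token come from my knowledge of the SDK headers and of Windows, not from the page; the Windows-specific part is compiled only under _WIN32.

```cpp
#include <set>
#include <string>
#include <vector>
// FWPM_ACTRL_SUBSCRIBE as defined in fwpmtypes.h (value assumed from the SDK header).
const unsigned FWPM_ACTRL_SUBSCRIBE_BIT = 0x00000200;
struct AceEntry { bool allow; std::string sid; unsigned mask; };
// Simplified DACL walk for a token given by its SIDs (inheritance flags ignored): ACEs
// are taken in order, a DENY covering a still-wanted bit fails, ALLOWs accumulate.
bool DaclGrants(const std::vector<AceEntry>& dacl, const std::set<std::string>& tokenSids, unsigned wanted) {
    unsigned granted = 0;
    for (const AceEntry& a : dacl) {
        if (!tokenSids.count(a.sid)) continue;
        if (!a.allow && (a.mask & wanted & ~granted)) return false;
        if (a.allow) granted |= (a.mask & wanted);
        if (granted == wanted) return true;
    }
    return granted == wanted;
}
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <fwpmu.h>
#include <sddl.h>
#pragma comment(lib, "fwpuclnt.lib")
#pragma comment(lib, "advapi32.lib")
// Reads the live net-events DACL from BFE and evaluates it for LocalSystem (S-1-5-18) plus the well-known groups a SYSTEM token carries (assumed list).
DWORD SystemCanSubscribe(bool* canSubscribe) {
    HANDLE engine = NULL; PACL dacl = NULL; PSECURITY_DESCRIPTOR sd = NULL;
    DWORD rv = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &engine);
    if (rv != ERROR_SUCCESS) return rv;
    rv = FwpmNetEventsGetSecurityInfo0(engine, DACL_SECURITY_INFORMATION, NULL, NULL, &dacl, NULL, &sd);
    if (rv == ERROR_SUCCESS) {
        std::vector<AceEntry> entries;
        for (DWORD i = 0; dacl && i < dacl->AceCount; ++i) {
            ACCESS_ALLOWED_ACE* ace = NULL;  // ACCESS_DENIED_ACE shares this layout
            if (!GetAce(dacl, i, (LPVOID*)&ace)) break;
            BYTE t = ace->Header.AceType;
            if (t != ACCESS_ALLOWED_ACE_TYPE && t != ACCESS_DENIED_ACE_TYPE) continue;
            LPSTR sidStr = NULL;
            if (!ConvertSidToStringSidA((PSID)&ace->SidStart, &sidStr)) continue;
            entries.push_back({t == ACCESS_ALLOWED_ACE_TYPE, sidStr, (unsigned)ace->Mask});
            LocalFree(sidStr);
        }
        *canSubscribe = DaclGrants(entries, {"S-1-5-18", "S-1-5-11", "S-1-1-0", "S-1-5-32-544"}, FWPM_ACTRL_SUBSCRIBE_BIT);
        FwpmFreeMemory0((void**)&sd);  // the DACL pointer lives inside sd
    }
    FwpmEngineClose0(engine);
    return rv;
}
#endif
```

The real AccessCheck also honours ACE inheritance flags and object-specific ACEs, so treat DaclGrants as a readable approximation for logging, with the SDDL from the same call kept alongside it when the answer is surprising.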

  • Hmm... Reading this page: https://support.microsoft.com/en-us/help/4058258 which describes known issues for build 16299.214 it looks like some antivirus software will get blocked until a certain registry key is set. That might be (or be related to) your issue since antiviruses are often implemented (at least partially) using WFP.
    Monday, February 5, 2018 2:40 PM
  • No, that doesn't appear to be it.  I have this key set exactly as shown in the KB.

    But, thanks for bringing this to my attention, nevertheless.



    Charles S. Cotton

    Monday, February 5, 2018 9:30 PM