Subscribing to Block Events for a Specific Service

Hello, I've got a setup where I'm allowing specific traffic and blocking all else. But I need to know what is being blocked. When I subscribe to all Block Events, I can't differentiate between different services (because they all use svchost.exe). So I tried using FWPM_CONDITION_ALE_USER_ID when calling FwpmNetEventSubscribe, with a Security Descriptor of "D:(A;;CCRC;;;S-1-5-80-1452425288-2709461340-3274533413-2407537074-986069024)S:NO_ACCESS_CONTROL" for example. (I've tried both constructing the Security Descriptor manually, and from a string, and both work fine for getting the Security Descriptor.) I then use multiple subscriptions for all the different services for which it is possible.

However, when there is a block event, every single callback function is being called for the same event. And thus I am unable to differentiate between services once more.

I'm on Windows 7 x64, by the way.

Any insight would be greatly appreciated!

Tuesday, September 10, 2019 9:14 PM
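Added example, not from the original post: rather than one FwpmNetEventSubscribe per service, a single subscription can classify each block event in the callback by the service SID in the event header's `userId` field (converted with ConvertSidToStringSid). The table of S-1-5-80 SIDs is derived here from service names, assuming the documented derivation (SHA-1 of the upper-cased UTF-16LE service name, split into five little-endian 32-bit sub-authorities, the same value `sc showsid <service>` prints); the service list and event SIDs are constructed for the example.

```python
"""Classify WFP block events by service SID with one lookup table.

Assumptions: NT SERVICE\<name> SIDs are S-1-5-80 followed by the SHA-1 of the
upper-cased service name in UTF-16LE, read as five little-endian DWORDs.
The sample event SIDs are constructed from that table, not captured.
"""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80-"


def service_sid(service_name: str) -> str:
    """Return the NT SERVICE\\<name> SID string for a service name."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauthorities = struct.unpack("<5I", digest)  # five LE 32-bit values
    return SERVICE_SID_PREFIX + "-".join(str(s) for s in subauthorities)


def build_lookup(service_names):
    """Map service SID string -> service name for every service of interest."""
    return {service_sid(name): name for name in service_names}


def classify_event(user_sid: str, lookup) -> str:
    """Label one block event by the SID the callback read from header.userId.

    Anything not in the table (a well-known account such as LocalService,
    a service that was not enumerated, or a non-service process) is 'unknown'.
    """
    return lookup.get(user_sid.upper(), "unknown")


# Hypothetical set of svchost-hosted services whose blocks we want to tell apart.
WATCHED_SERVICES = ["Dnscache", "LanmanWorkstation", "wuauserv", "BITS"]
LOOKUP = build_lookup(WATCHED_SERVICES)

# Constructed event user SIDs: two table hits and one well-known account SID.
SAMPLE_EVENT_SIDS = [service_sid("Dnscache"), service_sid("bits"), "S-1-5-19"]

if __name__ == "__main__":
    for sid in SAMPLE_EVENT_SIDS:
        print(f"{sid:<72} {classify_event(sid, LOOKUP)}")
```

Cross-check the derivation on the target machine by comparing `service_sid("TrustedInstaller")` with the output of `sc showsid trustedinstaller` before relying on the table.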