new firewall rules created for each user

  • Question

  • What's the deal with these new Windows Firewall rules created for each "local user owner", that allow all ports and programs?  How can I disable their creation?

    Contact Support -- All -- windows.contactsupport_cw5n1h2byewy

    Search -- All -- microsoft.windows.cortana_cw5n1h2byewy

    Work or school account -- Domain, Private -- microsoft.aad.brokerplugin_cw5n1h2byewy

    Your account -- Domain, Private -- microsoft.windows.cloudexperiencehost_cw5n1h2byewy

    Wednesday, November 9, 2016 6:36 PM

All replies

  • Hi JS2010,

    How did you check the firewall information?

    Here is my understanding:
    "Contact Support"
    It should be related to the Metro app "Contact Support". It is an app that can be used to ask for help from Microsoft directly. If it is disabled, this app may not work.
    "Search"
    It is related to the Cortana app. If it is disabled, Cortana may not work well.
    "Work or school account"
    It should be related to the Azure AD account. If it is disabled, the Azure AD account may not work well.
    "Your account"
    It should be related to the cloud service of your account (Microsoft account sync settings between machines).

    These seem to be new default firewall rules for Windows 10. If you don't want to use those features, we could disable them in the firewall with the UI or the command line "netsh advfirewall".
    Control Panel\All Control Panel Items\Windows Firewall\Allow an app or feature through Windows Firewall

    If you want to use those features, we'd better keep them.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 10, 2016 2:13 AM
    Moderator
  • I have print stations with 20,000 of these firewall rules.  The cpu of the Windows Firewall service is often very high.  I am trying to delete them remotely with powershell running as system user.  When I tried netsh I couldn't find the rules going by name.  But for some reason system user can't find the rules either even though administrators can:

    Remove-NetFirewallRule : No MSFT_NetFirewallRule objects found with property 'DisplayName' equal to 'Your account'.  Verify the value of the property and retry.
    At C:\Users\myadmin\firewall-clean.ps1:6 char:1
    + Remove-NetFirewallRule -DisplayName "Your account"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Your account:String) [Remove-NetFirewallRule], CimJobException
        + FullyQualifiedErrorId : CmdletizationQuery_NotFound_DisplayName,Remove-NetFirewallRule
    
    

    Do these rules permit all the ports to be open?




    • Edited by JS2010 Thursday, November 10, 2016 12:32 PM
    Thursday, November 10, 2016 12:28 PM
  • This seems to work as the system user.  The displaynames of the rules appear different to system than to administrators:

    remove-netfirewallrule -displayname "*Windows.ContactSupport*"
    remove-netfirewallrule -displayname "*Microsoft.Windows.Cortana*"
    remove-netfirewallrule -displayname "*Microsoft.AAD.BrokerPlugin*"
    remove-netfirewallrule -displayname "*Microsoft.Windows.CloudExperienceHost*"


    Thursday, November 10, 2016 7:55 PM
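The question above ("Do these rules permit all the ports to be open?") is best answered by reading the rule's port and application filters rather than its display name. The following is an added example, not code from the thread: it takes an owner SID like the ones used in this thread, walks both policy stores, and reports direction, action, ports and the AppContainer package each rule is scoped to. It assumes the NetSecurity module (Windows 10 / Server 2016 and later); the function name and the `AllowsAnyPort` column are this example's own.

```powershell
# Added example (not from the thread). Requires the NetSecurity module.
# Summarize what each per-user ("local user owner") rule actually permits.
function Get-OwnerFirewallRuleSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OwnerSid,
        # The hidden rules live in ConfigurableServiceStore; the visible ones in PersistentStore
        [string[]]$PolicyStore = @('PersistentStore', 'ConfigurableServiceStore')
    )

    foreach ($store in $PolicyStore) {
        # -Owner filters on the server side, far cheaper than Get-NetFirewallRule -All
        $rules = Get-NetFirewallRule -PolicyStore $store -Owner $OwnerSid -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $port = $rule | Get-NetFirewallPortFilter
            $app  = $rule | Get-NetFirewallApplicationFilter

            [pscustomobject]@{
                PolicyStore   = $store
                Name          = $rule.Name          # GUID-style instance id, same as the registry value name
                DisplayName   = $rule.DisplayName   # localized ms-resource string, so it can differ per caller
                Direction     = $rule.Direction
                Action        = $rule.Action
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort
                RemotePort    = $port.RemotePort
                Program       = $app.Program
                Package       = $app.Package        # AppContainer package SID the rule is scoped to
                # "All ports" is one thing; whether Package is set tells you whether the rule
                # is bound to a single AppContainer or to any process on the host
                AllowsAnyPort = ($port.Protocol -eq 'Any' -and
                                 $port.LocalPort -eq 'Any' -and
                                 $port.RemotePort -eq 'Any')
            }
        }
    }
}

# Usage (assumed local account name 'user'):
# $sid = (Get-CimInstance Win32_UserAccount -Filter "Name='user'").SID
# $summary = Get-OwnerFirewallRuleSummary -OwnerSid $sid
# $summary | Format-Table PolicyStore, DisplayName, Direction, Action, LocalPort, Package -AutoSize
# $summary | Group-Object DisplayName | Sort-Object Count -Descending | Select-Object Count, Name
```

Reading `Package` is the security-relevant check: a rule with `LocalPort = Any` but a package SID only opens those ports for that one AppContainer, whereas a rule with no package and no program would apply to every process. Grouping on `Name` rather than `DisplayName` also sidesteps the localization difference between SYSTEM and an administrator that the posts above ran into.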
  • Hi JS2010,

    I am glad you have figured out the method to remove the firewall rules. As I pointed out before, removing those firewall rules may affect the related feature. Please be careful.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, November 11, 2016 6:39 AM
    Moderator
  • This is much faster:

    netsh advfirewall firewall delete rule name=@{Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy?ms-resource://Windows.ContactSupport/Resources/appDisplayName}
    netsh advfirewall firewall delete rule name=@{Microsoft.Windows.Cortana_1.4.8.176_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/DisplayName}
    netsh advfirewall firewall delete rule name=@{Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}
    netsh advfirewall firewall delete rule name=@{Microsoft.Windows.CloudExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}
    


    Friday, November 11, 2016 4:10 PM
  • I'm still looking into this.  There are 8 other firewall rules (at least 8 unique displaynames of rules) made for each user that you can't even see in the firewall control panel.  Their names start with an "@" symbol.  Plus 16 more unique displaynames of rules in the configurableservicestore policystore.  On some computers, I run out of memory in powershell just trying to count them:

    get-netfirewallrule -policystore configurableservicestore -all | measure-object
    

    Friday, November 11, 2016 11:46 PM
  • Hi JS2010,

    If it is possible, please post back the rules here. I will try my best to explain the rules for you.
    According to my experience, most of those new firewall rules are related to the metro apps. If you don't want to use them, we could delete them directly.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 15, 2016 9:12 AM
    Moderator
  • It's tempting to paste here all 80 or so metro app firewall rules per user.  You can just pick a user's sid and dump them all like this in powershell.  Most of them are in the configurable service store and aren't visible in the control panel.  What do they do?  There's a few visible in the firewall control panel with names "Search", "Work or school account", "Your account", and "Contact Support".

    get-netfirewallrule -owner $sid
    get-netfirewallrule -policystore configurableservicestore -owner $sid
    



    • Edited by JS2010 Tuesday, November 15, 2016 3:47 PM
    Tuesday, November 15, 2016 3:45 PM
  • Hi JS2010,

    I tried to check the rules with command line "get-netfirewallrule ". Most of them should be related to the metro apps. The "Display name" and "Description" tag should explain the rule.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, November 17, 2016 5:56 AM
    Moderator
  • Hmm, it doesn't make much sense to me.  When there are a lot of these rules, svchost.exe goes to maximum cpu (25%) for several minutes after a new user logs in.  And the rules never go away, even after profiles are deleted.

    get-netfirewallrule -owner S-1-5-21-1111111111-222222222-3333333333-4444  | select-object displayname,description
    
    DisplayName                   description                  
    -----------                   -----------                  
    Work or school account        Work or school account       
    Work or school account        Work or school account       
    Your account                  Your account                 
    Your account                  Your account                 
    Search                        Search the web and Windows   
    Search                        Search the web and Windows   
    Email and accounts            Email and accounts           
    Windows Default Lock Screen   Windows Default Lock Screen  
    Windows Spotlight             Windows Spotlight            
    Microsoft family restrictions Microsoft family restrictions
    Windows Feedback              Windows Feedback             
    Xbox Game UI                  Xbox Game UI                 
    Xbox Identity Provider        Xbox Identity Provider       
    Contact Support               Contact Support              
    Contact Support               Contact Support              
    PurchaseDialog                Print Dialog                 
    
    get-netfirewallrule -owner S-1-5-21-1111111111-222222222-3333333333-4444 -policystore configurableservicestore | select-object displayname,description
    
    DisplayName                   description                                              
    -----------                   -----------                                              
    Work or school account        Work or school account                                   
    Work or school account        Work or school account                                   
    Work or school account        Work or school account                                   
    Work or school account        Work or school account                                   
    Work or school account        Work or school account                                   
    Work or school account        Work or school account                                   
    Work or school account        Work or school account                                   
    windows_ie_ac_001             Created by IE                                            
    windows_ie_ac_001             Created by IE                                            
    windows_ie_ac_001             Created by IE                                            
    Your account                  Your account                                             
    Your account                  Your account                                             
    Your account                  Your account                                             
    Your account                  Your account                                             
    Your account                  Your account                                             
    Your account                  Your account                                             
    Your account                  Your account                                             
    Windows Shell Experience      Windows Shell Experience                                 
    Windows Shell Experience      Windows Shell Experience                                 
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Search                        Search the web and Windows                               
    Email and accounts            Email and accounts                                       
    Email and accounts            Email and accounts                                       
    Email and accounts            Email and accounts                                       
    Bio Enrollment                Bio Enrollment                                           
    Bio Enrollment                Bio Enrollment                                           
    Windows Default Lock Screen   Windows Default Lock Screen                              
    Windows Default Lock Screen   Windows Default Lock Screen                              
    Windows Default Lock Screen   Windows Default Lock Screen                              
    Assigned Access Lock app      Launches above lock app when assigned access user logs in
    Assigned Access Lock app      Launches above lock app when assigned access user logs in
    Windows Spotlight             Windows Spotlight                                        
    Windows Spotlight             Windows Spotlight                                        
    Windows Spotlight             Windows Spotlight                                        
    Microsoft family restrictions Microsoft family restrictions                            
    Microsoft family restrictions Microsoft family restrictions                            
    Microsoft family restrictions Microsoft family restrictions                            
    Windows Feedback              Windows Feedback                                         
    Windows Feedback              Windows Feedback                                         
    Windows Feedback              Windows Feedback                                         
    Xbox Game UI                  Xbox Game UI                                             
    Xbox Game UI                  Xbox Game UI                                             
    Xbox Game UI                  Xbox Game UI                                             
    Xbox Identity Provider        Xbox Identity Provider                                   
    Xbox Identity Provider        Xbox Identity Provider                                   
    Xbox Identity Provider        Xbox Identity Provider                                   
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    Contact Support               Contact Support                                          
    PurchaseDialog                Print Dialog                                             
    PurchaseDialog                Print Dialog                                             
    PurchaseDialog                Print Dialog                                             
    
    



    • Edited by JS2010 Thursday, November 17, 2016 4:09 PM
    Thursday, November 17, 2016 4:05 PM
  • Hi,

    I know it's been a few months, but we have just run into this problem in our computer labs and are discovering thousands of firewall rules as others have described above.  Specifically, we are trying to address exactly the behavior that JS2010 is describing with svchost.    

    It doesn't seem too complicated to write a ps script to clean up the existing entries to run on logout or something, but has anyone found a way to keep these rules from being added in the first place?

    Wednesday, March 1, 2017 12:51 AM
  • I think you'd have to completely break all the windows apps.  I've seen a warning starting powershell when I tried deleting all the rules for the admin account though.  To me the biggest problem is they stay around after deleting user profiles, even in 2016 LTSB.  And unlike netsh, when using powershell, the more rules there are, the slower deleting or adding rules happens, because it seems to process every rule.  I ended up going directly to the registry to delete them in powershell.






    • Edited by JS2010 Thursday, March 9, 2017 7:39 PM
    Wednesday, March 1, 2017 2:55 PM
  • Boy, you're not kidding that it takes a long time to process firewall rules with Powershell!  Sheesh!  I think the estimate was something like 2 days for 10k rules, and we have machines with over 100k of these duplicate rules.   At least with Remove-ItemProperty it takes as long as it needs and then a restart (or start...) of the firewall service puts the change in place.  That's a good call.  We're using SCCM to deploy a cleanup script that can be run while the computer is in use, and if that's successful, then I'll try and share that for others that might run across this.  

    These were the two registry locations that we found.  I don't know if you found more, so I thought I'd mention it.

    HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

    HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System

    Monday, March 6, 2017 6:41 PM
  • Here's my version of the script.  It's all the way at the bottom.  I went a little crazy with the ETA bar.  It deletes firewall rules with owners that have no profiles from those two firewall stores.  Even in Windows 10 2016, deleting a profile will not clean these up.  http://stackoverflow.com/questions/40620634/speed-up-powershells-remove-netfirewallrule





    • Edited by JS2010 Thursday, March 9, 2017 7:39 PM
    Monday, March 6, 2017 9:38 PM
  • Hey, I like your progress bar!  I have to admit, I'll probably borrow it myself for some other projects.  :-)

    We did it slightly differently, but I think both approaches work just fine.  So there were two things that guided our solution: (1) We found that the rules were duplicated at login each time a user logged in, so regardless of whether rules had been previously added for a given user, 21 rules were added again at the next login -- every time.  For that reason, we did not limit ourselves to profiles that didn't exist but rather domain users.  (2) We were deploying this as a script to run hidden in the background and so focused on logging details instead of displaying them on the screen.  

    We did this with a simple CMD file that exports the list of registry entries based on the existence and contents of "LUOwn..." and then runs a powershell script to clean them up.  Depending on how long it took, the SCCM job may fail due to time exceeded this first time, but the script still finished running and could be run on a schedule within SCCM.  

    @ECHO OFF
    REM Export the problem entries
    REM Note that these file paths are used as variables in fw_cleanup.ps1 so be sure to change them both places
    reg.exe query HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\ /f LUOwn=S-1-5-21 > c:\temp\fw_reg_rules.log
    reg.exe query HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\ /f LUOwn=S-1-5-21 > c:\temp\fw_reg_system.log
    
    REM Use powershell to parse the file and remove the registry keys
    PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "& '%~dp0fw_cleanup.ps1'"
    

    The SCCM program calls the CMD file above and runs it hidden whether or not a user is logged in, and this PS1 file is stored in the same directory:

    # fw_cleanup.ps1
    # Created - 2017-03-01
    # Purpose - Clean up bad firewall rules in the registry based on the existence of LUOwn string in the definition
    
    # Populate date for logging
    $date = Get-Date -Format "yyyy-MM-dd_HHmmss"
    $systemFile = "C:\TEMP\fw_reg_system.log"
    $rulesFile = "C:\TEMP\fw_reg_rules.log"
    
    $log = "C:\TEMP\fw_cleanup" + $date + ".log"
    
    Try {  "Running fw_cleanup.ps1 on " + $date | Out-File $log -append } Catch { Write-Warning "$_" }
    Try {  "--------------------------------------------" | Out-File $log -append } Catch { Write-Warning "$_" }
    
    If(Test-Path $log) {
    	# Process rules from HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
    	Try {  "Beginning FirewallRules key processing" | Out-File $log -append } Catch { Write-Warning "$_" }
    	Try {  "--------------------------------------" | Out-File $log -append } Catch { Write-Warning "$_" }
    	If(Test-Path $rulesFile) {
    		foreach ($line in Get-Content $rulesFile) {
    			If ($line -match "LUOwn") {
    				# Grab just the GUID from the log file
    				Try { $name = $line.Substring(4,38) } Catch { Write-Warning "$_" }
    				If ($name) {
    					Try { 
    						Remove-ItemProperty -Path "HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" -Name $name 
    						$logentry = "Removed " + $name
    						$logentry | Out-File $log -append
    					} Catch { 
    						$logentry = $name + "$_"
    						$logentry | Out-File $log -append
    					}
    				}
    			} Else {}
    		}
    		$newRulesFile = "C:\TEMP\fw_reg_rules_" + $date + ".log"
    		Try { Move-Item $rulesFile -Destination $newRulesFile } Catch { Write-Warning "$_" }
    	}
    	Else { Try { "No rules source file." | Out-File $log -append } Catch { Write-Warning "$_" } }
    	# Process rules from HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System
    	Try {  "Beginning System key processing" | Out-File $log -append } Catch { Write-Warning "$_" }
    	Try {  "--------------------------------------" | Out-File $log -append } Catch { Write-Warning "$_" }
    	If(Test-Path $systemFile) {
    		foreach ($line in Get-Content $systemFile) {
    			If ($line -match "LUOwn") {
    				# Grab just the GUID from the log file
    				Try { $name = $line.Substring(4,38) } Catch { Write-Warning "$_" }
    				If ($name) {
    					Try { 
    						Remove-ItemProperty -Path "HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" -Name $name 
    						$logentry = "Removed " + $name
    						$logentry | Out-File $log -append
    					} Catch { 
    						$logentry = $name + "$_"
    						$logentry | Out-File $log -append
    					}
    				}
    			} Else {}
    		}
    		$newSystemFile = "C:\TEMP\fw_reg_system_" + $date + ".log"
    		Try { Move-Item $systemFile -Destination $newSystemFile } Catch { Write-Warning "$_" }
    	}
    	Else { Try { "No system source file." | Out-File $log -append } Catch { Write-Warning "$_" } }
    } Else { Write-Warning "No log file." }
    

    This leaves the NT AUTHORITY-based rules, which could be included by changing the search string in the CMD file from LUOwn=S-1-5-21 to LUOwn=S-1-5- instead.  It also leaves the log files by date.  We expect to clean up at a later time but wanted to keep for reference for a bit.  

    Good times!  I hope this is helpful to someone, and thanks JS2010 for helping us get here! 

    Wednesday, March 8, 2017 7:55 PM
  • So you make those input files with another script?  I'm not using Active Directory, but it looks like the only difference is the Active Directory SIDs are more different than the local account SIDs.  The computer shouldn't make any new firewall rules for a user unless the profile has been deleted.  I have a few local accounts so I keep the firewall rules around for them (including System for configurableservicestore), but I don't really know what they do; I guess allow Windows Apps full network access.  I did see a warning starting powershell when I deleted them from a local admin account.



    • Edited by JS2010 Thursday, March 9, 2017 6:49 PM
    Thursday, March 9, 2017 6:46 PM
  • Oh boy, you're right!  This is making my head hurt a little.  :-)  

    I thought we had a handle on the behavior, but you're right that the rules don't get added every time like we had assumed.  We use a combination of local, roaming and mandatory profiles, and it seems it's only the mandatory profiles that are adding the rules each time.  That makes some sense since changes to the profile are discarded on logout, but then the local profile stays for a week (in our environment) and the effect seems to be that those app rules are added each time for that subset of users. Then, as you've mentioned, for local or roaming users it doesn't seem to be a problem until the local profile is removed.

    So for our environment I think I get to add some more logic to my script to identify mandatory profiles and also use some of your script on identifying SIDs with no local profile.  Just when I thought we were on the home stretch!  Ha!

    Thank you!

    Thursday, March 9, 2017 9:02 PM
  • It seems a little better in Creator's edition.  Only 17 firewall rules get left behind after deleting a user's profile.

    function user2sid ($user)
    { Get-CimInstance win32_useraccount | where name -eq $user | select -exp sid }

    $usersid = user2sid 'user'
    Get-NetFirewallRule -owner $usersid | measure

    Count    : 17

    Get-CimInstance Win32_UserProfile  | where localpath -eq 'c:\users\user' |
    Remove-CimInstance

    Get-NetFirewallRule -owner $usersid | measure

    Count    : 17



    • Edited by JS2010 Wednesday, June 7, 2017 7:10 PM
    Wednesday, June 7, 2017 7:01 PM
  • Having this problem as well, 5 RDSH servers and 1 of them had over 66000 rules. 

    Wasn't even able to clean out "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"

    Powershell ran out of memory. Not even able to open that path in regedit, it just stops responding.

    Tuesday, June 27, 2017 8:43 AM
  • Have you tried something like this where you keep everything in the pipeline to save memory? (Remove-NetFirewallRule will take forever) (I'm passing the name property over the pipe)  Even this might take hours.  The newer win10 is better with this problem (but not perfect).

    function sid2user($sid)
    {  
      get-wmiobject -class win32_useraccount | where sid -eq $sid
    }
    
    $profiles = get-wmiobject -class win32_userprofile
    Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore | 
      Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner } | 
      remove-itemproperty -path HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System -verbose # -whatif






    • Edited by JS2010 Tuesday, June 27, 2017 2:51 PM
    Tuesday, June 27, 2017 2:37 PM
  • Im afraid that throws the same error. 

    Get-NetFirewallRule : There is not enough space available to complete this action.

    /Fredrik

    Thursday, June 29, 2017 6:51 AM
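Both the reg.exe-plus-script cleanup posted earlier and the pipeline above hit the same wall: anything that goes through Get-NetFirewallRule or Get-ItemProperty has to materialize every rule as an object, which is what runs out of memory at 66,000+ values. The following is an added example, not the thread's own script or Microsoft's method: it reads the two registry keys named in this thread through the .NET registry API one value at a time, parses the `LUOwn=` token out of each rule string, and deletes only values whose owner SID no longer has a profile. Function names, the `-OwnerPrefix` parameter and the counters are this example's assumptions; run it elevated or as SYSTEM, and, as the earlier post reports, restart the firewall service or reboot afterwards for the change to take effect.

```powershell
# Added example (not from the thread). Streams rule values through the .NET registry
# API so it stays flat in memory regardless of how many rules a host has accumulated.
$FirewallKeys = @(
    'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules',
    'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System'
)

function Remove-OrphanedFirewallRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$KeyPath = $FirewallKeys,
        # Only touch account SIDs by default; pass 'S-1-5-' to include NT AUTHORITY owners as well
        [string]$OwnerPrefix = 'S-1-5-21-'
    )

    # Owners that still have a profile on this machine keep their rules
    $profileSids = Get-CimInstance Win32_UserProfile | Select-Object -ExpandProperty SID
    $liveSids = [System.Collections.Generic.HashSet[string]]::new([string[]]$profileSids)

    $orphaned = 0; $removed = 0; $kept = 0
    foreach ($path in $KeyPath) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
        if (-not $key) { Write-Warning "Key not found: HKLM\$path"; continue }
        try {
            # GetValueNames() is a single string[]; each value's data is read and dropped in turn
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                # Rule strings are '|'-delimited tokens; the owner token looks like LUOwn=S-1-5-21-...
                if ($data -match '(?:^|\|)LUOwn=(?<sid>S-1-5-[\d-]+)') {
                    $sid = $Matches['sid']
                    if ($sid.StartsWith($OwnerPrefix) -and -not $liveSids.Contains($sid)) {
                        $orphaned++
                        if ($PSCmdlet.ShouldProcess("HKLM\$path\$name", "Delete rule owned by $sid")) {
                            $key.DeleteValue($name, $false)
                            $removed++
                        }
                        continue
                    }
                }
                $kept++
            }
        } finally {
            $key.Close()
        }
    }
    [pscustomobject]@{ Orphaned = $orphaned; Removed = $removed; Kept = $kept }
}

# Usage:
# Remove-OrphanedFirewallRules -WhatIf      # preview: reports Orphaned, deletes nothing
# Remove-OrphanedFirewallRules -Verbose     # delete
# Restart-Service mpssvc -Force             # or reboot, as the earlier post describes
```

The `-OwnerPrefix` default keeps the script from touching rules owned by well-known service SIDs, which the earlier CMD-based script also left alone; widen it deliberately rather than by accident. On builds where rules have moved to an additional key, add that path to `-KeyPath` instead of editing the function.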
  • This is more from the Server 2016 point of view, but we seem to have found (on a fairly small sample set) that the new rules don't get created if you've already gone ahead and prevented the related Desktop Experience "services" from being spawned by new users.

    So that might be an approach to try. We get only one set of related firewall rules created (when the server is built), and those are easy enough to manage.

    Note that the first set of services we disable (in $deskexpSvcs) probably contains some stuff you'd want to keep on Win 10 workstations, so prune that section accordingly.

    The reference document for the Server 2016 services and whether they're "required" is here:

    https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabling-system-services-on-windows-server-2016-with-desktop-experience/

    #desktop experience services
    $deskexpSvcs = @(
        "QWAVE",
        "MapsBroker",
        "lfsvc",
        "wlidsvc",
        "WpnService",
        "AxInstSV",
        "lltdsvc",
        "bthserv",
        "dmwappushservice",
        "PhoneSvc",
        "NcbService",
        "PcaSvc",
        "RmSvc",
        "SensorDataService",
        "SensrSvc",
        "SensorService",
        "ShellHWDetection",
        "SSDPSRV",
        "WiaRpc",
        "TabletInputService",
        "upnphost",
        "WalletService",
        "Audiosrv",
        "AudioEndpointBuilder",
        "FrameServer",
        "stisvc",
        "icssvc",
        "XblAuthManager",
        "XblGameSave"
    )
    #desktop experience services that can only be disabled in the reg key
    $deskexpReg = @(
        "CDPUserSvc",
        "PimIndexMaintenanceSvc",
        "NgcSvc",
        "NgcCtnrSvc",
        "OneSyncSvc",
        "UserDataSvc",
        "UnistoreSvc",
        "WpnUserService"
    )
    
    # $sysSvcs is not defined in the snippet as posted; start from an empty list and add any
    # further services you want disabled alongside the Desktop Experience set
    $sysSvcs = @()
    $disablesvcs = $sysSvcs + $deskexpSvcs
    foreach ($svc in $disablesvcs) {
        Get-Service $svc -ErrorAction SilentlyContinue | Set-Service -StartupType Disabled
    }
    foreach ($svc in $deskexpReg) {
        $SVCpath = "HKLM:\SYSTEM\CurrentControlSet\Services\" + $svc
        Set-ItemProperty -Path $SVCPath -Name Start -Value 4 -Type DWord
    }
    
    #remove Xbox scheduled tasks and folder
    Get-ScheduledTask | Where {$_.taskname -like "xbl*"} | unregister-ScheduledTask -confirm:$false
    $scheduleObject = New-Object -ComObject schedule.service
    $scheduleObject.connect()
    $rootFolder = $scheduleObject.GetFolder("\")
    $rootFolder.DeleteFolder("Microsoft\XblGameSave",$null)
    
    #reboot


    • Edited by TracMac Monday, December 18, 2017 11:12 AM
    Monday, December 18, 2017 8:57 AM
  • Old post, but as we ran into these issues as well:

    at first I wrote a tool in .net that removes the bogus firewall rules, directly from registry. For the "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules" I couldn't find another way to do it, as I can't connect to that with the firewall APIs, opposed to the older location from pre 1703 I think it was.

    Anyway, my tool removes about 400.000 values in about 90 seconds. Caveat is that it does require a reboot to be effective. But again, as the AppIso rules can't be removed through API, I don't know of any other way.

    After years Microsoft finally patches their f#ckup in November 2018:

    https://support.microsoft.com/en-us/help/4467684/windows-10-update-kb4467684

    • Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1.

    Setting that value indeed cleans all auto-created rules, also the hidden ones as far as I can see, after logging off.

    Monday, June 3, 2019 11:14 AM
  • Thanks for the info.  Here's another area I've been cleaning up, to prevent high cpu from Appxsvc.   I think "appuriverifierdaily" in Task Scheduler is related to this.  Yes, there's a registry key with literally the name "*".


    $sids = Get-CimInstance Win32_UserProfile | Select-Object -ExpandProperty SID
    $keys = Get-ChildItem 'HKLM:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\*'
    # keep the AllUsers entry and any SID that still has a profile
    $DeleteList = $keys | Where-Object { $_.PSChildName -ne 'AllUsers' -and -not ($_.PSChildName -in $sids) }
    $DeleteList | Remove-Item -Recurse -Verbose

    # if this gets too numerous, search breaks
    remove-item HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Appiso\FirewallRules


    Note also that deleting a lot of profiles at once will make Appxsvc use all the cpu of a machine.

    • Edited by JS2010 Monday, June 3, 2019 5:14 PM
    Monday, June 3, 2019 4:21 PM
  • Yeah, in my opinion 2008R2 was good, after that it becomes worse and worse. Of course some things have improved, but a lot of things are way worse than before. Who thought of putting a users customized start-menu (tiles) in AppData\local???

    This is the list I have so far that is cleaned by my 'logoff crapcleaner' tool I wrote because Windows just leaves crap there. I've just added your AppModel line as well. What a trainwreck.

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP
    HKLM\SOFTWARE\Microsoft\UserManager\Users
    HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\features\<SID>
    HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\<SID>
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\<SID>
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\<SID>
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TouchKeyboard\Users\<SID>
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\<SID>
    HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>
    HKU\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\<SID>
    HKU\S-1-5-18\Software\Microsoft\IdentityCRL\DeviceIdentities\production\<SID>
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache\PurgeAtNextLogoff
    HKLM\SOFTWARE\classes\local settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\*


    Tuesday, June 11, 2019 1:10 PM