Windows 10 Firewall with Windows Update Service

Question

  • Previously in Windows 7 and Vista, you could configure Windows Firewall to allow specific outbound traffic via "svchost". For example, to allow outbound traffic for Windows Update, you would allow the program "%SystemRoot%\System32\svchost.exe" with "wuauserv" selected under "Apply to this service".

    In Windows 10 that functionality no longer exists. Creating such a rule results in network connectivity errors on both OSes. If a rule is created to allow "%SystemRoot%\System32\svchost.exe" with "Apply to services only", Windows Update also fails (meaning there is more than the defined services at work here). The only way I can get it to work is if I just allow "%SystemRoot%\System32\svchost.exe" completely, or "%SystemRoot%\System32\svchost.exe" with "Apply to all programs and services", which defeats the purpose of me trying to block all services but those that require network access.

    Any help in addressing this problem is appreciated.

    Tuesday, August 18, 2015 2:21 AM

All replies

  • Hi,

    Did you mean to add an outbound rule allowing the Windows Update service on "%SystemRoot%\System32\svchost.exe"?

    I have done the same settings as yours and also another block rule, but I noticed that there isn't any effect on Windows Update.

    I consider that this is related to forced updates in Windows 10.

    I will submit feedback; you can also post your test results to Windows Feedback.


    Thursday, August 20, 2015 3:31 AM
  • Sadly this has been a problem since Windows 8.1 at least. Here's a link to the 8.1 thread: https://social.technet.microsoft.com/Forums/windows/en-US/27ded2ad-cc85-4c0a-9b41-c6b469a20aab/windows-firewall-and-windows-update-win-81

    Sorry, I can't post links yet.

    Another one seems to be one of the Peer Networking services. No matter which combination of those services I allow, I will always get one blocked connection for remote tcp port 3587.

    • Edited by Jani, Friday, August 21, 2015 6:27 PM
    Friday, August 21, 2015 6:23 PM
  • Hi - I actually attempted to allow only the Windows Update service. I agree that permitting all outbound traffic from svchost.exe works, but it also allows all services and applications using svchost.exe to communicate with the Internet. This defeats the point. Thanks, -d
    Monday, August 24, 2015 4:00 PM
  • Thanks,

    Agreed - I noted the same behavior in Windows 8.1. I'm fairly certain that an earlier version of the Windows 10 pre-release actually worked, but I no longer have access to my initial test system.

    This appears to be a bug - not sure how to get MS's attention to fix this. It would be very helpful in allowing admins to lock down endpoints.

    -d

    Monday, August 24, 2015 4:02 PM
  • I've just upgraded to Windows 10 and wanted to block all incoming and outgoing traffic in the firewall in order to know and limit all network traffic. Surprisingly, the Edge browser will still function (with some application services event logging for sensitive data showing) and the Internet Explorer app seems completely blocked.

    I would like Microsoft to explain what or why the Edge browser still has access out with the default rules but Internet Explorer doesn't. This is so I can know how to limit Edge communication!

    Also I would like Microsoft to explain why the templates for rules don't include something a) for Edge, b) (most importantly) their Windows Update services configuration (WindowsUpdateFailure3), and c) pursuant to this post, why and how I cannot individually limit access through svchost.exe (!!!)

    Hope this is monitored and receive an update before the Ides of March 2016!

    Thursday, February 18, 2016 2:18 AM
  • I did a bit of digging. Turns out this is because Windows Update uses a thread pool to run the connection. Since there is only one thread pool per svchost [1], from the firewall's point of view they all look the same and are not attached to any service [2]. I have no idea how to work around this though.

    [1]: https://msdn.microsoft.com/en-us/library/windows/desktop/ms686760(v=vs.85).aspx
    [2]: https://en.wikipedia.org/wiki/Svchost.exe#Service_tags

    • Edited by Jani, Saturday, July 2, 2016 3:53 PM
    Saturday, July 2, 2016 3:32 PM
  • This is a bug in Windows 10 using the thread pool. It is a bug because the Microsoft application is not setting the security context individually per thread, or is burying security settings and configuration for Windows Update. The Windows Update team needs to explicitly set the security context on the Windows Update port call through the firewall. Otherwise, one hijack of credentials will affect all processes or functions called from the process host which happen to spawn a thread.

    Based on the linked information about the thread pool, "the application must explicitly set the security context", so I would propose that you do not have control over the identity of the service host thread spawn. If I wanted to limit usage of system services by giving them identity, say assigning RunAs parameters to the service host parent process, then how or why can I not either a) set an identity for the function called by that process creating the thread, or b) set the process identity itself? This goes way back to process accounting, in my humble opinion, like at university or on mainframes or in any Linux processes. In those operating systems and contexts you elect who runs the process and who is the thread owner, and thus who touches the port or stream. Now that USA internet providers are counting bandwidth and setting throttles, I want to be able to tell what process runs as who, what functions are run as who, so that calls outside the state machine or operating system can be effectively measured by what is doing what, when, and by whom.


    Bob Kranson

    Sunday, July 3, 2016 11:55 PM
  • Would this be a feasible workaround?

    • Duplicate svchost.exe, call it svchost-wuauserv.exe
    • Set Windows Update Service startup bin path to C:\Windows\system32\svchost-wuauserv.exe -k netsvcs
    • Make sure wuauserv can't run in a shared process:  Cmd > sc config wuauserv type=own
    • Firewall > Allow process and services > C:\Windows\system32\svchost-wuauserv.exe

    Note: I have not tried this - no idea if it works, or what other security holes it might open.

    EDIT: It appears that this may work based on the following blog post:

    Creating an isolated Service Group - "An additional refinement to this method would be to create copies of SVCHOST.EXE that are appropriately named for the isolated service – for example copy %systemroot%\system32\svchost.exe to a new file named %systemroot%\system32\svchost_wuauserv.exe.  Remember that you will need to make the appropriate modifications to the ImagePath value in the registry that reflect the name of the executable file."

    https://blogs.technet.microsoft.com/askperf/2008/01/11/getting-started-with-svchost-exe-troubleshooting/

    • Edited by SamHillAu Tuesday, October 25, 2016 9:11 AM
    Tuesday, October 25, 2016 9:02 AM
  • "Duplicate svchost.exe, call it svchost-wuauserv.exe"

    Thanks for the thought, SamHillAu. The only problem is that copying svchost.exe under a different name might cause some instability if Microsoft decides to update it. If Microsoft adopted this, then it would be no problem, but as a user it is.

    I could think of a few workarounds:

    • Create the copy at boot time. This way the copy is at least a bit up-to-date, but it will still be out-of-date during the first boot after the updates. I guess I could write my own service doing the copying and make wuauserv depend on that, so then the image would be up-to-date when wuauserv runs.
    • Create a hardlink to svchost.exe. Sadly this is not possible because svchost.exe is already a hardlink and as far as I know, there cannot be hardlinks to hardlinks.
    • Write a wrapper for svchost.exe. This still needs some investigation, but my initial thoughts are that the compatibility is hard to achieve, because Windows lacks the exec() equivalent of Linux.

    • Edited by Jani, Sunday, November 13, 2016 11:06 AM
    Sunday, November 13, 2016 11:06 AM
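An added example, not code from any poster in this thread, that scripts SamHillAu's isolated-svchost steps and also addresses the stale-copy concern raised in this reply: it refreshes the copy only when its hash no longer matches the real svchost.exe, so it can be run at every boot (for instance from a scheduled task). It assumes an elevated PowerShell session on Windows 10; the copy name and the `netsvcs` group come from the posts above, the rule name and the 80/443 ports are assumptions, and, as both posters say, the approach is untested against a live Windows Update service.

```powershell
# Added example, not code from the thread; untested against a live Windows Update service,
# as the posters themselves say. Run elevated.
$Source   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$Copy     = Join-Path $env:SystemRoot 'System32\svchost-wuauserv.exe'   # name from SamHillAu's post
$RuleName = 'Allow Windows Update host (svchost-wuauserv.exe)'          # assumed rule name

function Update-IsolatedSvchostCopy {
    # Jani's concern: a servicing update replaces svchost.exe but not the copy. Compare
    # hashes and refresh only when they differ, so this is safe to run at every boot.
    $srcHash = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
    $dstHash = if (Test-Path $Copy) { (Get-FileHash -Path $Copy -Algorithm SHA256).Hash } else { $null }
    if ($srcHash -eq $dstHash) { return $false }
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue   # release the locked image
    Copy-Item -Path $Source -Destination $Copy -Force
    return $true
}

function Set-IsolatedWuauserv {
    # Point wuauserv at the copy, keeping the 'netsvcs' group, and force its own process
    # so no other service shares the image the firewall rule allows.
    # The space after each '=' is required by sc.exe's argument syntax.
    & sc.exe config wuauserv binPath= "$Copy -k netsvcs" type= own | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

function Set-IsolatedWuauservRule {
    # Outbound allow for the dedicated image only; with a default-block outbound profile
    # everything still hosted by the real svchost.exe stays blocked.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Program $Copy -Protocol TCP -RemotePort '80', '443' | Out-Null
}

if (Update-IsolatedSvchostCopy) { 'svchost-wuauserv.exe refreshed from svchost.exe' }
Set-IsolatedWuauserv          # idempotent; also repairs the path if servicing reset it
Set-IsolatedWuauservRule
Start-Service -Name wuauserv
# Verify that the service now points at the copy.
(Get-CimInstance Win32_Service -Filter "Name='wuauserv'").PathName
```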
  • For example, 186 svchost.exe services exist in my Windows 10 Professional 1703. I blocked all inbound rules of my firewall and allowed only specific outbound rules. The most important of them are (rule name = program or service = protocol = local ports = remote ports):
    1) Host Process for Windows Services (svchost.exe) = C:\Windows\system32\svchost.exe = TCP = Local Ports: 49152-65535 = Remote Port: 80, 443.
    Then, we must create some rules for these (svchost.exe) services:
    2) DHCP Client Service = DHCP Client = UDP = Local & Remote Ports: 67-68, 546, 547
    3) DNS Client Service = DNS Client = UDP = Local Ports: 49152-65535 = Remote Port: 53
    4) Windows Time Service = Windows Time = UDP = Local & Remote Port: 123
    Then, we must create rules for all other (183 svchost.exe) services, except those mentioned above. Pay attention: we must create deny rules for all of them on any protocol and any local & remote ports. I know, it's a little time consuming. Afterward, we must disable (just disable) some of them:
    5) Background Intelligent Transfer Service
    6) Client License Service (ClipSVC)
    7) Device Setup Manager
    8) Microsoft Account Sign-in Assistant
    9) Network Connection Broker
    10) Security Center
    11) Sync Host
    12) Tile Data model server
    13) Update Orchestrator Service
    14) Windows Driver Foundation
    15) Windows Error Reporting Service
    16) Windows License Manager Service
    17) Windows Update Service

    As a result, only these sixteen svchost.exe services can access the Internet and our system can function normally. It's worth noting that all these sixteen svchost.exe services are not required. After doing all this, we can now allow only the programs that we want to access the Internet: each program on TCP local ports 49152-65535 and TCP remote ports 80, 443.

    If we cannot stop the activity of one thing, then we have to limit it. For this reason, the United States is using sanctions against the Iranian and North Korean regimes. Pay attention: 16 svchost.exe services versus 186 svchost.exe services. This is a big improvement.

    • Edited by Seeg Wun Friday, September 1, 2017 9:23 PM
    Friday, September 1, 2017 5:15 PM
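An added example, not the poster's own script, that builds the rule set described in the post above with the NetSecurity cmdlets: default-block both directions, the program-level svchost.exe allow (rule 1), the per-service allows (rules 2-4), and an explicit deny for every other service whose image path is svchost.exe, enumerated from the service database rather than typed by hand. It assumes an elevated PowerShell session on Windows 10; the service short names (Dhcp, Dnscache, W32Time) and the rule-name prefix are assumptions, not values from the post.

```powershell
# Added example, not the poster's own script. Run elevated on Windows 10 (NetSecurity module).
# Service short names are assumptions mapping the post's display names:
# 'DHCP Client' = Dhcp, 'DNS Client' = Dnscache, 'Windows Time' = W32Time.
$Svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$Prefix  = 'svchost lockdown'   # assumed display-name prefix so the whole set can be found and removed

# Rules 2-4 of the post: services that keep their own outbound allow.
$PerServiceAllow = @(
    @{ Service = 'Dhcp';     Protocol = 'UDP'; LocalPort = @('67-68','546','547'); RemotePort = @('67-68','546','547') }
    @{ Service = 'Dnscache'; Protocol = 'UDP'; LocalPort = '49152-65535';            RemotePort = '53' }
    @{ Service = 'W32Time';  Protocol = 'UDP'; LocalPort = '123';                    RemotePort = '123' }
)

function Get-SvchostHostedServiceName {
    # Every service whose image path is svchost.exe (the post counts 186 of them on 1703).
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '\\svchost\.exe' } |
        Select-Object -ExpandProperty Name
}

function New-SvchostLockdown {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Block

    # Rule 1: program-level allow. Windows Update's connections carry no service tag
    # (Jani's thread-pool finding above), so this is the rule they end up matching.
    New-NetFirewallRule -DisplayName "$Prefix - svchost.exe TCP 80,443" -Direction Outbound -Action Allow `
        -Program $Svchost -Protocol TCP -LocalPort '49152-65535' -RemotePort '80', '443' | Out-Null

    foreach ($r in $PerServiceAllow) {
        New-NetFirewallRule -DisplayName "$Prefix - allow $($r.Service)" -Direction Outbound -Action Allow `
            -Program $Svchost -Service $r.Service -Protocol $r.Protocol `
            -LocalPort $r.LocalPort -RemotePort $r.RemotePort | Out-Null
    }

    # Explicit deny for every other svchost-hosted service, any protocol and port. Block rules
    # take precedence over allow rules, so a tagged service cannot ride on rule 1.
    $keep    = $PerServiceAllow | ForEach-Object { $_.Service }
    $blocked = @(Get-SvchostHostedServiceName | Where-Object { $keep -notcontains $_ })
    foreach ($svc in $blocked) {
        New-NetFirewallRule -DisplayName "$Prefix - block $svc" -Direction Outbound -Action Block `
            -Program $Svchost -Service $svc -Protocol Any | Out-Null
    }
    return $blocked.Count
}

function Remove-SvchostLockdown {
    # Undo: every rule created above carries the prefix.
    Get-NetFirewallRule -DisplayName "$Prefix - *" | Remove-NetFirewallRule
}

'Created deny rules for {0} svchost-hosted services' -f (New-SvchostLockdown)
```

Services the post says to disable afterwards (items 5-17) are left to the administrator; the script only touches firewall rules.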
  • I wonder if anyone found a solution for it? I figured it out until the "netsvcs" process. I am not able to create a firewall rule which only allows "svchost" with "netsvcs".

    Any help is welcome.

    Regards

    dT4b

    Sunday, October 13, 2019 1:22 PM