Windows – Does Windows Firewall have the ability to log which exe is blocked

Tags: windows, windows-firewall

We would like to distribute a firewall program with our product.

I can configure the Windows Firewall to block outgoing connections (which it does not by default):

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

But then I need to know when one is blocked so it can ask if it should be unblocked.

I tried turning on logging, but it does not log the path to the exe. Is there a way to get that logged?

I posted a question on StackOverflow to try an event detection method, but if there was a way to turn on logging of the path to the exe, I wanted to know about it. I hope to stay with Java which is limited in event detection.

I don't mind calling any command-line programs, also don't mind using vbscripts. But what I need is to know as soon as an outgoing connection from an exe is blocked and which exe.

Best Answer

p0rkjello answered correctly but left out key things; after struggling for hours I found the solution.

  1. Open CMD with administrator privileges and paste the command: auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
  2. Open event viewer and go to Windows logs > Security
  3. From right side panel select Filter log > Keywords > Select "Audit failure"

Information that can be found here includes the application name, destination IP, connection direction and more.

Edit: On 9th April 2020

I found an easier way to check the event log using the PowerShell command below:

Get-EventLog security -newest 10 -InstanceId 5157 -Message *Destination* | Select @{Name="message";Expression={ $_.ReplacementStrings[1] }}
  • Replace newest 10 with the number of entries you want to search.
  • Select @{Name="message";Expression={ $_.ReplacementStrings[1] }} extracts the application name.
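Putting the steps of the answer together, here is an added PowerShell example (not code from the original answer or from any linked project) that enables the same audit subcategory and then reads event 5157 as structured objects, so the application path, direction and destination can be acted on by a program rather than read off Event Viewer. The field names and the Direction codes (%%14592 inbound, %%14593 outbound) come from the 5157 event template; the polling interval and the callback hook are assumptions for illustration. It needs an elevated session.

```powershell
# Added example, not from the original answer. Run as administrator.

# 1. Failure auditing for the "Filtering Platform Connection" subcategory
#    (same GUID as in the answer above) makes each blocked connection
#    produce Security event 5157.
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable | Out-Null

# 2. Read 5157 events and turn the EventData fields into objects.
#    Application is a kernel device path such as
#    \device\harddiskvolume3\windows\system32\svchost.exe, not a drive letter.
function Get-BlockedConnection {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-10),
        [int]$MaxEvents = 50
    )
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ProcessId   = [int]$d['ProcessID']
                Application = $d['Application']
                # %%14593 is Outbound, %%14592 is Inbound in the 5157 template
                Direction   = if ($d['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
                Destination = "$($d['DestAddress']):$($d['DestPort'])"
                # IANA protocol numbers: 6 = TCP, 17 = UDP
                Protocol    = switch ($d['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } default { $d['Protocol'] } }
            }
        }
}

# 3. Poll for new blocks and hand each one to a callback; the product's
#    "ask the user whether to unblock" logic would go in that callback.
#    The 2-second interval is an assumed value.
function Watch-BlockedConnection {
    param([scriptblock]$OnBlock, [int]$IntervalSeconds = 2)
    $last = Get-Date
    while ($true) {
        foreach ($e in (Get-BlockedConnection -Since $last | Sort-Object Time)) {
            # StartTime is inclusive, so step past the newest event seen
            $last = $e.Time.AddMilliseconds(1)
            & $OnBlock $e
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Usage: report each newly blocked outbound connection.
Watch-BlockedConnection -OnBlock {
    param($e)
    if ($e.Direction -eq 'Outbound') {
        "{0} blocked {1} -> {2} ({3})" -f $e.Time, $e.Application, $e.Destination, $e.Protocol
    }
}
```

Get-WinEvent with -FilterHashtable is used instead of the answer's Get-EventLog because it filters on the server side and returns the event XML, which avoids depending on the positional order of ReplacementStrings.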