Closed savchenko closed 3 years ago
Sorry if this is a stupid question, but if one blocks svchost.exe, is there any other functionality that goes missing except Windows Update?
(Note: in v3.x there is a separate "Allow" setting for Microsoft update servers under Blocklist, but you still have to allow svchost.exe for Windows Update to work.)
> is there any other functionality that goes missing except Windows Update?
I would leave this to people familiar with NT systems.
> but you still have to allow svchost.exe for Windows Update to work
That's the crux of it.
For my personal usage, I see no adverse effects apart from dysfunctional updates.
With `svchost.exe` allowed network access:

```
> Get-WindowsUpdate -Verbose
VERBOSE: PC (08/08/2019 21:04:51): Connecting to Microsoft Update server. Please wait...
VERBOSE: Found [0] Updates in pre search criteria
>
```

Not allowed:

```
> Get-WindowsUpdate -Verbose
VERBOSE: WIN (08/08/2019 21:05:26): Connecting to Microsoft Update server. Please wait...
>
```
Hacky temporary solution, see paragraph №21 at https://github.com/stoptracking/windows10.
Looking at https://www.binisoft.org/changelog.txt, Alexandru has managed to implement it in "Windows Firewall Control" which, AFAIK, also uses WFP.
If someone has an account at "Wilders Security", they might try asking him how. The creator of TinyWall seems to hang out in the same thread.
I have blocked everything, and if I ever need an update then I temporarily allow the object that corresponds to the updateable component.
@fcore117, same here. Updates, for example:
```powershell
# Update Windows
function updatecmd {
    # Temporarily switch the svchost.exe rule from Block to Allow
    $rule = Get-NetFirewallRule -DisplayName block_service_host
    if ($rule.Action -eq 'Block') {
        Set-NetFirewallRule -DisplayName block_service_host -Action Allow
    }
    try {
        # Get-WindowsUpdate comes from the PSWindowsUpdate module
        Get-WindowsUpdate -Verbose -Install -AcceptAll
        Read-Host "Press Enter to continue..."
    }
    finally {
        # Re-block even if the update run fails or is interrupted
        Set-NetFirewallRule -DisplayName block_service_host -Action Block
    }
}

# Run updatecmd elevated (updatecmd must be defined in the profile the new process loads)
function sudo_updatecmd {
    Start-Process -FilePath powershell.exe -ArgumentList 'updatecmd' -Verb RunAs
}

Set-Alias -Name update -Value sudo_updatecmd
```
This seems to be resolved now. Running 10.0.19044 (21H2), `svchost.exe` can stay blocked while Windows is updated with only the "Windows update service" enabled.
The system has "Delivery optimisation" disabled via GPO. @henrypp, attaching the log of TCP ops: winupdate.CSV
Perhaps it's worth clarifying this point in Simplewall docs?
@savchenko I still have to allow svchost.exe. Does this really work in your case with svchost.exe blocked?
As far as I can tell. I can additionally include the `svchost` in the Procmon log if that is of any help.
False alarm, the problem is back after the reboot.
> Sorry if this is a stupid question, but if one blocks svchost.exe, is there any other functionality that goes missing except Windows Update?
Yes, if you block it, many things will not be able to connect and fail. Like cloning a git repo in a terminal.
This is old, but has anyone come up with a solution for this?
Now, blocking svchost.exe and allowing when needed was OK, but it is getting really annoying, yet not annoying enough to wholesale allow svchost.exe.
There has to be a solution to this. Like, if svchost.exe is started by "example program" allow svchost.exe for "some amount of time". Or, always allow it if started by some app you know and trust.
It almost seems like svchost was designed this way to annoy people to the point that they just allow it, which basically grants access to anything, anytime, to do whatever it wants.
At present, mostly due to Windows Update, `svchost.exe` needs to have Internet access allowed. This leads to:

What are the options?
From the above, only №3 seems to be feasible unless https://github.com/henrypp/simplewall/issues/367 gets some traction. Which is, at present, unlikely to happen due to https://github.com/henrypp/simplewall/issues/88#issuecomment-345613787.
There is an MSDN article about the `INetFwServiceRestriction` interface. @henrypp, do you think this is something that can be used to differentiate between svchost instances?

Otherwise, I was thinking that maybe with the cooperation of @crazy-max (WindowsSpyBlocker), @henrypp and community, the following solution can be made:

`svchost.exe` is whitelisted to these ranges via the existing interface.

Thoughts?
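
One way to see which services behind each `svchost.exe` instance actually hold network connections, and so what a blanket allow rule for `svchost.exe` ends up covering. This is an added example, not code from the thread or from simplewall; it uses only the built-in `Get-CimInstance` and `Get-NetTCPConnection` cmdlets and assumes an elevated PowerShell prompt.

```powershell
# Added example: map svchost.exe TCP activity back to the hosted services.
# Run elevated so that every connection's owning process is visible.

# Lookup table: PID -> names of the services hosted in that svchost.exe instance.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
    ForEach-Object {
        $servicesByPid[[int]$_.ProcessId] += @($_.Name)
    }

# Outbound-looking TCP connections owned by a svchost.exe instance.
# Listeners and loopback/unspecified remote addresses are skipped.
# UDP (for example DNS lookups) is not covered: UDP endpoints carry no remote address.
Get-NetTCPConnection |
    Where-Object {
        $servicesByPid.ContainsKey([int]$_.OwningProcess) -and
        $_.State -ne 'Listen' -and
        $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1'
    } |
    Group-Object -Property OwningProcess |
    ForEach-Object {
        $remotes = $_.Group |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
            Sort-Object -Unique
        [pscustomobject]@{
            PID      = [int]$_.Name
            Services = $servicesByPid[[int]$_.Name] -join ', '
            Remotes  = $remotes -join ', '
        }
    } |
    Sort-Object -Property PID |
    Format-Table -AutoSize -Wrap
```

The output is a snapshot: a service that connects only briefly has to be caught while its connection is open, so run it during the activity in question, for example while an update check is in progress.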