microsoft / PowerToys

Windows system utilities to maximize productivity
MIT License

PowerToys installer fails if firewall is active #16688

Closed IMNdi closed 2 years ago

IMNdi commented 2 years ago

Microsoft PowerToys version

0.56

Running as admin

Area(s) with issue?

Installer

Steps to reproduce

When PowerToys says an updated version is available, click to update it

✔️ Expected Behavior

Installer fails with a retry button. After firewall asks permission for internet access, is granted, then Retry resumes the installation.

❌ Actual Behavior

Installer fails.

When PowerToys downloads an installer, it starts, attempts to access the internet as "temp\random GUID\random.exe" (or whatever, I can't check because I updated before I started this report) and gets told off because firewalls.

Because it always uses a new name or ID or both, it is never authorized and because it doesn't wait or allow a manual resume it never completes.

https://pastebin.com/RmMbjTdu

Other Software

Windows Filtering Platform firewall managed by Binisoft Windows Firewall Control (now Malwarebytes Firewall Control)

crutkas commented 2 years ago

We download two items, a WebView2 runtime and dotnet 6 runtime. https://dotnet.microsoft.com/download/dotnet/thank-you/runtime-desktop-6.0.2-windows-x64-installer is where you can manually get it from.

https://github.com/microsoft/PowerToys#requirements is what we use

Here is the line we use https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/PowerToys.wxs#L67 which is the same URL as https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-desktop-6.0.2-windows-x64-installer

I don't know if we can do much about this as this is more of a .NET issue at this point.

IMNdi commented 2 years ago

It's not that the runtime changes name, it's that the setup does. And an unknown executable should be regarded as at least potentially harmful and be blocked by default if not for security then at least for privacy.

PowerToys itself is allowed through, since it can check for updates, download the setup and run it; it's the setup that is not allowed to link out.

A simple (relatively) workaround is for the PowerToys exe itself to download all 3 files and run setup locally. This would bypass any firewalls.

I am (personally) of the opinion that online setups are a blight on humanity, because, as an administrator, I find them impossible to deploy since not all machines are allowed internet access. I understand that some redistributables HAVE to be deployed from the source for license reasons, but this makes them undeployable from sources like internal networks and physical media. I still run legacy IPX NetWare systems migrated to TCP/IP whose only defense is not being online.

Another workaround is for the setup to enter a fail state where it says "Can't download .NET (item)" with a retry button and a "manual download" button that shellexecutes http:// so I can use whatever browser I need.

Another workaround would be to check to see if a sufficient requirement is already installed. I think every setup fails, and I'm pretty sure not every update needed another .NET. This would make deployment easier incrementally.

Another workaround is for setup to add itself to Windows firewall before downloading and then remove itself after it's done - while WFC has the ability to delete "foreign" rules, I think this is edge case enough that a simple firewall rule addition would elegantly solve Windows Firewall issues.
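
The two workarounds proposed in the comment above (skip the download when a sufficient runtime is already installed, and add a firewall rule only for the duration of setup) can be sketched as follows. This is an added example, not part of the thread and not PowerToys' own installer code; `$InstallerPath`, the rule name and `Test-DesktopRuntime6` are hypothetical, and it assumes the process that downloads is the executable at `$InstallerPath` (a bundle that relaunches from a randomly named temp copy, as the report describes, would not match the rule).

```powershell
#Requires -RunAsAdministrator
# Added example: names and paths below are hypothetical, not from the PowerToys code base.
param(
    [Parameter(Mandatory)] [string] $InstallerPath   # full path to the downloaded setup executable
)

$ErrorActionPreference = 'Stop'
$InstallerPath = (Resolve-Path -LiteralPath $InstallerPath).Path

# Check whether a .NET 6 desktop runtime is already present, so no download is needed.
function Test-DesktopRuntime6 {
    if (-not (Get-Command dotnet -ErrorAction SilentlyContinue)) { return $false }
    $hits = & dotnet --list-runtimes |
        Where-Object { $_ -match '^Microsoft\.WindowsDesktop\.App 6\.' }
    return [bool]$hits
}

# Never open the firewall for a binary whose Authenticode signature does not verify.
# 'Valid' only means the chain checks out; compare $sig.SignerCertificate.Subject
# against the publisher you expect before trusting it.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to allow '$InstallerPath': signature status is $($sig.Status)"
}

$needsNetwork = -not (Test-DesktopRuntime6)
$ruleName     = "Temp-Setup-Outbound-$([guid]::NewGuid())"

try {
    if ($needsNetwork) {
        # Scope the exception to this one program, outbound HTTPS only.
        New-NetFirewallRule -Name $ruleName -DisplayName $ruleName `
            -Direction Outbound -Action Allow -Program $InstallerPath `
            -Protocol TCP -RemotePort 443 | Out-Null
    }
    $proc = Start-Process -FilePath $InstallerPath -Wait -PassThru
    "Installer exit code: $($proc.ExitCode)"
}
finally {
    # Remove the rule even if setup fails, so no stale allow entry is left behind.
    if ($needsNetwork) {
        Remove-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
    }
}
```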

Jay-o-Way commented 2 years ago

Is this still an issue?

IMNdi commented 2 years ago

I wouldn't know, PowerToys no longer runs on OSs 2+ years old. 0.6.0 stopped installing on mine and all my VMs.

I think the last few installs worked after firewall prompting. So I guess it's fixed?

Vinfall commented 2 years ago

I can confirm that the latest version (v0.60.1) of PowerToys setup install does not trigger a firewall prompt to access internet in the latest Windows 11 Dev Channel (25163.1010). I've already installed the runtimes so I cannot confirm if there will be a fail state where it says "Can't download .NET (item)" with a retry button and a "manual download" button that shellexecutes http:// like IMNdi suggested. But the setup executable does not ask for internet access anyway.

In other words, yes, it's fixed.