I'm running into an issue disabling the Windows 10 Firewall: it gets disabled, but after several seconds something enables it again. No programs were installed and no configuration changes were made when this started to happen.
Here is a Screencast demonstrating the issue.
When I shut down the Firewall the hard way, by stopping the underlying service, it gets disabled; however, Cortana stops working... But that's yet another story.
Any ideas?
UPDATE 1. Event Log
After turning it off I see two event log entries.
A Windows Firewall setting in the Public profile has changed.
New Setting:
Type: Enable Windows Firewall
Value: No
Modifying User: EUGENE-PC\nrj
Modifying Application: C:\Windows\System32\dllhost.exe
And the second one, 13 seconds later: something reset the configuration to its defaults...
Windows Firewall has been reset to its default configuration.
Modifying User: SYSTEM
Modifying Application: C:\Windows\SysWOW64\netsh.exe
UPDATE 2. Audit process tracking results
After enabling audit process tracking, here is the trail that the automatic firewall re-enabling leaves.
A new process has been created.
Creator Subject:
Security ID: SYSTEM
Account Name: EUGENE-PC$
Account Domain: NGROUP
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ae4
New Process Name: C:\Windows\SysWOW64\netsh.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x798
Creator Process Name: C:\Windows\SysWOW64\cmd.exe
Process Command Line:
UPDATE 3. SOLUTION!
Using Scott Chamberlain's advice I've finally figured out the execution initiation path and found the culprit!
Here are the Event Log entries that allowed me to figure this out.
A new process has been created.
Creator Subject:
Security ID: SYSTEM
Account Name: EUGENE-PC$
Account Domain: NGROUP
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: **0x1950**
New Process Name: C:\Windows\SysWOW64\cmd.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xca0
Creator Process Name: **C:\Program Files (x86)\TunnelBear\TBear.Maintenance.exe**
Process Command Line:
Then comes the entry for the netsh run, and it is started by the process with ID 0x1950!
Process Information:
New Process ID: 0x21b4
New Process Name: C:\Windows\SysWOW64\netsh.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1950
Creator Process Name: C:\Windows\SysWOW64\cmd.exe
Process Command Line:
Here is our "hero" that made me go mad: https://www.tunnelbear.com/.
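The procedure the updates above walk through by hand (turn on process-creation auditing, find the netsh.exe creation in the Security log, then follow the Creator Process ID back through its parents) can be scripted. The following PowerShell is an added example written for this page; it is not part of the original post and not TunnelBear's code. It assumes an elevated prompt on Windows 10, and the function and parameter names (Get-EventField, Get-ProcessAncestry, -ProcessName, -HoursBack, -MaxDepth) are mine. Note that the "Process Command Line:" field in the entries above is empty because command-line capture is a separate setting from the audit policy itself; the first two lines below enable both.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.

# 1. Enable "Audit Process Creation" (event 4688) and include the command line in it.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Pull one named field out of a 4688 event's EventData block.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. For every creation of $ProcessName, walk the Creator Process ID chain upwards.
function Get-ProcessAncestry {
    param(
        [string]$ProcessName = 'netsh.exe',   # assumed target, as in the post
        [int]$HoursBack = 1,
        [int]$MaxDepth = 10
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue
    if (-not $events) { return }

    # Parse each event once; PIDs come back as hex strings such as "0x1950".
    $creations = foreach ($e in $events) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Pid       = Get-EventField $e 'NewProcessId'
            Name      = Get-EventField $e 'NewProcessName'
            ParentPid = Get-EventField $e 'ProcessId'          # "Creator Process ID" in the UI
            Cmd       = Get-EventField $e 'CommandLine'        # empty unless cmdline capture is on
        }
    }

    foreach ($t in ($creations | Where-Object { $_.Name -like "*\$ProcessName" })) {
        $chain = @("$($t.Name) [$($t.Pid)] $($t.Cmd)".TrimEnd())
        $cur = $t
        for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
            # PIDs are reused: take the most recent creation of the parent PID
            # that precedes the child's own creation time.
            $parent = $creations |
                Where-Object { $_.Pid -eq $cur.ParentPid -and $_.Time -le $cur.Time } |
                Sort-Object Time -Descending | Select-Object -First 1
            if (-not $parent) {
                # No 4688 for the parent: it was started before auditing was enabled
                # (typical for a long-running service). If it is still alive, name it.
                $live = Get-CimInstance Win32_Process `
                    -Filter "ProcessId = $([Convert]::ToInt32($cur.ParentPid, 16))"
                if ($live) { $chain += "$($live.ExecutablePath) [$($cur.ParentPid)] (still running, pre-audit)" }
                break
            }
            $chain += "$($parent.Name) [$($parent.Pid)] $($parent.Cmd)".TrimEnd()
            $cur = $parent
        }
        [pscustomobject]@{
            Time  = $t.Time
            Chain = $chain -join '  <-  '
        }
    }
}

# Usage: wait for the firewall to be re-enabled once, then trace who launched netsh.
Get-ProcessAncestry -ProcessName 'netsh.exe' -HoursBack 2 | Format-List
```

On the machine in the post the output would read, per netsh launch, netsh.exe <- cmd.exe <- the creator of cmd.exe, which is the entry Update 3 found by eye. The fallback to Win32_Process matters in exactly that case: a service that has been running since boot leaves no 4688 of its own in the audited window, so the chain would otherwise stop at cmd.exe with only a Creator Process ID.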