
I'm running into an issue disabling the Windows 10 Firewall -- it gets disabled, but after several seconds something enables it back. There were no programs installed or configuration changes made when this started to happen.

Here is a Screencast demonstrating the issue.

When I shut down the Firewall the hard way, by stopping the underlying service, it gets disabled; however, Cortana stops working ... But that's yet another story.

Any ideas?

UPDATE 1. Event Log

After turning it off I see two event log entries.

A Windows Firewall setting in the Public profile has changed.
New Setting:
    Type:   Enable Windows Firewall
    Value:  No
    Modifying User: EUGENE-PC\nrj
    Modifying Application:  C:\Windows\System32\dllhost.exe

And the second one 13 seconds later -- something reset the configuration to default...

Windows Firewall has been reset to its default configuration.

    ModifyingUser:  SYSTEM
    ModifyingApplication:   C:\Windows\SysWOW64\netsh.exe

UPDATE 2. Auditing process tracking results

After enabling audit process tracking, here is the trail that the automatic firewall re-enabling leaves.

A new process has been created.

Creator Subject:
    Security ID:        SYSTEM
    Account Name:       EUGENE-PC$
    Account Domain:     NGROUP
    Logon ID:       0x3E7

Target Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Process Information:
    New Process ID:     0x1ae4
    New Process Name:   C:\Windows\SysWOW64\netsh.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\System Mandatory Level
    Creator Process ID: 0x798
    Creator Process Name:   C:\Windows\SysWOW64\cmd.exe
    Process Command Line:   

UPDATE 3. SOLUTION!

Using Scott Chamberlain's advice I've finally figured out the execution initiation path and found the culprit!

Here are the event log entries that allowed me to figure this out.

A new process has been created.

Creator Subject:
    Security ID:        SYSTEM
    Account Name:       EUGENE-PC$
    Account Domain:     NGROUP
    Logon ID:       0x3E7

Target Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Process Information:
    New Process ID:     **0x1950**
    New Process Name:   C:\Windows\SysWOW64\cmd.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\System Mandatory Level
    Creator Process ID: 0xca0
    Creator Process Name:   **C:\Program Files (x86)\TunnelBear\TBear.Maintenance.exe**
    Process Command Line:   

Then the entry for the netsh run follows, and it is started by the process with ID 0x1950!

Process Information:
    New Process ID:     0x21b4
    New Process Name:   C:\Windows\SysWOW64\netsh.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\System Mandatory Level
    Creator Process ID: 0x1950
    Creator Process Name:   C:\Windows\SysWOW64\cmd.exe
    Process Command Line:

Here is our "hero" that made me go mad: https://www.tunnelbear.com/.


  • Are you on a domain? And do you have any 3rd party anti-virus software installed? Commented Oct 3, 2016 at 19:49
  • @ScottChamberlain, no antivirus, even tried turning off Windows Defender -- with no difference. I'm in a workgroup, no domain, or domain policies applied. Commented Oct 3, 2016 at 19:51
  • If you're not on a domain, then what's "NGROUP"? Commented Oct 3, 2016 at 22:05
  • @Ƭᴇcʜιᴇ007, it's a "workgroup" with my 2 computers inside. Commented Oct 3, 2016 at 22:15
  • @Psycogeek, the thing is that I've marked Scott Chamberlain's advice as the solution, because it is his advice - I just did the last step myself. Commented Oct 3, 2016 at 22:30

1 Answer

Not really a solution, but this may help you figure out what is causing it.

Check your event log by running the "Event Viewer" app. Go to Applications and Services logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security and view the Firewall log.

That log should record an event whenever the firewall is enabled or disabled, with an event similar to

A Windows Firewall setting in the Public profile has changed.
New Setting:
    Type:   Enable Windows Firewall
    Value:  Yes
    Modifying User: MyMachine\srchamberlain
    Modifying Application:  C:\Windows\System32\dllhost.exe

You can check the Modifying Application property to see which app initiated the firewall change.


UPDATE 1:

So it appears something is running netsh on a semi-regular basis. I would check Applications and Services logs -> Microsoft -> Windows -> TaskScheduler -> Operational in the event viewer to see if it is a scheduled task doing it.

If that does not show it being run, run secpol.msc and enable Audit process tracking to see who started netsh. Once it is enabled you can go to Windows Logs -> Security and find the "Audit Success" entry for that process.

Here is an example of me manually starting notepad.exe with it on.

A new process has been created.

Creator Subject:
    Security ID:        MyMachine\srchamberlain
    Account Name:       srchamberlain
    Account Domain:     MyMachine
    Logon ID:       0x71FA757

Target Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Process Information:
    New Process ID:     0x1510
    New Process Name:   C:\Windows\System32\notepad.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x938
    Creator Process Name:   C:\Windows\explorer.exe
    Process Command Line:   

The thing we are most interested in is the Creator Process Name.

  • Thank you, really appreciate this advice. Please see the post updated. Commented Oct 3, 2016 at 21:08
  • @EugeneD.Gubenkov see my update for the next step. Commented Oct 3, 2016 at 21:24
  • You rock, man! I've figured that out finally using your technique with Auditing -- writing the update in the post right now! Appreciate your helping hand! Commented Oct 3, 2016 at 22:03
  • You need to follow the chain backward. Find out who started cmd.exe and keep going back till you find the beginning of the chain Commented Oct 3, 2016 at 22:04
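The procedure the answer and its last comment describe (enable process-creation auditing, look at the firewall log, then follow the 4688 creator chain backwards until you reach the origin) can be scripted instead of clicked through in Event Viewer. The following is an added example, not code from the original post or from Scott Chamberlain; it assumes an elevated PowerShell prompt on Windows 10, that the Security log still holds the 4688 events of interest, and that the 4688 event XML carries the fields NewProcessId, NewProcessName, ProcessId (the creator PID) and ParentProcessName, which is what the entries pasted above show under their friendlier display names. The registry value that turns on command-line capture is named here as I know it and is marked as an assumption in the code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): script the answer's procedure.

# 1. Same effect as enabling "Audit process tracking" in secpol.msc.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# Optional: also record the command line. The "Process Command Line" field in
# the post is empty because this policy was off. Path/value name as I know it
# (assumption): Audit Process Creation -> Include command line in process creation events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Recent firewall state changes and who made them (the log the answer points at).
function Get-FirewallChangeSummary {
    param([int]$MaxEvents = 200)
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match 'Enable Windows Firewall|reset to its default' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# Scheduled tasks whose action runs netsh (quick check before digging into 4688).
function Get-NetshScheduledTasks {
    Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'netsh' } |
        Select-Object TaskName, TaskPath, State
}

# 3. Parse 4688 events into objects. Get-WinEvent returns newest first; hex PIDs
#    such as "0x1ae4" convert to [int] directly in PowerShell.
function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Pid         = [int]$d['NewProcessId']
                Name        = $d['NewProcessName']
                Creator     = [int]$d['ProcessId']          # creator PID
                CreatorName = $d['ParentProcessName']
                CommandLine = $d['CommandLine']
            }
        }
}

# 4. Follow the chain backwards: child -> creator -> creator's creator ...
#    PIDs are reused, so for each creator PID take the newest creation event
#    that happened before the child was created.
function Trace-ProcessChain {
    param(
        [string]$LeafName = 'netsh.exe',
        [int]$MaxDepth = 10
    )
    $events = Get-ProcessCreationEvents
    $leaf = $events | Where-Object { $_.Name -like "*\$LeafName" } | Select-Object -First 1
    if (-not $leaf) { Write-Warning "No 4688 event for $LeafName found"; return }

    $chain = @($leaf)
    $current = $leaf
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        $parent = $events |
            Where-Object { $_.Pid -eq $current.Creator -and $_.Time -le $current.Time } |
            Select-Object -First 1
        if (-not $parent) { break }   # origin not audited (started before auditing, or a service host)
        $chain += $parent
        $current = $parent
    }
    [array]::Reverse($chain)          # oldest ancestor first
    $chain
}

Get-FirewallChangeSummary | Format-Table -AutoSize
Get-NetshScheduledTasks   | Format-Table -AutoSize
Trace-ProcessChain -LeafName 'netsh.exe' |
    Format-Table Time, @{ n = 'PID'; e = { '0x{0:x}' -f $_.Pid } }, Name,
                 @{ n = 'Creator'; e = { '0x{0:x}' -f $_.Creator } }, CreatorName -AutoSize
```

On the system in the question the chain printed by Trace-ProcessChain would end at TBear.Maintenance.exe -> cmd.exe -> netsh.exe. If the walk stops at cmd.exe with no parent found, the creator was started before auditing was switched on; wait for the next reset (it recurs every few seconds here) and run the trace again.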
