
I want to create a Windows firewall rule that allows outbound tracert.exe connections. But when I:

  1. go in the 'windows firewall with advanced security' panel

  2. block all outbound connections

  3. create a rule to allow outbound connections for cmd.exe, and tracert.exe, allowing all protocols

  4. open a command prompt and type:

    c:\Users\Administrator>tracert xx.xx.xx.xx

it doesn't work; the Windows firewall still blocks it.

P.S. When, in the firewall window, I allow all outbound connections, tracert works well.

P.P.S. In the past I also noticed that, depending on the Windows OS, if I set the rule with the path '%SystemRoot%\System32...' it doesn't work, and the rule MUST be set as 'c:\Windows\System32...' to work well. But that's not my case, as I tried both combinations, applying two rules, one for cmd.exe and one for TRACERT.EXE. It doesn't work either way.

P.P.P.S. I have some outbound rules for some .exe files that allow their outbound connections (while all outbound connections that don't match a rule are blocked), and those programs work well.

...It seems to me that, when TRACERT.EXE is launched from the cmd.exe console, another .exe could also be launched, or it could work through a svchost.exe...

(I also tried executing it through Sysinternals tcpview.exe, but no TCP or UDP connections are visible, so it seems the ICMP protocol is being used)

Please, is there anyone who knows what could be the cause of this behaviour?

Thank you.

  • Does this answer your question? tracert command is not working but able to access the same site through browsers
    – user1820994
    Commented Jul 26, 2023 at 16:02
  • Thanks @oxou, but I suppose that, in the other post, there is a rule that allows the browser's outbound connections, but not the cmd.exe or tracert.exe connections. Anyway, that post doesn't speak about a custom Windows firewall rule for cmd.exe or tracert.exe outbound connections.
    – Marcello
    Commented Jul 26, 2023 at 16:15
  • Make sure you select protocol ICMPv4, then verify that all ICMP types are selected under ICMP Settings > Customize. Try enabling the prebuilt rule named "Core Networking Diagnostics - ICMP Echo Request (ICMPv4-Out)". I see all the ICMP rules define SYSTEM as the application, so maybe you cannot specify a single .exe
    – Cpt.Whale
    Commented Jul 26, 2023 at 19:02

1 Answer

Ok, solved!

The problem is that, when TRACERT.EXE is launched from the cmd.exe console, it starts a svchost.exe that runs through the ICMP protocol (maybe also UDP and UDPv6 on newer Windows OS versions).

The problem is that, if I set a rule for the generic program '$SystemDrive$\System32\svchost.exe', a Windows alert window appears, telling the user:

'Windows services has been restricted with rules that allow expected behavior only. Rules that specifies host processes, such has svchost.exe might not work as expected because they can conflict with Windows service-hardening rules...'

And if I create the rule anyway, and try to launch the command 'tracert.exe' through the cmd.exe console, it doesn't work.

But I have to create an outbound rule with the 'generic' program name 'System', and allow the ICMPv4 protocol (I tested on an old Windows Server 2008 R2 and it's enough; maybe on newer OS versions other protocols could be needed as well).

N.B. I think a good practice could be to enable this rule only when you need to use it, and always remember to disable it after use.
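As an added example (not part of the original answer), the same rule expressed with the NetSecurity cmdlets, including the enable-only-while-needed habit the answer recommends. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (the cmdlets do not exist on 2008 R2, where the GUI or the netsh line in the comment applies); the rule name and the traced address are placeholders.

```powershell
# Added example: outbound ICMPv4 rule bound to the "System" pseudo-program,
# as the answer describes. Windows attributes raw ICMP traffic to System,
# which is why a rule for tracert.exe or cmd.exe never matches it.
# Rule name and target address are hypothetical placeholders.
$ruleName = 'Allow tracert (ICMPv4 Echo Request out, System)'

# Create the rule once, disabled. IcmpType 8 = Echo Request, which is the
# only outbound ICMP type tracert sends; the TTL-exceeded replies are inbound.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Action Allow `
        -Program System `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -Profile Any `
        -Enabled False | Out-Null
}

# Assumed netsh equivalent for systems without the NetSecurity module
# (Server 2008 R2); check "netsh advfirewall firewall add rule ?" locally:
#   netsh advfirewall firewall add rule name="Allow tracert (System)" `
#       dir=out action=allow program=System protocol=icmpv4:8,any enable=no

# Enable only for the duration of the trace, then disable again.
Enable-NetFirewallRule -DisplayName $ruleName
try {
    tracert.exe -d 192.0.2.1   # RFC 5737 documentation address, placeholder
}
finally {
    Disable-NetFirewallRule -DisplayName $ruleName
}

# Check: list outbound allow rules bound to System for ICMPv4, which should
# show the new rule next to the prebuilt "Core Networking Diagnostics -
# ICMP Echo Request (ICMPv4-Out)" rule mentioned in the comments.
Get-NetFirewallRule -Direction Outbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -eq 'System' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Enabled
```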
