
So I already have a pretty good idea how to set up firewall rules programmatically using the INetFwPolicy2 and INetFwRule COM interface. However, how can I use the COM interop to set up a rule for a specific "Modern App"/"Metro App"/"Store App"?

If I use the Firewall MMC, I can go to:

rule -> Properties -> Programs and Services -> Application Packages

and allow/block specified packages there. But I have no idea how to do this in code. I have found the INetFwRule3 interface which provides the LocalAppPackageId property, which is what I assume does all the magic. But the LocalAppPackageId contains an SID of the package rather than its name, like microsoft.windows.photos_8wekyb3d8bbwe for example. So how can I block the package I want, when all I know is its name? I guess I have to get the SID, so how do I find that? Is the SID's scope local (unique per machine), or can I just hard-code the SID once I find it and not bother looking up the SID dynamically?

2 Answers


SID for an app container can be found using the NetworkIsolationEnumAppContainers and ConvertSidToStringSid APIs. This is what Fiddler does in their AppContainer Loopback Exemption Utility (which is how I found the API).

If you care just about SID and nothing else, it's easier to use DeriveAppContainerSidFromAppContainerName/ConvertSidToStringSid combo. You don't even have to use ConvertSidToStringSid, .NET framework already provides the conversion:

using System;
using System.Security.Principal;

// Wraps a native PSID in a managed SecurityIdentifier and returns its "S-1-15-2-..." string form.
private static string SidToString(IntPtr sid)
{
    return new SecurityIdentifier(sid).Value;
}

Curiously enough, the DeriveAppContainerSidFromAppContainerName does not check whether the app container exists on the system, it seems to just take whatever input you throw at it and generate the SID from that information alone (like a hash function).

So the complete code:

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Derives the app container SID from the package family name and returns it as a string,
// or null if the derivation fails (non-zero HRESULT).
public static string AppContainerNameToSid(string appContainerName)
{
    var sid = IntPtr.Zero;
    try
    {
        if (DeriveAppContainerSidFromAppContainerName(appContainerName, out sid) == 0)
            return new SecurityIdentifier(sid).Value;
        else
            return null;
    }
    finally
    {
        // The native call allocates the SID; release it with FreeSid once it has been copied.
        if (sid != IntPtr.Zero)
            FreeSid(sid);
    }
}

// HRESULT DeriveAppContainerSidFromAppContainerName(PCWSTR pszAppContainerName, PSID* ppsidAppContainerSid)
[DllImport("userenv.dll", SetLastError = false, CharSet = CharSet.Unicode)]
private static extern int DeriveAppContainerSidFromAppContainerName(string appContainerName, out IntPtr sid);

// PVOID FreeSid(PSID pSid)
[DllImport("advapi32.dll", SetLastError = false)]
private static extern IntPtr FreeSid(IntPtr sid);
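Putting the two halves of the question together, as an added example that is not part of the answer above or of any project: derive the SID from the package family name, then hand it to INetFwRule3.LocalAppPackageId through the NetFwTypeLib COM interop (the same property the MMC "Application Packages" tab sets). It assumes a COM reference to NetFwTypeLib (FirewallAPI.dll), Windows 8 or later, and an elevated process; the rule name is a constructed sample and the package family name is the one from the question.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using NetFwTypeLib; // COM reference to FirewallAPI.dll

static class AppPackageFirewall
{
    [DllImport("userenv.dll", CharSet = CharSet.Unicode)]
    static extern int DeriveAppContainerSidFromAppContainerName(string name, out IntPtr sid);

    [DllImport("advapi32.dll")]
    static extern IntPtr FreeSid(IntPtr sid);

    // The SID is computed from the name alone (a hash of the package family name),
    // so the same name gives the same SID on every machine; no lookup is needed.
    public static string PackageFamilyNameToSid(string packageFamilyName)
    {
        IntPtr sid = IntPtr.Zero;
        try
        {
            int hr = DeriveAppContainerSidFromAppContainerName(packageFamilyName, out sid);
            if (hr != 0) Marshal.ThrowExceptionForHR(hr);
            return new SecurityIdentifier(sid).Value;   // "S-1-15-2-..."
        }
        finally
        {
            if (sid != IntPtr.Zero) FreeSid(sid);
        }
    }

    // Adds an outbound block rule scoped to one app package. Requires administrator rights.
    public static void BlockPackageOutbound(string packageFamilyName, string ruleName)
    {
        var policy = (INetFwPolicy2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
        var rule = (INetFwRule3)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule"));

        rule.Name = ruleName;
        rule.Description = "Blocks outbound traffic for " + packageFamilyName;
        rule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT;
        rule.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
        rule.Profiles = (int)NET_FW_PROFILE_TYPE2_.NET_FW_PROFILE2_ALL;
        rule.LocalAppPackageId = PackageFamilyNameToSid(packageFamilyName);
        rule.Enabled = true;

        policy.Rules.Add(rule);
    }

    static void Main()
    {
        // Constructed sample rule name; package family name taken from the question.
        BlockPackageOutbound("microsoft.windows.photos_8wekyb3d8bbwe", "Block Photos (outbound)");
    }
}
```

Because the SID is deterministic, the derivation step can be skipped only if you are certain the package family name will never change; deriving it at runtime costs one call and avoids a stale hard-coded value.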

Blocking the internet connection for a UWP app is just like doing it for traditional Desktop software.

Type "advanced security" in Windows 8/10 search then select "Windows Defender Firewall with Advanced Security". In the newly opened window and in the left panel, go to "Inbound Rules" then in the right panel, select "New Rule..." then tap "Next" when "Program" is selected. Then click on "Browse..." and go to this address:

C:\Program Files\WindowsApps

Now find your app's name and enter its folder then select the file with "Application" type. You'll be able to find the right "Application" type file just in a few seconds. As an example, the folder name for the "Google" app is this:

GoogleInc.GoogleSearch_2.1.19.0_x64__yfg5n0ztvskxp

And the name of its app "Application" file type is this:

GoogleSearchUniversal

However, after choosing the correct "Application" file type, click on "Open" for it. Then tap "Next", choose "Block the connection", then "Next", then mark all types of connections, then "Next", then name it and "Finish".

Just like traditional Desktop software.

  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Oct 5, 2021 at 17:52
  • Mister, this website is for developers to ask questions about coding issues. Not a general Q&A site.
    – Paya
    Commented Oct 6, 2021 at 17:27
