
We are having a problem with our Windows 10 computers either not adding all of the Firewall rules from GPOs when the computer restarts or somewhere along the line.

We have multiple users that log onto the consoles (usually with a roaming profile) and a small percentage of them throw a firewall exception when trying to open necessary apps that should have been allowed through GPOs.

My questions are:

1.) Why is this happening?

2.) How to get information about the "USER" GUID that is returned from Get-NetFirewallRule?

```powershell
Get-NetFirewallRule -Action Block
```

One partial result is:

```
TCP Query User{E2507D53-3CCE-4791-8BBF-9830003E90C5}
```

So how do I get information about this GUID (E2507D53-3CCE-4791-8BBF-9830003E90C5)?

3.) Also, some of the computers that have this issue also block PSRemoting so I cannot fix this issue remotely, which is just as bad as the other issue!

Any ideas?

Thank you

PS: I have searched high and low for info about that GUID. It has become a personal goal to resolve the guid to an object name at this point.

Chris
  • What property is giving you that User result? – ArcSet Feb 11 '19 at 16:14
  • The "Name" Property – Chris Feb 11 '19 at 17:14
  • If you run Get-NetFirewallRule on your computer I think that you will find some of the firewall names contain only a GUID and nothing else. But, the "Blocked" rules usually have a name - User {GUID}. – Chris Feb 11 '19 at 17:17
  • What's the DisplayName? `Get-NetFirewallRule | ?{$_.Name -eq "TCP Query User{E2507D53-3CCE-4791-8BBF-9830003E90C5}"} | select name, DisplayName` – ArcSet Feb 11 '19 at 17:24
  • Name : TCP Query User{E2507D53-3CCE-4791-8BBF-9830003E90C5}E:\03_ip camera search tool\for windows os\ipcamera.exe DisplayName : IPCamera PSComputerName : pc-1 RunspaceId : 8aa79877-cecd-4e98-a5dd-ee664c59fc29 – Chris Feb 11 '19 at 17:43

1 Answer

So what is happening is that when Windows prompts you to create a firewall exception for an application (even if you hit Cancel), two rules are created by Windows: TCP Query User and UDP Query User.

The rules are stored in the registry under the path `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules`

You might get this prompt with many applications, which would mean the same name would be created over and over again. The GUID is just so that there is a unique name per application attempt.

ArcSet
  • Awesome, thank you! So any idea why this might be happening on Windows 10 machines when the exceptions are set on the computer (not user) by GPOs? I am starting to think that it has something to do with our roaming profile setup from Windows 7 (previous) to Windows 10 (current). What do you think, ArcSet? – Chris Feb 11 '19 at 17:53
  • Going to be honest, that one might be out of my skillset to solve. But I do know why you get those firewall rules. Had to dig around the internet myself and test it out – ArcSet Feb 11 '19 at 17:57
  • Your answer works for me. Thank you! To be honest I was fixated from the name, which said "TCP User{guid}". I thought that the guid would relate to a "User" and I was wanting to trace it back to a username. But, I'm thinking straight now. Thanks again! – Chris Feb 11 '19 at 18:22
  • I have a similar situation with Quickbooks Database Server Manager 2017 on Win10. It is creating multiple identical rules for the same EXE with only a different GUID. This appears to be occurring every time I run the Tool Hub or File Doctor repair tools. I have not found anything yet that speaks to multiple identical rules that are active for a single EXE. – Bruce Gavin Apr 07 '21 at 11:53
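
Because the GUID only makes each prompt-generated rule name unique, the parts worth auditing are the protocol and the program path that follows the GUID. The following is an added example, not code from the original posts: it splits names of the shape quoted in the comments above and counts the prompt-generated rules per program. The function name `ConvertFrom-QueryUserRuleName` is hypothetical, and every sample name except the first is constructed.

```powershell
# Added example: split "Query User" rule names into protocol, GUID and program path.
# Name layout assumed from the rule quoted in the comments above:
#   "<TCP|UDP> Query User{<GUID>}<full path to exe>"
function ConvertFrom-QueryUserRuleName {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        if ($Name -match '^(?<Proto>TCP|UDP) Query User\{(?<Guid>[0-9A-Fa-f-]{36})\}(?<Program>.*)$') {
            [pscustomobject]@{
                Protocol = $Matches.Proto
                RuleGuid = [guid]$Matches.Guid
                Program  = $Matches.Program
            }
        }
        # Names that do not follow this layout (GPO or manually created rules) are skipped.
    }
}

# Constructed sample names (only the first comes from the thread).
# On a live machine, feed real names instead:
#   (Get-NetFirewallRule -Action Block).Name
$sampleNames = @(
    'TCP Query User{E2507D53-3CCE-4791-8BBF-9830003E90C5}E:\03_ip camera search tool\for windows os\ipcamera.exe'
    'UDP Query User{11111111-2222-3333-4444-555555555555}E:\03_ip camera search tool\for windows os\ipcamera.exe'
    'TCP Query User{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}C:\Apps\Example\example.exe'
    'Example-GPO-Rule-In'
)

# One row per program: how many prompt-generated rules exist and for which protocols.
$sampleNames |
    ConvertFrom-QueryUserRuleName |
    Group-Object -Property Program |
    ForEach-Object {
        [pscustomobject]@{
            Program   = $_.Name
            RuleCount = $_.Count
            Protocols = ($_.Group.Protocol | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object -Property RuleCount -Descending
```

Programs that appear here with Block rules are the ones where a prompt was shown and not allowed; comparing those paths against the program paths in the GPO-delivered allow rules shows which applications the policy is not covering.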