
I try to export full info about a certain Windows Defender Firewall rule with the following code:

 $rule = (Get-NetFirewallRule -DisplayName "Start")[0]
 $ApplicationFilter   = @($rule | Get-NetFirewallApplicationFilter)
 $AddressFilter       = @($rule | Get-NetFirewallAddressFilter)
 $PortFilter          = @($rule | Get-NetFirewallPortFilter)
 $SecurityFilter      = @($rule | Get-NetFirewallSecurityFilter)
 $ServiceFilter       = @($rule | Get-NetFirewallServiceFilter)
 $InterfaceFilter     = @($rule | Get-NetFirewallInterfaceFilter)
 $InterfaceTypeFilter = @($rule | Get-NetFirewallInterfaceTypeFilter)

The problem is that the command $rule | Get-NetFirewallApplicationFilter gives its answer in the following form:

 Program : Any
 Package : S-1-15-2-283421221-..........-..........-.........-..........-..........-..........

instead of the package name and user name as in the Windows Defender Firewall console.

I spent a few hours searching for how to convert this special SID to a usable form, but I've had no luck. I know that a rule which has an app package configured gets a value in the 'Owner' property - this value is the SID of the user who owns the package whose SID is mentioned in

 ($rule | Get-NetFirewallApplicationFilter).Package

but I still don't know how to get the name of the package. Does anybody know how to do it?


ŁukaszD
  • I like using Format-Table for debugging; it does a great job of enumerating through objects. Try: $rule | Format-Table – jdweng Dec 28 '22 at 19:22
  • I know it's the appxpackage microsoft.windows.startmenuexperiencehost from the gui at least. – js2010 Dec 28 '22 at 19:43
  • @js2010: I know it, but when you export the full set of FW rules it could be difficult to remember which Application Package SID has which human-readable name. – ŁukaszD Jan 09 '23 at 17:34
  • I couldn't find an obvious way to go from one to the other in powershell. It's a good question. I even looked in the appx manifest. – js2010 Jan 09 '23 at 17:44
  • @jdweng: format-table doesn't help at all because the wanted information is not part of the object produced by Get-NetFirewallRule. To get information about programs / application packages associated with a certain FW rule you have to run another cmdlet, Get-NetFirewallApplicationFilter. I suppose that this second cmdlet looks up in another "FW internal array". – ŁukaszD Jan 09 '23 at 17:51
  • How about `Get-NetFirewallRule -DisplayName Start | select Group`. That seems to have the program name. – js2010 Jan 09 '23 at 17:53
  • @js2010: I have also looked in the package manifest files. – ŁukaszD Jan 09 '23 at 17:53
  • Then use Get-NetFirewallRule | Format-Table – jdweng Jan 09 '23 at 18:02
  • @js2010: in this case it is true, but look at the FW rules from the group "Work or school account" - they are associated with the package microsoft.aad.brokerplugin – ŁukaszD Jan 09 '23 at 18:03
  • I guess that's right? – js2010 Jan 09 '23 at 18:26
  • The program string has `@{ }` around the name. – js2010 Jan 09 '23 at 18:33
  • @jdweng: I've checked your suggestion once more and when I use `$rule | ft -Property Group` I get a quite promising result: – ŁukaszD Jan 09 '23 at 18:36
  • `Group ----- @{Microsoft.Windows.StartMenuExperienceHost_10.0.20348.1_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}` – ŁukaszD Jan 09 '23 at 18:36
  • But I cannot pass this result into any variable to extract the essential info – ŁukaszD Jan 09 '23 at 18:36
  • `$_.group -replace '@{|\?ms-resource:.*'` to get the name. – js2010 Jan 09 '23 at 18:43
  • ok - I found a way to put the output of format-table or format-list into a variable – ŁukaszD Jan 09 '23 at 18:53
  • @js2010: when you use `$ftrule = $rule | ft -Property Group` you get garbage in the variable $ftrule - you can't use the content of this variable in any simple manner, but when you use `$ftrule = $rule | ft -Property Group | out-string` you get a simple string in the variable $ftrule. With a simple string you can do everything, almost... ;-) – ŁukaszD Jan 09 '23 at 19:22
  • Don't use format-table in calculations. – js2010 Jan 09 '23 at 19:26

1 Answer


It looks like the group has the name if it's an appx program? (appx is the enemy of administrators)

$rule = (Get-NetFirewallRule -DisplayName "Start")[0]
if ($rule.group -match '@{.*') { 
  $appxname = $rule.group -replace '@{|_.*' 
}
$appxname

Microsoft.Windows.StartMenuExperienceHost

Here are 90 appx firewall rules. Sometimes the funny @{ } string is in the DisplayName as well. An Intel program even has a Unicode '®' in the title.

get-netfirewallrule | % {
  if ($_.group -match '@{.*') { 
    $appxname = $_.group -replace '@{|_.*' 
    $displayname2 = $_.displayname -replace '@{|_.*' 
    $_ | select @{n='displayname2';e={$displayname2}},@{n='appxname';e={$appxname}}
  }
}

displayname2                               appxname
------------                               --------
Microsoft.Windows.ContentDeliveryManager   Microsoft.Windows.ContentDeliveryManager
Microsoft.Windows.CloudExperienceHost      Microsoft.Windows.CloudExperienceHost
Microsoft.Windows.CloudExperienceHost      Microsoft.Windows.CloudExperienceHost
Start                                      Microsoft.Windows.StartMenuExperienceHost
Work or school account                     Microsoft.AAD.BrokerPlugin
Intel® Graphics Command Center             AppUp.IntelGraphicsExperience
Windows Feature Experience Pack            MicrosoftWindows.Client.CBS
...
js2010
  • Your solution is almost ok - on my server I found one group of FW rules which does not contain the name of the app package - the Group has the name "Windows Feature Experience Pack" - the app package name is MicrosoftWindows.Client.cbs_cw5n1h2txyewy – ŁukaszD Jan 09 '23 at 20:57
  • But generally it does the job – ŁukaszD Jan 09 '23 at 20:58
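As an added example (not code from the question or the answer above) building on js2010's approach: it parses the `@{PackageFullName?ms-resource://...}` string into package name, version, publisher id and package family name, falls back to DisplayName when Group is only a plain label (the "Windows Feature Experience Pack" case), and pairs the result with the Package SID and Owner so the exported rule set is human-readable. The function names are my own; the sample string is the one quoted in the question.

```powershell
# Added example, not from the question or answer. Function names are hypothetical.
function ConvertFrom-AppxRuleString {
    # Turn '@{<PackageFullName>?ms-resource://...}' into its components; $null if not that shape.
    param([AllowNull()][string]$Text)
    if (-not $Text -or $Text -notmatch '^@\{(?<full>[^?}]+)(\?(?<res>[^}]*))?\}$') { return $null }
    $full  = $Matches.full
    # PackageFullName layout: Name_Version_Architecture_ResourceId_PublisherId
    $parts = $full -split '_'
    if ($parts.Count -lt 5) { return $null }
    [pscustomobject]@{
        PackageName       = $parts[0]
        Version           = $parts[1]
        Architecture      = $parts[2]
        PublisherId       = $parts[-1]
        PackageFamilyName = '{0}_{1}' -f $parts[0], $parts[-1]   # e.g. MicrosoftWindows.Client.CBS_cw5n1h2txyewy
        PackageFullName   = $full
        Resource          = $Matches.res
    }
}

function Get-AppxFirewallRuleInfo {
    # One object per app-package rule: the rule, the parsed package and the AppContainer SID.
    param([Parameter(ValueFromPipeline)][ciminstance]$Rule)
    process {
        # Group normally carries the package string; some rules put it in DisplayName instead.
        $pkg = ConvertFrom-AppxRuleString $Rule.Group
        if (-not $pkg) { $pkg = ConvertFrom-AppxRuleString $Rule.DisplayName }
        if (-not $pkg) { return }                      # not an app-package rule
        $app = $Rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name              = $Rule.Name
            DisplayName       = $Rule.DisplayName
            Direction         = $Rule.Direction
            Action            = $Rule.Action
            Owner             = $Rule.Owner            # SID of the user the package is installed for
            PackageSid        = $app.Package           # S-1-15-2-... AppContainer SID
            PackageName       = $pkg.PackageName
            PackageFamilyName = $pkg.PackageFamilyName
        }
    }
}

# Offline check with the Group string quoted in the question (constructed sample):
$sample = '@{Microsoft.Windows.StartMenuExperienceHost_10.0.20348.1_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}'
ConvertFrom-AppxRuleString $sample | Format-List     # PackageName = Microsoft.Windows.StartMenuExperienceHost

# Live export of every app-package rule (run elevated); UTF8 keeps names such as 'Intel®' intact.
Get-NetFirewallRule | Get-AppxFirewallRuleInfo | Export-Csv -Path .\appx-firewall-rules.csv -NoTypeInformation -Encoding UTF8
```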