Windows Server 2008, Windows Server 2008 R2
(This wiki page is part of a pilot program to remove topics such as this one from the TechNet and MSDN libraries and move them to the wiki. We plan to do a better job of helping customers than the repeated instructions to go to the forums seen in the thread history at the end of this article.)
Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. This notification is turned on by default in Windows Vista, and turned off by default in Windows Server 2008.
When appropriate auditing events are enabled (http://go.microsoft.com/fwlink/?linkid=92666), Windows reports when applications are blocked by the firewall.
Product: Windows Operating System
Event ID: 5032
Source: Microsoft-Windows-Security-Auditing
Version: 6.0
Symbolic Name: SE_AUDITID_ETW_FIREWALL_UPCALL_NOTIFICATION_ERROR
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. Error Code:%t%1
The presence of this event at or near computer startup, or for non-interactive system processes, is normal and typically does not indicate an error condition.
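As an added example (not part of the original TechNet page), the following PowerShell pulls recent Event ID 5032 entries from the Security log and separates those logged shortly after startup, which the note above describes as normal, from later ones that deserve a look. The 10-minute window and the function name Get-FirewallNotifyFailures are assumptions; it expects an elevated session on the machine that logged the events.

```powershell
# Added example: triage Event ID 5032 (firewall could not notify the user).
# Assumes an elevated PowerShell session on the machine that logged the events.
function Get-FirewallNotifyFailures {
    param(
        [int]$BootWindowMinutes = 10,   # assumed window in which 5032 counts as start-up noise
        [int]$MaxEvents = 200
    )

    # Most recent boot only; events from earlier boots get a negative offset
    # and are therefore listed for review rather than assumed to be noise.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # 5032 is written by Microsoft-Windows-Security-Auditing to the Security log.
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 5032
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No Event ID 5032 entries found (auditing or notifications may be off).'
        return
    }

    foreach ($e in $events) {
        # The message template has a single insert (%1), the error code,
        # which is the first EventData property of the record.
        $errorCode = if ($e.Properties.Count -gt 0) { $e.Properties[0].Value } else { 'n/a' }
        $minutesAfterBoot = [math]::Round(($e.TimeCreated - $lastBoot).TotalMinutes, 1)
        $startupNoise = ($minutesAfterBoot -ge 0) -and ($minutesAfterBoot -le $BootWindowMinutes)
        $class = if ($startupNoise) { 'expected (start-up)' } else { 'review' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            ErrorCode        = $errorCode
            MinutesAfterBoot = $minutesAfterBoot
            Classification   = $class
        }
    }
}

# Summary: how many events fall in each class, then the ones worth reviewing.
$results = Get-FirewallNotifyFailures
$results | Group-Object Classification | Select-Object Name, Count
$results | Where-Object Classification -eq 'review' | Format-Table -AutoSize
```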
If you want to determine which process triggered the event, you can perform the following procedure.
To determine the process that caused the event
If you turn notifications off, these messages no longer appear in the event log. However, doing so means that Windows no longer automatically creates firewall rules after notifying you and getting permission. This means that you must manually enable or create firewall rules for all applications that require inbound unsolicited network traffic.
To turn off block notifications by using the Firewall Microsoft Management Console (MMC) snap-in:
If you need to re-enable notifications, follow the same steps, but select Yes in step 7.
To turn off block notifications by using the netsh advfirewall command-line tool:
netsh advfirewall set profile settings inboundusernotification disable
where profile is one of the following values: allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile.
If you need to re-enable notifications, follow the same step, but change disable to enable.
Other possible causes
In rare situations, such as when memory resources are extremely low, Windows cannot display the notification, and you therefore cannot instruct the firewall to allow the program in the future. This failure is not considered a security risk because the firewall continues to block the program, but it might prevent a needed program from operating correctly. If memory resources are low, then you must reduce the memory load on your computer by closing programs that are not needed. If the problem occurs frequently, you might need to add memory to the computer to avoid the low resource situation.
By default, on Windows Server 2008, user notifications about blocked applications are disabled, and all notifications are made by using the security audit events only.
By default, on Windows Vista, Windows Firewall is configured to notify the user that an application has been blocked, and it prompts the user to take one of the following actions: "Keep Blocking," "Allow," or "Ask me later." The "Ask me later" option continues blocking the application, but causes the user prompt to display again the next time the application starts.
To verify the setting by using the Firewall Microsoft Management Console (MMC) snap-in:
To verify the setting by using the netsh advfirewall command-line tool:
netsh advfirewall show allprofiles settings
netsh advfirewall set profile settings inboundusernotification value
where profile is one of the following values: allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile, and value is either enable or disable.
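To check the setting on every profile at once and change it with the profile name validated against the list above, here is an added PowerShell helper (not from the original page) that parses the output of the netsh advfirewall show command. The "<Name> Profile Settings:" header layout it expects in English-locale netsh output, and the function names Get-InboundUserNotification and Set-InboundUserNotification, are assumptions.

```powershell
# Added example: read the InboundUserNotification state for each firewall
# profile from netsh output. Assumes netsh prints each profile as a
# "<Name> Profile Settings:" header followed by "Key   Value" lines (English locale).
function Get-InboundUserNotification {
    $profileName = $null
    $lines = & netsh advfirewall show allprofiles settings
    foreach ($line in $lines) {
        if ($line -match '^(?<name>\w+) Profile Settings:') {
            $profileName = $Matches['name']        # Domain, Private or Public
        }
        elseif ($profileName -and $line -match '^InboundUserNotification\s+(?<state>\w+)') {
            [pscustomobject]@{
                Profile                 = $profileName
                InboundUserNotification = $Matches['state']   # Enable or Disable
            }
        }
    }
}

# Change the setting for one profile; the profile and value are restricted
# to the keywords netsh advfirewall accepts, as listed on the page.
function Set-InboundUserNotification {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('allprofiles', 'currentprofile', 'domainprofile', 'privateprofile', 'publicprofile')]
        [string]$FirewallProfile,
        [Parameter(Mandatory)]
        [ValidateSet('enable', 'disable')]
        [string]$State
    )
    & netsh advfirewall set $FirewallProfile settings inboundusernotification $State
}

Get-InboundUserNotification | Format-Table -AutoSize
# To turn notifications off for the private profile and re-check:
# Set-InboundUserNotification -FirewallProfile privateprofile -State disable
# Get-InboundUserNotification
```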
For more information
Firewall Service Block Notifications (TechNet Library)
Windows Firewall with Advanced Security (TechNet Library)
"We plan to do a better job" For 38 years, never thought I'd hear those words FROM Microsoft. Whatever happens, thank you for wanting to do a reasonably good job.
Michael Vallino mvallino@hotmail.com
If I have a disk volume mounted as a directory by using the following command:
mountvol "C:\Applications\" \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxx}\
and then disable the access to the volume by its own drive letter:
mountvol D:\ /d
("\\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxx}\" is drive D:'s volume name)
Then, any program in the mounted directory that attempts to listen for incoming network traffic won't trigger the firewall notification, and there's no way to configure the firewall to make such a program work properly, unless the firewall is entirely disabled.
How do I resolve this problem?