Windows Firewall: Logging/Notifying on outgoing request attempts

17

9

I'm trying to configure Windows Firewall with Advanced Security to log and tell me when programs are trying to make outbound requests. I previously tried installing ZoneAlarm, which worked wonders for me with this in Windows XP. But now, I'm unable to install ZoneAlarm on Windows 7.

Is it possible to somehow monitor a log or get notifications when a program tries to do that if I set all outbound connections to auto-block, so that I can then create a specific rule for the program and block it?

Update
I've enabled all the logging options available through the properties window of the Windows Firewall with Advanced Security console. But I'm only seeing logs in the %systemroot%\system32\LogFiles\Firewall\pfirewall.log file, not in the Event Viewer, as the first answer suggested.

However, the logs that I can see only tell me the request's or response's destination IP and whether the connection was allowed or blocked. They don't tell me which executable it comes from. I want to find out the file path of the executable that each blocked request comes from. So far, I haven't been able to.

Maxim Zaslavsky

Posted 2010-01-19T05:07:37.593

Reputation: 1 750
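The pfirewall.log file mentioned in the update does not record the executable, but it does carry a direction column. As an added example (not code from the question or its answers), this PowerShell function parses the log using its own `#Fields:` header and keeps only dropped outbound entries; the sample log lines are constructed to match the real file's layout.

```powershell
# Added example: parse pfirewall.log and summarise dropped outbound connections.
# The log has no executable path, but its last column ("path") records the
# direction: SEND = outbound, RECEIVE = inbound.

function Get-DroppedOutbound {
    param([string[]]$Lines)

    # The "#Fields:" header names the space-separated columns.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ' '

    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $header |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        Select-Object date, time, protocol, 'src-ip', 'dst-ip', 'dst-port'
}

# Constructed sample in the real log's layout (not a real capture).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-01-21 04:29:20 DROP TCP 192.168.1.10 203.0.113.5 49152 443 52 S 1234567 0 8192 - - - SEND
2010-01-21 04:29:21 DROP UDP 192.168.1.10 203.0.113.53 60001 53 0 - - - - - - - SEND
2010-01-21 04:29:22 DROP TCP 198.51.100.7 192.168.1.10 40000 445 52 S 7654321 0 8192 - - - RECEIVE
2010-01-21 04:29:23 ALLOW TCP 192.168.1.10 203.0.113.5 49153 80 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

# Real use: $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-DroppedOutbound -Lines $sample |
    Group-Object 'dst-ip', 'dst-port' |
    Select-Object Count, Name
```

On the constructed sample this yields the two outbound drops (203.0.113.5:443 and 203.0.113.53:53); the inbound drop and the allowed connection are filtered out.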

Answers

6

You should be able to see this in Event Viewer. First you'll need to tweak the logging options in the Advanced Settings Console:


In the Event Viewer's left pane, expand to Applications and Services Log -> Microsoft -> Windows -> Windows Firewall with Advanced Security:


There, you can create a custom view and filter the log to only outbound connection attempts.

John T

Posted 2010-01-19T05:07:37.593

Reputation: 149 037

Nothing in %windir%\system32\logfiles\firewall\firewall.log ? – John T – 2010-01-21T04:29:20.560

I mentioned in my update of the original question that only destination IPs are listed. I'm looking for the file path of the executable that made the request. – Maxim Zaslavsky – 2010-01-21T04:59:35.450

After you click "create a custom view", what do you pick? It wants "By log" or "By source". None of these seem to be what I want. What do I pick? How do I point it to "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"? – Curtis Yallop – 2015-11-23T20:43:07.810

I suggest taking a look at Sysinternals' (http://technet.microsoft.com/en-us/sysinternals/default) Procmon or Procexp, or others; it was a long time ago that I actually used them, but they help in determining which low-level op takes a long time, and you can filter by IP. Also, you may try Wireshark or similar to determine the process making the traffic. – TWiStErRob – 2013-08-27T20:36:04.017

Thanks! What do I need to tweak in particular in the Advanced Settings console? Are you referring to the logging options under Properties? If so, what do I need to change? – Maxim Zaslavsky – 2010-01-19T06:07:39.967

You can tweak the logging options depending on your liking, but you'll have to first set rules for outbound connections or else there is nothing seen as abnormal and nothing will be logged. – John T – 2010-01-19T13:20:24.747

How do I filter the log? I blocked all outbound connections but nothing is appearing in any of the logs there except for changes to the firewall settings. What should I do? – Maxim Zaslavsky – 2010-01-21T02:40:14.273

13

In Windows 7 & 8 you need to first enable auditing of failed connections.

Local Computer Policy (Run: GPEdit.msc) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access : Failure

Now dropped connections along with the corresponding executable name should show at:

Event log > Windows Logs > Security:

  1. The Windows Filtering Platform has blocked a packet : [Event Id: 5152]
  2. The Windows Filtering Platform has blocked a connection : [Event Id: 5157]

Here, you will find:

Application Name: \device\harddiskvolume2\program files\xyz.exe

Ujjwal Singh

Posted 2010-01-19T05:07:37.593

Reputation: 1 550
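The answer above is where the executable path finally shows up. As an added example (not code from the answer), this PowerShell script turns on the failure audit and then queries the Security log for event 5157, keeping only outbound blocks and extracting the Application field. It assumes an elevated prompt, and it uses the narrower "Filtering Platform Connection" audit subcategory rather than the whole "Audit object access" category the answer names.

```powershell
# Added example: enable failure auditing for WFP connection events and list
# blocked outbound connections together with the executable that made them.
# Run from an elevated PowerShell prompt.

# Narrower than "Audit object access: Failure" in the answer: only the
# Filtering Platform Connection subcategory, which is what produces event 5157.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

function Get-BlockedOutbound {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    # Event 5157 = "The Windows Filtering Platform has blocked a connection".
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5157
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Direction is stored as a resource id: %%14593 = Outbound, %%14592 = Inbound.
        if ($d['Direction'] -ne '%%14593') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Application = $d['Application']   # \device\harddiskvolumeN\... form, as in the answer
            ProcessId   = [int]$d['ProcessID']
            Destination = "$($d['DestAddress']):$($d['DestPort'])"
            Protocol    = $d['Protocol']      # 6 = TCP, 17 = UDP
        }
    }
}

# Summarise which executables were blocked and how often in the last hour.
Get-BlockedOutbound |
    Group-Object Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Application value is the kernel device path; a blocked connection that repeats many times from one path is the candidate for the per-program rule the question asks about.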

7

I was looking into the same problem, and neither the Event Viewer (no events) nor the pfirewall.log option (no name of the violating program) helped me to identify what's going on.

Looking around, I found Windows Firewall Notifier, which even provides a GUI that shows the offending program and allows you to generate exception rules (you need to tell WFN to create rules, not exceptions, when calling it for the first time).

fraber

Posted 2010-01-19T05:07:37.593

Reputation: 169

0

Try the Sysmon utility from SysInternals. It's a simple installer and does pretty good logging. The logs will give you all the details, including the program, path of the file, etc., that is initiating the connection. Hope it helps.

Chakradhar P

Posted 2010-01-19T05:07:37.593

Reputation: 1

Welcome to Super User! Please read the question again carefully. Your answer does not answer the original question, which is to configure logging in the Windows Firewall. So, no, your answer doesn't help. – DavidPostill – 2016-08-01T18:27:36.757