Windows – How to disable ‘hidden’ Windows Firewall Filter

windows 7, windows firewall

I have used the command "netsh WFP Show State" to dump to disk (wfpstate.xml) a list of all active Windows filters, and found a filter called "Port Scanning Prevention Filter". For diagnostic purposes, I need to test disabling this particular filter, but I cannot find it within the UI for Windows Firewall (Windows 7 Ultimate x64 SP1). Below is the full XML representation of the filter in question.

How do I disable this specific filter?
How would I re-enable this filter?

<item>
    <filterKey>{c06945c4-54f1-4b79-9523-71ad3ba2e3be}</filterKey>
    <displayData>
        <name>Port Scanning Prevention Filter</name>
        <description>This filter prevents port scanning.</description>
    </displayData>
    <flags/>
    <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
    <providerData>
        <data>ffffffffffffffff</data>
        <asString>........</asString>
    </providerData>
    <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD</layerKey>
    <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
    <weight>
        <type>FWP_UINT8</type>
        <uint8>12</uint8>
    </weight>
    <filterCondition numItems="1">
        <item>
            <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
            <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
            <conditionValue>
                <type>FWP_UINT32</type>
                <uint32>1</uint32>
            </conditionValue>
        </item>
    </filterCondition>
    <action>
        <type>FWP_ACTION_CALLOUT_TERMINATING</type>
        <calloutKey>FWPM_CALLOUT_WFP_TRANSPORT_LAYER_V4_SILENT_DROP</calloutKey>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>230591</filterId>
    <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>13835058055315718144</uint64>
    </effectiveWeight>
</item>
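As an added example (not part of the question or answer), a small Python script that reads a wfpstate.xml dump and lists every filter whose action is a terminating callout into a silent-drop callout, with its layer, conditions and effective weight. The embedded sample is constructed from the item quoted above, wrapped in assumed wfpstate/filters root elements; passing a file path on the command line parses a real dump instead.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the <item> quoted in the question, wrapped in a minimal
# root element (the wrapper element names are assumed, not copied from a real dump).
SAMPLE_WFPSTATE = """<wfpstate><filters>
<item>
 <filterKey>{c06945c4-54f1-4b79-9523-71ad3ba2e3be}</filterKey>
 <displayData><name>Port Scanning Prevention Filter</name></displayData>
 <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD</layerKey>
 <weight><type>FWP_UINT8</type><uint8>12</uint8></weight>
 <filterCondition numItems="1"><item>
  <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
  <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
  <conditionValue><type>FWP_UINT32</type><uint32>1</uint32></conditionValue>
 </item></filterCondition>
 <action><type>FWP_ACTION_CALLOUT_TERMINATING</type>
  <calloutKey>FWPM_CALLOUT_WFP_TRANSPORT_LAYER_V4_SILENT_DROP</calloutKey></action>
 <filterId>230591</filterId>
 <effectiveWeight><type>FWP_UINT64</type><uint64>13835058055315718144</uint64></effectiveWeight>
</item>
</filters></wfpstate>"""

def silent_drop_filters(xml_text):
    """List every filter whose action is a terminating callout into a *_SILENT_DROP
    callout: these discard packets without writing a Windows Firewall log entry."""
    found = []
    for item in ET.fromstring(xml_text).iter("item"):
        action = item.find("action")
        if action is None:          # condition <item> elements carry no <action>
            continue
        callout = action.findtext("calloutKey", default="")
        if action.findtext("type") != "FWP_ACTION_CALLOUT_TERMINATING" \
                or not callout.endswith("_SILENT_DROP"):
            continue
        conditions = []
        for cond in item.findall("filterCondition/item"):
            # <conditionValue> holds a <type> element plus exactly one typed value element
            value = next(c.text for c in cond.find("conditionValue") if c.tag != "type")
            conditions.append((cond.findtext("fieldKey"), cond.findtext("matchType"),
                               int(value) if value.isdigit() else value))
        found.append({
            "name": item.findtext("displayData/name"),
            "filterId": int(item.findtext("filterId")),
            "layer": item.findtext("layerKey"),
            "conditions": conditions,
            # hex makes the weight band visible; in this sample the top nibble is the uint8 weight 12 (0xC)
            "effectiveWeightHex": hex(int(item.findtext("effectiveWeight/uint64"))),
        })
    return found

if __name__ == "__main__":
    # bytes input lets the XML parser honour the file's own encoding declaration
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WFPSTATE
    for f in silent_drop_filters(xml_text):
        print(f"{f['filterId']} {f['name']} @ {f['layer']} weight={f['effectiveWeightHex']} conds={f['conditions']}")
```

For the sample filter the single condition is FWPM_CONDITION_FLAGS with FWP_MATCH_FLAGS_NONE_SET and value 1 (FWP_CONDITION_FLAG_IS_LOOPBACK), so the filter applies to non-loopback inbound traffic reaching the transport discard layer.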

Best Answer

Ok so you can't shut down that particular rule; it is a system default!

Take a look at this TechNet article regarding the Windows port scanning prevention filter.

Any port that has been explicitly opened by the firewall but does not have an application listening on that port will still have its packets dropped silently by default. This helps to harden the Windows installation.

To see which ports have active listeners type the following command into an administrative command prompt:

netstat -ab

If the target port you are trying to open does not have an active listener then you will see packets being dropped silently (i.e. not being added to the firewall logs). As you may have noticed, the dropped packets will still show up in the Netsh diagnostic logs. See this TechNet article regarding Netsh diagnostic logging for more information.

So see if your application is listening on the appropriate port or functioning at all!