This happens when a process gets started, does a DNS query and terminates before Windows's Event Tracking can process the event and relay it to priv10. I'm working on a solution to that by using yet another ETW event that is fired on process creation. This way we should always know which executable a particular PID belongs to.
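The PID-to-executable bookkeeping described in this post, sketched as an added example (not priv10's code): process start/stop events feed a per-PID lifetime table, so a DNS event that is delivered after the process has exited, or after its PID was reused, still resolves to the right image. `PidTracker`, `attribute` and the event tuples are hypothetical and constructed; it assumes every event carries its own timestamp.

```python
from bisect import bisect_right

class PidTracker:
    """Resolve (pid, event time) to an image path from process start/stop events."""
    def __init__(self, retain_seconds=60.0):
        self.retain = retain_seconds
        self.runs = {}  # pid -> list of [start, stop, image], ordered by start

    def on_start(self, pid, ts, image):
        self.runs.setdefault(pid, []).append([ts, float("inf"), image])

    def on_stop(self, pid, ts):
        runs = self.runs.get(pid)
        if runs and runs[-1][1] == float("inf"):
            runs[-1][1] = ts  # keep the record: late events may still refer to it

    def resolve(self, pid, ts):
        runs = self.runs.get(pid, [])
        i = bisect_right([r[0] for r in runs], ts) - 1
        if i >= 0 and ts <= runs[i][1]:
            return runs[i][2]
        return None  # start event never seen, or record already pruned

    def prune(self, now):
        # Drop lifetimes that ended more than retain_seconds ago.
        for pid, runs in list(self.runs.items()):
            self.runs[pid] = [r for r in runs if r[1] + self.retain >= now]

# Constructed events in ARRIVAL order: (kind, pid, event timestamp, payload).
EVENTS = [
    ("start", 4120, 10.00, r"C:\Tools\short_lived.exe"),
    ("stop",  4120, 10.05, None),
    ("dns",   4120, 10.02, "example.com"),   # delivered after the process exited
    ("start", 4120, 12.00, r"C:\Other\reused_pid.exe"),  # PID reused
    ("dns",   4120, 12.30, "example.org"),
    ("dns",   4120, 10.03, "example.net"),   # late event from the first lifetime
    ("dns",   5000, 12.40, "example.edu"),   # process start was never observed
]

def attribute(events):
    """Return (query, image) pairs for every DNS event, in arrival order."""
    tracker, out = PidTracker(), []
    for kind, pid, ts, payload in events:
        if kind == "start":
            tracker.on_start(pid, ts, payload)
        elif kind == "stop":
            tracker.on_stop(pid, ts)
        else:
            out.append((payload, tracker.resolve(pid, ts)))
    return out
```

The retention window trades memory for how late an event may arrive and still be attributed; queries that resolve to `None` are the ones that would show up without an owning program.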
> A "clean leftovers"

There are already some cleanup functions in the current build: the normal cleanup removes all programs which no longer exist; the extended cleanup in addition also removes all programs which have no rules and no open sockets.

> "All processes"

The entry "All processes" contains all rules which are set to apply to any process running on the system, for example: block IP address 1.2.3.4 no matter what tries to connect to it. The entry "Windows NT-Kernel/System" is the system process, PID 4, which is in fact creating connections, and the firewall can manage it; for example, Windows file sharing, built-in VPNs and the like act from a thread in the system process. The user is not supposed to set an access option for these two entries.

> Each time you want to "upgrade" an Private 10

That is odd... it is supposed to auto start the service, and there now is the installer, which should stop the service, update the files and then restart everything.
Is priv10 set up as the system DNS? Without that checked, the DNS queries don't go through the priv10 DNS proxy.

The DNS Inspector data are logged to the inspector tab on the firewall page.
Ah, you got me, I did not check the second toggle "Setup DNS proxy as default DNS in Windows"; that explains it. I set the DNS via network interface. Okay, that's on me then.
I can't reproduce that. Also, even if I could, I would have no idea how to fix that, as the menu handling is done by the MSFT .NET Framework code.

If localhost was set for all adapters as DNS proxy, then it should work despite the check box; the check box just sets this for you.
Yeah, that's why I unchecked it. However, if I uncheck it but set e.g. Cloudflare in the network interface manually it still doesn't show anything, so I enabled the toggle and now it works. The only thing I noticed is that "auto refreshing" the list is not integrated. You actually have to switch to another entry like "whitelist" and then back to "Query log" to see the new/updated entries. That's maybe something for the next release. Hm, okay I might come up with something or report it, because this bug/glitch is annoying. I thought it's fixed in newer .NET Framework versions but apparently it's not. Anyway good work
If you set Cloudflare, it will of course not work; in the network interface it must be set to 127.0.0.1 for IPv4 and ::1 for IPv6.

All the list handling in WPF seems a bit badly performing, hence no auto refresh, but there is a refresh button at the bottom so that you don't need to switch views.

Another thing: I'm thinking of a feature, using the ETW process monitor, that would allow the user to flag processes as not permitted to run, and if they start they would be killed immediately. Like search_ui.exe (MSFT Cortana), CompatTelRunner.exe (MSFT) or software_reporter_tool.exe (Google) or other corporate spyware.

Currently you can use tweaks to disable CompatTelRunner.exe and tweak guard to ensure that after an upgrade it stays disabled, but for example software_reporter_tool.exe changes directories with version updates, and it will also depend on where Chrome is installed, so it's not easy to just hardcode a path to block it. The process monitor would become active when a process with a blacklisted exe name starts, no matter the path, and kill it, or kill it and apply a tweak to prevent it from starting again.

Do you think this deserves its own page or should it be integrated into the firewall page?
Another issue: I need some input for the overview page. I would like it to show, instead of the log feature, some more useful information. But well, UI design is not my strong side.

Things that come to mind:

1) list of undone tweaks that are to be reapplied
1b) list of tweaks which have been automatically reapplied, if enabled
2) list of firewall rules modified outside of priv10
2b) list of removed/restored firewall rules

Probably some DNS infos:

3) recently blocked domains
3b) recently allowed domains?
4) domains with the most traffic?

Or more general things:

5) total network traffic with graph?
6) I think it would be useful to be able to pin individual tweaks to that view, for example enabling/disabling MSFT account login to be able to use the store when needed
7) list of programs recently added to the firewall
8) list of recently firewall-blocked applications
8b) list of recently firewall-allowed applications

What else? So what of that do you think is useful, or anything I forgot? Any suggestions for the UI layout?
> 2) "list of firewall rules modified outside priv10" that might actually help, however my proposal is to drop the entire idea and introduce an option to block all rules which are not created via priv10. Then log could show that rule xyz was blocked by priv10.

This option already exists: "Undo Unauthorized rule changed".

> 6) "pin individual tweaks to that view," I'm not sure what you mean by that. Would it not be better to explain what every tweak does in detail maybe with e.g. links to MS documentation or so?! So that a user know, "okay that might break MS Account login"?!

I mean that for some tweaks you don't need to go to the tweak page, but you can do/undo them from the overview page.

> 7) "list of recently added programs to firewall" don't we have this already? I mean I can sort entries by timestamp or last access.

There is a sort by last activity but no sort by first seen date column. The idea was to see what apps were added recently. Something like the "First network activity" list in GlassWire. Like this:

EDIT: I took a look at GlassWire and I'm quite puzzled by it; it seems to use the Windows firewall as firewall in the same way as WFC, yet it comes with a kernel driver. What for?! Maybe they are not aware of the ETW tricks, hmm... will have to investigate that further.
@DavidXanatos These would be useful along with the mouseovers for the icons and uniform layout using tabs as mentioned by @CHEF-KOCH. As you state for 6 above, that would be convenient, and knowing whether something has been reapplied.

I am having a crash notice when closing using the X:

Unhandled Exception: System.Runtime.InteropServices.SEHException: External component has thrown an exception.
   at _CxxThrowException(Void* , _s__ThrowInfo* )
   at krabs.error_check_common_conditions(UInt32 status)
   at krabs.details.trace_manager<krabs::trace<krabs::details::kt> >.unregister_trace(trace_manager<krabs::trace<krabs::details::kt> >* )
   at Microsoft.O365.Security.ETW.KernelTrace.Stop()
   at PrivateWin10.NetworkMonitor.Dispose() in F:\Projects\Windows10_Tools\PrivateWin10\PrivateWin10\Core\NetworkMonitor.cs:line 91
   at PrivateWin10.Priv10Engine.Run() in F:\Projects\Windows10_Tools\PrivateWin10\PrivateWin10\Core\Priv10Engine.cs:line 225
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()

I note: F:\Projects\Windows10_Tools\PrivateWin10\PrivateWin10, this path is not on my system, maybe it is on yours?