Gary Davis' Blog

DotNET/PayPal Development and other Techie Stuff
posts - 45, comments - 129, trackbacks - 0

How I Lost My Windows 7 Firewall Rules

I run a Windows 7 Web Server on a Media PC (see here) as my home server and from work, I connected to it using Remote Desktop. I ran Windows Update and part way through the 19 updates, the Remote Desktop connection froze. I figured the updates needed a reboot and but the server never came back up. I’d have to wait till I got home to figure out what happened.Updates1

When I got home, the server was pretty much how I left it from work. It had completed the updates and was just ready to reboot. The problem was that I could not connect to the server remotely. Outgoing connections were working fine (web pages, etc.). It turned out that the Firewall was blocking everything. I disabled the firewall and was then able to connect to the server (web pages, Remote Desktop, SQL Server).

I went into the Windows Firewall advanced settings and all inbound and outbound rules were missing!

First I ran MalwareBytes Anti-Malware and it showed no viruses or threats. Next I went to restore back to before the updates but my System Restore was not turned on! I do run Windows Backup and the last backup of the system image was a few days earlier. I could get my firewall rules from the SYSTEM registry on that backup.

FirewallRegThe backup creates a VHD virtual drive for the system and the program files. I mounted the system VHD as a drive and located the registry (\windows\system32\config\SYSTEM). I ran regedit and attached the SYSTEM registry file hive to get to the registry settings for the firewall. I located the firewall settings at this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess. I attached the backup hive to HKEY_LOCAL_MACHINE\SYSTEMBackup (focus on HKEY_LOCAL_MACHINE then File->Load Hive). I drilled down to SharedAccess on the SYSTEMBackup (see image).

Comparing this structure on SYSTEMBackup to SYSTEM, I noticed that on SYSTEM the entire Defaults key was missing and the Parameters\FirewallPolicy\FirewallRules key was there but there were no rules within it. The Default is probably not required but is the firewall reset info if needed.

I exported the SYSTEMBackup keys to a .reg file. I edited the file to change the location of the keys from SYSTEMBackup to SYSTEM. I then saved the file back (save as ANSI, not unicode). I then right-clicked the file and selected Merge to restore my firewall rules. NOTE: This is potentially very dangerous since you are modifying the registry!

Going back into the Windows Firewall advanced settings showed my inbound and outbound rules in place.

The rules seem to need a bit more tweaking since my HTTP ports are still blocked.

A good place to test out your firewall is at www.grc.com – navigate to the Shields Up page to verify your ports are blocked as expected. Note that your router may be doing most of the port blocking for you.

Print | posted on Tuesday, January 15, 2013 8:50 PM |

Feedback

Gravatar

# re: How I Lost My Windows 7 Firewall Rules

Hate to say it, but after testing our machine at grc.com (and receiving STEALTH status), some unknown IP#s have been traversing our connections, including a lot of 1e100.net (google) connections. WHY IS THAT? What is grc.com (or somebody connected with his site) doing, while scanning only the first thousand or so ports, with higher ports, one wonders?
2/23/2014 9:57 PM | FiredUp
Gravatar

# re: How I Lost My Windows 7 Firewall Rules

Did you ever find out how the rules got deleted in the first place?

Looks like mine got wiped and I have no idea what triggered it. I was debugging a vanilla post to my IIS instance when traffic stopped hitting the endpoint. After some head scratching I got around to looking at my inbound rules and both inbound and outbound were empty.

I just restored defaults, but W.T.F?
3/19/2015 6:16 PM | mark
Gravatar

# re: How I Lost My Windows 7 Firewall Rules

DUuuuhDE !!! You saved ma buttt !

I tried TinyWall... it's a gimmick... but it did one thing right... lay waste to over 50 custom rules.
I got them back from the RegBack folder. Windows Backup had time to run while I was testing that dangerous piece of code.

Thank You.
8/15/2016 12:57 AM | NetWeezurd

Post Comment

Title  
Name  
Email
Url
Comment   
Please add 1 and 8 and type the answer here:

Powered by:
Powered By Subtext Powered By ASP.NET