How to determine Windows firewall rule's program path using Powershell Get-NetFirewallRule
We define a new Windows firewall rule for some program to accept inbound TCP connections on some port. This can be done using either the netsh.exe utility or the PowerShell New-NetFirewallRule cmdlet. For example, here's a sample command to allow notepad.exe to accept TCP connections on port 5001 (I know, notepad can't do that):

New-NetFirewallRule  -program "C:\windows\System32\notepad.exe" -direction Inbound -Action Allow -Protocol tcp -LocalPort 5001 -Name "Testing Notepad on port 5001" -DisplayName "Testing Notepad on port 5001"

To retrieve/view this rule, one can again use netsh.exe or the Get-NetFirewallRule cmdlet.

Ideally we'd like to use PowerShell Get-NetFirewallRule, but we are not able to view the actual program path that was used when the rule was created.

Here's the output of netsh.exe:

netsh advfirewall firewall show rule name="Testing Notepad on port 5001" verbose

Rule Name:                            Testing Notepad on port 5001
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            5001
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\windows\System32\notepad.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow
Ok.

Here's the output of Get-NetFirewallRule cmdlet:

Get-NetFirewallRule -Name "Testing Notepad on port 5001" | Format-list *

Name                    : Testing Notepad on port 5001
ID                      : Testing Notepad on port 5001
Group                   :
Platform                : {}
LSM                     : False
DisplayName             : Testing Notepad on port 5001
Enabled                 : True
Profile                 : Any
Direction               : Inbound
Action                  : Allow
EdgeTraversalPolicy     : Block
PrimaryStatus           : OK
Status                  : The rule was parsed successfully from the store.
                          (65536)
EnforcementStatus       : NotApplicable
PolicyStoreSourceType   : Local
Caption                 :
Description             :
ElementName             : Testing Notepad on port 5001
InstanceID              : Testing Notepad on port 5001
CommonName              :
PolicyKeywords          :
PolicyDecisionStrategy  : 2
PolicyRoles             :
ConditionListType       : 3
CreationClassName       : MSFT|FW|FirewallRule|Testing Notepad on port 5001
ExecutionStrategy       : 2
Mandatory               :
PolicyRuleName          :
Priority                :
RuleUsage               :
SequencedActions        : 3
SystemCreationClassName :
SystemName              :
DisplayGroup            :
LocalOnlyMapping        : False
LooseSourceMapping      : False
Owner                   :
Platforms               : {}
PolicyStoreSource       : PersistentStore
Profiles                : 0
RuleGroup               :
StatusCode              : 65536
PSComputerName          :
CimClass                : root/standardcimv2:MSFT_NetFirewallRule
CimInstanceProperties   : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties     : Microsoft.Management.Infrastructure.CimSystemPropertieses

Any suggestions or ideas on retrieving program path, port, protocol, etc., using Powershell cmdlet?

Pitiful answered 13/2, 2016 at 21:30 Comment(0)
You should use Get-NetFirewall*Filter cmdlets for this.

PS> Get-Command Get-NetFirewall*Filter

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-NetFirewallAddressFilter                       2.0.0.0    NetSecurity
Function        Get-NetFirewallApplicationFilter                   2.0.0.0    NetSecurity
Function        Get-NetFirewallInterfaceFilter                     2.0.0.0    NetSecurity
Function        Get-NetFirewallInterfaceTypeFilter                 2.0.0.0    NetSecurity
Function        Get-NetFirewallPortFilter                          2.0.0.0    NetSecurity
Function        Get-NetFirewallSecurityFilter                      2.0.0.0    NetSecurity
Function        Get-NetFirewallServiceFilter                       2.0.0.0    NetSecurity

All of those cmdlets have an -AssociatedNetFirewallRule parameter, which accepts pipeline input.

In your case, you can use the following command:

Get-NetFirewallRule -Name "Testing Notepad on port 5001" | Get-NetFirewallApplicationFilter
Debroahdebs answered 13/2, 2016 at 22:37 Comment(4)
Oh, that sucks. So you can't say, given an application filter, show me all firewall rules for that program? Taeniacide
@JohnZabroski Did you find any solution to query list of rules by exe?Flin
No, it turned out my specific problem was not application centric but due to the fact a network admin had configured the box to support multiple NICs in the event of a DNS issue/network outage on one subnet. So, I stopped there.Taeniacide
You can probably do something like this: Get-NetFirewallApplicationFilter -All | Select * | ? { $_.AppPath -eq "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" }Taeniacide
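Added example, not from the answer or the comments above: the filter cmdlets each return one piece of a rule, so a practitioner auditing the host usually wants them joined back together. The two functions below are mine, not part of the NetSecurity module. Get-FirewallRuleDetail takes rules on the pipeline and merges the application, port and address filters into one object (so program path, protocol and ports sit beside the rule name and action), and Find-FirewallRuleByProgram answers the comment's question in reverse, listing every rule that names a given executable. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and that the rule's Program property holds the path as stored, which may contain environment variables such as %SystemRoot%.

```powershell
# Added example (not the page's own code). Requires the NetSecurity module.

function Get-FirewallRuleDetail {
    [CmdletBinding()]
    param(
        # Accepts the MSFT_NetFirewallRule objects Get-NetFirewallRule emits.
        [Parameter(ValueFromPipeline = $true)]
        [Microsoft.Management.Infrastructure.CimInstance[]]$Rule
    )
    process {
        foreach ($r in $Rule) {
            # Piping a rule into a Get-NetFirewall*Filter cmdlet binds it to
            # -AssociatedNetFirewallRule, so each call returns that rule's filter.
            $app  = $r | Get-NetFirewallApplicationFilter
            $port = $r | Get-NetFirewallPortFilter
            $addr = $r | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $r.Name
                DisplayName   = $r.DisplayName
                Enabled       = $r.Enabled
                Direction     = $r.Direction
                Action        = $r.Action
                Profile       = $r.Profile
                Program       = $app.Program     # 'Any' when the rule has no program
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort  # may be an array or a range
                RemotePort    = $port.RemotePort
                LocalAddress  = $addr.LocalAddress
                RemoteAddress = $addr.RemoteAddress
            }
        }
    }
}

function Find-FirewallRuleByProgram {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )
    # Rules may store the path with environment variables
    # (%SystemRoot%\System32\notepad.exe), and NTFS paths are case-insensitive,
    # so expand both sides and compare with -ieq instead of a literal -eq.
    $wanted = [Environment]::ExpandEnvironmentVariables($Path)
    Get-NetFirewallApplicationFilter -All |
        Where-Object {
            $_.Program -ne 'Any' -and
            [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $wanted
        } |
        Get-NetFirewallRule |          # binds to -AssociatedNetFirewallApplicationFilter
        Get-FirewallRuleDetail
}

# Usage with the rule from the question:
Get-NetFirewallRule -Name 'Testing Notepad on port 5001' |
    Get-FirewallRuleDetail | Format-List

# Reverse lookup: every rule that applies to notepad.exe, however the path was written.
Find-FirewallRuleByProgram -Path '%SystemRoot%\System32\notepad.exe' |
    Format-Table Name, Direction, Action, Protocol, LocalPort, Program
```

The -All switch matters for the reverse lookup: without it, Get-NetFirewallApplicationFilter returns only the filters that carry a program path, and a literal string match misses rules whose path was stored with an environment variable or different casing, which is exactly the kind of rule that tends to survive an audit unnoticed.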
I know this is an old post but it took me a bit to find this:

Get-NetFirewallApplicationFilter | Where {$_.program -eq "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"} | Get-NetFirewallRule 
Macaluso answered 8/8 at 17:1 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.