How to re-trigger "Windows firewall has blocked..." message?

How do I find out what program was blocked?

Changes to the Windows Firewall rule set are logged in the "Application and Services" event logs.

You can inspect this log (which includes the date/time of events) to see what rules were added around the time you installed this program.

With this information you can removed the rule or create an appropriate exception in the firewall.

Viewing Firewall and IPsec Events in Event Viewer

To view events for Windows Firewall with Advanced Security in Event Viewer

  1. Event Viewer is available as part of Computer Management. Click Start, right-click Computer, and then click Manage. Under System Tools, click Event Viewer.

  2. In the navigation tree, expand Event Viewer, expand Applications and Services, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.

  3. There are four views of operational events provided:

    • ConnectionSecurity. This log maintains events that relate to the configuration of IPsec rules and settings. For example, when a connection security rule is added or removed or the settings of IPsec are modified, an event is added here.

    • ConnectionSecurityVerbose. This log maintains events that relate to the operational state of the IPsec engine. For example, when a connection security rule become active or when crypto sets are added or removed, an event is added here. This log is disabled by default. To enable this log, right-click ConnectionSecurityVerbose, and then click Enable Log.

    • Firewall. This log maintains events that relate to the configuration of Windows Firewall. For example, when a rule is added, removed, or modified, or when a network interface changes its profile, an event is added here.

    • FirewallVerbose. This log maintains events that relate to the operational state of the firewall. For example, when a firewall rule become active, or when the settings of a profile are changed, an event is added here. This log is disabled by default. To enable this log, right-click FirewallVerbose, and then click Enable Log.

  4. Each event includes a General tab that summarizes the information contained in the event. For more information about an event, click Event Log Online Help to open a web page in the Windows Server Technical Library that contains detailed information and prescriptive guidance.

    The event also includes a Details tab that displays the raw data associated with the event. You can copy and paste the information in the Details tab by selecting the text (CTRL+A selects it all) and then pressing CTRL-C.

Source Viewing Firewall and IPsec Events in Event Viewer

What event is triggered when a rule is added?

4946: A change has been made to Windows Firewall exception list. A rule was added.

Example:

A change has been made to Windows Firewall exception list. A rule was added.

Profile Changed: All
Added Rule:
   Rule ID: DNSSrv-UDP-Out
   Rule Name: @dns.exe,-1005

Source Windows Security Log Event ID 4946

Further Reading

  • Windows Security Log Events

In the Registry, the list of firewall rules is kept in this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

When a new program tries to start listening, a pair of Windows Firewall rules (one TCP, one UDP) is automatically created for it, either "allow" or "block" based on what the user chooses in response to that dialog. Conveniently, the value names for rules created in this way always start with the same strings: TCP Query User or UDP Query User.

some registry entries

After the GUID is the full path to the executable. Whether a given rule is "allow" or "block" is given near the start of the data. If you clicked Cancel, the rules will block. Once you've figured out which executable is probably your program, delete the pair of Registry entries (both TCP and UDP) and restart the Windows Firewall service (MpsSvc). Alternatively, open the Windows Firewall with Advanced Security window (wf.msc) and delete the two entries with the name given in the Name part of the Registry entries' data.

Once that's done, you'll get the Windows Firewall confirmation dialog next time the application tries to start its networking.


This may not be the most popular answer for some people, but it's by far the easiest and answers your question. Simply restore your Windows Firewall settings to default. It's the easiest solution because it will re-trigger the confirmation dialog the next time the application requires firewall permissions, and you don't have to go digging through logs for the exact program name. I like to do this at least once a year anyways so that I can remember exactly what is allowed.

Of course this may not be a good idea if you've spent hours configuring ports for a media server or something, but for most people it should be fine.

To do this, open the "Windows Firewall" page in Control Panel and click "Restore defaults".

enter image description here enter image description here

Tags:

Windows

Windows 7

Windows Firewall

Recent Posts