Windows Firewall: Logging/Notifying on outgoing request attempts

In Windows 7 & 8 you need to first enable Auditing of failed connections.

Local Computer Policy (Run: GPEdit.msc) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access : Failure

Now dropped connections along with the corresponding executable name should show at:

Event log > Windows Logs > Security:

  1. The Windows Filtering Platform has blocked a packet : [Event Id: 5152]
  2. The Windows Filtering Platform has blocked a connection : [Event Id: 5157]

Here, you will find:

Application Name: \device\harddiskvolume2\program files\xyz.exe

I was looking for same problem, and neither the Event Viewer (no events) nor the pfirewall.log option (no name of the violating program) helped me to identify what's going on.

Looking around I fond Windows Firewall Notifier, which even provides a GUI that shows the offending program and allows to generate exception rules (you need to thell WFN to create rules, not exceptions when calling it for the first time).

You should be able to see this in Event Viewer. First you'll need to tweak the logging options in the Advanced Settings Console:

alt text

In the Event Viewer's left pane, expand to Applications and Services Log -> Microsoft -> Windows -> Windows Firewall with Advanced Security:

alt text

There, you can create a custom view and filter the log to only outbound connection attempts.