windows

• Windows SSH Remote Login
• Understanding Windows Networking_WFP
• Understanding Windows Event Tracing (ETW)
• wireguard configuration
• Windows Blocking Network Traffic Capture
• Windows Firewall Management – netsh
• Windows Resources
• Windows Guide
• window-message
• Win-to-go

Windows SSH Remote Login

Enabling SSH remote access on Windows typically requires Windows’ built-in OpenSSH feature. Below are step-by-step instructions:

Check and Install OpenSSH

1. Check whether OpenSSH is already installed:

   • Open Settings > Apps > Apps & features > Manage optional features.
   • Look for OpenSSH Server in the list. If found, it is already installed.

2. Install OpenSSH:

   • If OpenSSH Server is not listed, click Add a feature, locate OpenSSH Server in the list, click it, then click Install.

Start and Configure the OpenSSH Service

1. Start the OpenSSH service:

   • After installation, open Command Prompt (run as administrator).
   • Type net start sshd to start the OpenSSH service. To make it start automatically at boot, run sc config sshd start= auto.

2. Configure the firewall:

   • Ensure the Windows firewall allows SSH connections. Go to Control Panel > System and Security > Windows Defender Firewall > Advanced settings, create an inbound rule to allow connections on TCP port 22.

Get the IP Address and Test the Connection

1. Get the IP address:

   • To connect from another machine, you’ll need the IP address of the Windows PC where SSH was enabled. Run ipconfig at the command prompt to find it.

2. Connection test:

   • Use an SSH client (e.g., PuTTY, Termius) from another computer or device to connect, using the format ssh username@your_ip_address, where username is the Windows account name and your_ip_address is the address you just obtained.

Modify Configuration

Avoid logging in with passwords—this is a must-avoid trap. Always use public keys to log in.
We need to disable password login and enable public-key login by adjusting the configuration.

Because the file is protected, editing it requires special privileges, and its folder and file permissions must be set to specific values. Using a script is strongly recommended.

# Check for admin rights
$elevated = [bool]([System.Security.Principal.WindowsPrincipal]::new(
    [System.Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))

if (-not $elevated) {
    Write-Error "Please run this script with administrator rights"
    exit 1
}

# 1. Check and install the OpenSSH server if necessary
Write-Host "Checking OpenSSH server installation status..."
$capability = Get-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

if ($capability.State -ne 'Installed') {
    Write-Host "Installing OpenSSH server..."
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 | Out-Null
}

# 2. Start and set the OpenSSH service to auto-start
Write-Host "Configuring SSH service..."
$service = Get-Service sshd -ErrorAction SilentlyContinue
if (-not $service) {
    Write-Error "OpenSSH service failed to install"
    exit 1
}

if ($service.Status -ne 'Running') {
    Start-Service sshd
}
Set-Service sshd -StartupType Automatic

# 3. Edit the configuration file
$configPath = "C:\ProgramData\ssh\sshd_config"
if (Test-Path $configPath) {
    Write-Host "Backing up original configuration file..."
    Copy-Item $configPath "$configPath.bak" -Force
} else {
    Write-Error "Configuration file not found: $configPath"
    exit 1
}

Write-Host "Modifying SSH configuration..."
$config = Get-Content -Path $configPath -Raw

# Enable pubkey authentication and disable password login
$config = $config -replace '^#?PubkeyAuthentication .*$','PubkeyAuthentication yes' `
                  -replace '^#?PasswordAuthentication .*$','PasswordAuthentication no'

# Ensure necessary configs are present
if ($config -notmatch 'PubkeyAuthentication') {
    $config += "`nPubkeyAuthentication yes"
}
if ($config -notmatch 'PasswordAuthentication') {
    $config += "`nPasswordAuthentication no"
}

# Write the new configuration
$config | Set-Content -Path $configPath -Encoding UTF8

Confirm authorized_keys Permissions

# normal user
$authKeys = "$env:USERPROFILE\.ssh\authorized_keys"
icacls $authKeys /inheritance:r /grant "$($env:USERNAME):F" /grant "SYSTEM:F"
icacls "$env:USERPROFILE\.ssh" /inheritance:r /grant "$($env:USERNAME):F" /grant "SYSTEM:F"

# administrator
$adminAuth = "C:\ProgramData\ssh\administrators_authorized_keys"
icacls $adminAuth /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"

Set Firewall Rules

# Allow SSH port
New-NetFirewallRule -DisplayName "OpenSSH Server (sshd)" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Add Public Keys

Normal User

# normal user
$userProfile = $env:USERPROFILE
$sshDir = Join-Path $userProfile ".ssh"
$authorizedKeysPath = Join-Path $sshDir "authorized_keys"
$PublicKeyPath = "D:\public_keys\id_rsa.pub"

# Create .ssh directory
if (-not (Test-Path $sshDir)) {
    New-Item -ItemType Directory -Path $sshDir | Out-Null
}

# Set .ssh directory permissions
$currentUser = "$env:USERDOMAIN\$env:USERNAME"
$acl = Get-Acl $sshDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $currentUser, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.AddAccessRule($rule)
Set-Acl $sshDir $acl

# Add public key
if (Test-Path $PublicKeyPath) {
    $pubKey = Get-Content -Path $PublicKeyPath -Raw
    if ($pubKey) {
        # Ensure newline at end
        if (-not $pubKey.EndsWith("`n")) {
            $pubKey += "`n"
        }

        # Append key
        Add-Content -Path $authorizedKeysPath -Value $pubKey -Encoding UTF8

        # Set file permissions
        $acl = Get-Acl $authorizedKeysPath
        $acl.SetSecurityDescriptorRule(
            (New-Object System.Security.AccessControl.FileSystemAccessRule(
                $currentUser, "FullControl", "None", "None", "Allow"
            ))
        )
        Set-Acl $authorizedKeysPath $acl
    }
} else {
    Write-Error "Public key file not found: $PublicKeyPath"
    exit 1
}

# Restart SSH service
Write-Host "Restarting SSH service..."
Restart-Service sshd

Administrator User

# administrator
$adminSshDir = "C:\ProgramData\ssh"
$adminAuthKeysPath = Join-Path $adminSshDir "administrators_authorized_keys"
$adminPublicKeyPath = "D:\public_keys\id_rsa.pub"

# Create admin SSH directory
if (-not (Test-Path $adminSshDir)) {
    New-Item -ItemType Directory -Path $adminSshDir | Out-Null
}

# Set admin SSH directory permissions
$adminAcl = Get-Acl $adminSshDir
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$adminAcl.AddAccessRule($adminRule)
Set-Acl $adminSshDir $adminAcl

# Add admin public key
if (Test-Path $adminPublicKeyPath) {
    $adminPubKey = Get-Content -Path $adminPublicKeyPath -Raw
    if ($adminPubKey) {
        # Ensure newline at end
        if (-not $adminPubKey.EndsWith("`n")) {
            $adminPubKey += "`n"
        }

        # Append key
        Add-Content -Path $adminAuthKeysPath -Value $adminPubKey -Encoding UTF8

        # Set file permissions
        $adminAcl = Get-Acl $adminAuthKeysPath
        $adminAcl.SetSecurityDescriptorRule(
            (New-Object System.Security.AccessControl.FileSystemAccessRule(
                "Administrators", "FullControl", "None", "None", "Allow"
            ))
        )
        Set-Acl $adminAuthKeysPath $adminAcl
    }
} else {
    Write-Error "Admin public key file not found: $adminPublicKeyPath"
    exit 1
}

# Restart SSH service
Write-Host "Restarting SSH service..."
Restart-Service sshd

Understanding Windows Networking_WFP

• Understanding Windows Networking_WFP

Understanding Windows Networking

• Understanding Windows Networking

WFP

Terminology

https://learn.microsoft.com/en-us/windows/win32/fwp/object-model
https://learn.microsoft.com/en-us/windows/win32/fwp/basic-operation
https://learn.microsoft.com/en-us/windows-hardware/drivers/network

callout: A callout provides functionality that extends the capabilities of the Windows Filtering Platform. A callout consists of a set of callout functions and a GUID key that uniquely identifies the callout.
callout driver: A callout driver is a driver that registers callouts with the Windows Filtering Platform. A callout driver is a type of filter driver.
callout function: A callout function is a function that is called by the Windows Filtering Platform to perform a specific task. A callout function is associated with a callout.
filter: A filter is a set of functions that are called by the Windows Filtering Platform to perform filtering operations. A filter consists of a set of filter functions and a GUID key that uniquely identifies the filter.
filter engine: The filter engine is the component of the Windows Filtering Platform that performs filtering operations. The filter engine is responsible for calling the filter functions that are registered with the Windows Filtering Platform.
filter layer: A filter layer is a set of functions that are called by the Windows Filtering Platform to perform filtering operations. A filter layer consists of a set of filter layer functions and a GUID key that uniquely identifies the filter layer.

The dispatcher queue triggers callbacks as soon as possible without waiting for the queue to fill, thus satisfying real-time requirements.
When the user callback is slow, blocked packets are inserted into the next queue whenever possible, up to a queue limit of 256. Any additional blocked packets are buffered by the system. Rough testing shows a buffer capacity of around 16,500; this system cache size can vary with machine performance and configuration.

When the user callback processes a packet, there are two packet entities:

• Kernel packet: Released in bulk after the callback finishes processing the queue. Therefore, when the callback is slow, one callback execution can lock up to 256 system packet buffers.
• Copy in callback: Released immediately after the individual packet is processed.

Copying and assembling packets in FwppNetEvent1Callback does not touch the original packets, so business operations remain unaffected.

Subscribing with template filters can reduce the number of packets that need processing:

https://learn.microsoft.com/en-us/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_net_event_enum_template0

filterCondition

An array of FWPM_FILTER_CONDITION0 structures containing distinct filter conditions (duplicate filter conditions will produce an error). All conditions must be true for the action to occur; in other words, the conditions are AND’ed together. If no conditions are provided, the action is always performed.

• Identical filters cannot be used.
• The relationship among all filters is logical AND—all must be satisfied.
• Microsoft documentation lists eight supported filters, but in practice many more are supported.

FWPM_CONDITION_IP_PROTOCOL
The IP protocol number, as specified in RFC 1700.

FWPM_CONDITION_IP_LOCAL_ADDRESS
The local IP address.

FWPM_CONDITION_IP_REMOTE_ADDRESS
The remote IP address.

FWPM_CONDITION_IP_LOCAL_PORT
The local transport protocol port number. For ICMP, this is the message type.

FWPM_CONDITION_IP_REMOTE_PORT
The remote transport protocol port number. For ICMP, this is the message code.

FWPM_CONDITION_SCOPE_ID
The interface IPv6 scope identifier; reserved for internal use.

FWPM_CONDITION_ALE_APP_ID
The full path of the application.

FWPM_CONDITION_ALE_USER_ID
The identification of the local user.

Enumerating registered subscriptions shows two existing ones. Their sessionKey GUIDs provide no clues about the registering identity. Analysis shows each implements:

• Subscription to all FWPM_NET_EVENT_TYPE_CLASSIFY_DROP packets to collect statistics on dropped packets.
• Subscription to all FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW packets for traffic accounting.

Both subscriptions use the condition filter FWPM_CONDITION_NET_EVENT_TYPE (206e9996-490e-40cf-b831-b38641eb6fcb), confirming that more filters can be applied than the eight listed in Microsoft’s documentation.

Further investigation indicates that the user-mode API can only capture drop events. Non-drop events must be obtained via kernel mode, so a micro-segmentation solution cannot use FWPM_CONDITION_NET_EVENT_TYPE to gather events.

Understanding Windows Event Tracing (ETW)

• Understanding Windows Event Tracing (ETW)

Understanding ETW

Some unnecessary information has been filtered out; see the complete documentation at: https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal

Understanding the Basics

https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing

Session

There are four kinds of sessions:

Tools

• logman
• wevtutil
  • XPath query example: wevtutil qe Security /c:2 /q:"*[System[EventID=5157]]" /f:text
• tracelog
  • To use the Visual Studio tracelog tool, you can dynamically add and remove ETW Providers and ETW Sessions at runtime.
• mc
• etw-providers-docs

wireguard configuration

• wireguard configuration

wireguard Configuration

Firewall Configuration

wireguard /installtunnelservice <wg_conf_path>
wg show
Get-NetConnectionProfile
Get-NetAdapter
Get-NetFirewallProfile
Set-NetFirewallProfile -Profile domain,public,private -DisabledInterfaceAliases <wg_config_name>
Set-NetIPInterface -ifindex <interface index> -Forwarding Enabled
New-NetFirewallRule -DisplayName "@wg1" -Direction Inbound  -RemoteAddress 10.66.66.1/24 -Action Allow
New-NetFirewallRule -DisplayName "@wg1" -Direction Outbound -RemoteAddress 10.66.66.1/24 -Action Allow

# Locate the blocking cause
auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
wevtutil qe Security /q:"*[System/EventID=5152]" /c:5 /rd:true /f:text
auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable

Windows Blocking Network Traffic Capture

• Windows Blocking Network Traffic Capture

Windows Blocking Network Traffic Capture

• Windows Blocking Network Traffic Capture
  • Setting Up a Test Project
  • Capturing Block Events via Auditing
    • Obtaining Provider Information
    • Triggering a Block Event
  • Monitoring Network Events (NET_EVENT)
  • Monitoring Network Connections (NetConnection)
  • Application Layer Enforcement (ALE) Introduction
  • Coding
  • Conclusion
  • Appendix
    • WFP Architecture
    • Data Flow
    • Reference Links

• Need to identify blocked traffic, including outbound and inbound.
• Two ways of blocking: by connection or by packet. Packet drops occur frequently and the reason must be audited; connection‐oriented blocks align better with real-world monitoring.
• Many normally processed packets may also be dropped, so we must distinguish drops from actual blocks—we focus on blocks.

Setting Up a Test Project

WFP mainly runs in user mode and partly in kernel mode, exposed as drivers. The test setup is complex.
Recommended: run a separate physical machine for testing, compile on the dev box, then copy and remotely debug on the test machine.
For those with limited resources, local debugging on the same machine is also possible.

• Microsoft WFP Sample Project
  • Focus only on: Windows-driver-samples\network\trans\WFPSampler
• WFPSampler Guide

Build Issues:

• Missing api-ms-win-net-isolation-l1-1-0
• wfpcalloutsclassreg-not-found

Other Issues:

• Driver Does Not Run
• How to Sign
• Preparing a Target Machine for Manual Driver Deployment

Capturing Block Events via Auditing

• Auditing Docs
• auditpol Docs

By default, auditing for WFP is off.

• Audit can be enabled by category (via Group Policy Object Editor MMC, Local Security Policy MMC, or auditpol.exe).
• Audit can also be enabled by subcategory with auditpol.exe.
• Always use GUIDs—otherwise localized display strings break cross-language systems.
• Audit uses circular logs of 128 KB—low resource impact.

Categories https://docs.microsoft.com/en-us/windows/win32/secauthz/auditing-constants

Object Access subcategories and their GUIDs https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d

Policy Change subcategories and GUIDs:

# auditpol reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
# This section focuses on the 'Object Access' category
# List available fields
# -v shows GUID, -r produces CSV report
auditpol /list /category /v
auditpol /list /subcategory:* /v
# Get audit settings for a subcategory
auditpol /get /category:'Object Access' /r | ConvertFrom-Csv | Get-Member
# Query subcategory GUID
auditpol /get /category:'Object Access' /r | ConvertFrom-Csv | Format-Table Subcategory,'Subcategory GUID','Inclusion Setting'
# Lookup subcategory
auditpol /list /subcategory:"Object Access","Policy Change" -v
# Backup
auditpol /backup /file:d:\audit.bak
# Restore
auditpol /restore /file:d:\audit.bak
# Modify Policy
# **Policy Change**    | {6997984D-797A-11D9-BED3-505054503030}
auditpol /set /category:"{6997984D-797A-11D9-BED3-505054503030}" /success:disable /failure:disable
# Filtering Platform Policy Change | {0CCE9233-69AE-11D9-BED3-505054503030}
auditpol /set /subcategory:"{0CCE9233-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

# **Object Access**    | {6997984A-797A-11D9-BED3-505054503030}
auditpol /get /category:"{6997984A-797A-11D9-BED3-505054503030}"
auditpol /set /category:"{6997984A-797A-11D9-BED3-505054503030}" /success:disable /failure:disable
# Filtering Platform Packet Drop | {0CCE9225-69AE-11D9-BED3-505054503030}
auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
# Filtering Platform Connection  | {0CCE9226-69AE-11D9-BED3-505054503030}
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable

# Read audit logs
$Events = Get-WinEvent -LogName 'Security'
foreach ($event in $Events) {
    ForEach ($line in $($event.Message -split "`r`n")) {
        Write-Host $event.RecordId ':' $Line
        break
    }
}

Event Details:

Events to Focus On:

• Audit Filtering Platform Packet Drop

  • These events generate huge volumes; focus on 5157, which records almost the same data but per-connection rather than per-packet.

  • Failure volume is typically very high for this subcategory and mainly useful for troubleshooting. To monitor blocked connections, 5157(F): The Windows Filtering Platform has blocked a connection is recommended since it contains nearly identical information and generates per-connection instead of per-packet.

  • 5152

  • 5153

• Audit Filtering Platform Connection
  • It is best to monitor only failure events such as blocked connections; track allowed connections only when necessary.
  • 5031
    • If there are no firewall rules (Allow or Deny) for a specific application in Windows Firewall, traffic will be dropped at the WFP layer, which by default denies all inbound connections.
  • 5150
  • 5151
  • 5155
  • 5157
  • 5159

Obtaining Provider Information

# List security-related providers
Get-WinEvent -ListProvider "*Security*" | Select-Object ProviderName,Id
# Microsoft-Windows-Security-Auditing                             54849625-5478-4994-a5ba-3e3b0328c30d
# Show tasks for a provider
Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing" | Select-Object -ExpandProperty tasks
# SE_ADT_OBJECTACCESS_FIREWALLCONNECTION       12810 Filtering Platform Connection          00000000-0000-0000-0000-000000000000

Triggering a Block Event

Warning: Creating block filters affects other software on the host!
You can immediately clean up with .\WFPSampler.exe -clean.

Steps:

1. Enable auditing for Filtering Platform Connection:
   auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

2. Open Event Viewer, create a Custom View/filter for IDs 5155, 5157, 5159.

3. Add a WFP filter using WFPSampler.exe to block listening on port 80:
   .\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_LISTEN_V4 -iplp 80

4. Run a third-party (non-IIS) HTTP server—here we use nginx on port 80. Starting it triggers event 5155.

5. Clean up the filter:
   .\WFPSampler.exe -clean

6. Disable auditing:
   auditpol /set /category:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable

# 5155: an application or service was blocked from listening on a port
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_LISTEN_V4
# 5157: a connection was blocked
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_CONNECT_V4
# 5159: binding to a local port was blocked
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4

# Other
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD

# List a WFP filter by ID:
netsh wfp show filters
# Get layer IDs:
netsh wfp show state

Monitoring Network Events (NET_EVENT)

• Events support both enumeration and subscription.
• Enumeration allows filter criteria, querying events within a time window.
• Subscriptions inject a callback to deliver events in real time.

Supported event types:

typedef enum FWPM_NET_EVENT_TYPE_ {
  FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE = 0,
  FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE,
  FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE,
  FWPM_NET_EVENT_TYPE_CLASSIFY_DROP,
  FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP,
  FWPM_NET_EVENT_TYPE_IPSEC_DOSP_DROP,
  FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW,
  FWPM_NET_EVENT_TYPE_CAPABILITY_DROP,
  FWPM_NET_EVENT_TYPE_CAPABILITY_ALLOW,
  FWPM_NET_EVENT_TYPE_CLASSIFY_DROP_MAC,
  FWPM_NET_EVENT_TYPE_LPM_PACKET_ARRIVAL,
  FWPM_NET_EVENT_TYPE_MAX
} FWPM_NET_EVENT_TYPE;

Enumeration filter fields (FWPM_NET_EVENT_ENUM_TEMPLATE):

Outside of drivers, only basic drop events are returned.

Monitoring Network Connections (NetConnection)

Compared to monitoring network events, monitoring connections requires higher privileges.
callback approach

The caller needs FWPM_ACTRL_ENUM access to the connection objects’ containers and FWPM_ACTRL_READ access to the connection objects. See Access Control for more information.

Monitoring network connections has not yet succeeded.

I found a similar issue: Receiving in/out traffic stats using WFP user-mode API. It matches the behavior I observed—none of the subscribing functions receive any notifications, giving no events and no errors. Neither enabling auditing nor elevating privileges helped. Some noted that non-kernel mode can only receive drop events, which is insufficient for obtaining block events.

Example of adding a security descriptor: https://docs.microsoft.com/en-us/windows/win32/fwp/reserving-ports

Application Layer Enforcement (ALE) Introduction

• ALE comprises a set of kernel-mode filters that support stateful filtering.
• Filters at the ALE layer can authorize connection creation, port allocation, socket management, raw socket creation, and promiscuous-mode reception.
• Classification of ALE-layer filters is based on the connection or socket; filters in other layers can only classify based on individual packets.
• ALE filter reference: ale-layers
  • More filter reference: filtering-layer-identifiers

Coding Notes

Most WFP functions can be invoked from either user mode or kernel mode. However, user-mode functions return a DWORD representing a Win32 error code, whereas kernel-mode functions return an NTSTATUS representing an NT status code.
Therefore, functions share the same names and semantics across modes but have differing signatures. Separate user-mode and kernel-mode headers are required: user-mode header file names end with “u”, and kernel-mode ones end with “k”.

Conclusion

Our requirement is merely to know when events occur; real-time handling is unnecessary, and developing a kernel driver would introduce greater risk. Consequently, we’ll rely on event auditing and monitor event log generation to acquire block events.
A dedicated thread will use NotifyChangeEventLog to watch for new log records.

Appendix

WFP Architecture

WFP (Windows Filter Platform)

Data Flow

Data flow:

1. A packet enters the network stack.
2. The network stack finds and invokes a shim.
3. The shim initiates classification at a particular layer.
4. During classification, filters are matched, and the resulting action is applied. (See Filter Arbitration.)
5. If any callout filters match, their corresponding callouts are invoked.
6. The shim enforces the final filtering decision (e.g., drop the packet).

Reference Links

• Filter types
• Available filtering conditions per layer
• System error codes
• WFP error codes

Windows Firewall Management – netsh

• Windows Firewall Management – netsh

Windows Firewall Management – netsh

Management Tools

netsh advfirewall

# Export firewall rules
netsh advfirewall export advfirewallpolicy.wfw

# Import firewall rules
netsh advfirewall import advfirewallpolicy.wfw

# View firewall state
netsh advfirewall show allprofiles state

# View firewall default policy
netsh advfirewall show allprofiles firewallpolicy
# netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# View firewall settings
netsh advfirewall show allprofiles settings

# Enable firewall
netsh advfirewall set allprofiles state on

# Disable firewall
netsh advfirewall set allprofiles state off

# Display firewall rules
netsh advfirewall firewall show rule name=all

# View firewall status
netsh advfirewall monitor show firewall

netsh firewall (deprecated)

# Display firewall state
netsh firewall show state

netsh mbn (Mobile Broadband network)

netsh wfp

# Display firewall state
netsh wfp show state

# Display firewall filters
netsh wfp show filters

Windows Resources

• Windows Resources

Windows Resources Collection

• Windows Resources Collection
  • Tools
    • Monitoring & Analysis
    • AntiRootkit Tools
    • PE Tools
    • Reverse & Debug
    • Injection Tools
    • Network
    • Stress Testing Tools
    • Others
  • Code
    • Operating System
    • Kernel Examples
    • VT Technology
    • Miscellaneous
  • CTF Resources
  • Penetration Testing
  • Free Patent Search

This section lists only some common Windows tools for debugging, troubleshooting, and testing. Tools for packing/unpacking, encryption/decryption, file editors, and programming tools are omitted for brevity.

Tools

Monitoring & Analysis

AntiRootkit Tools

PE Tools

Reverse & Debug

Injection Tools

Network

Stress Testing Tools

Others

Code

Operating System

Kernel Examples

VT Technology

Miscellaneous

CTF Resources

Penetration Testing

Free Patent Search

Windows Guide

• Windows Guide

Windows

• [Win-to-go]
• [Understanding Windows File System]
• [Understanding Windows Processes]
• [Windows Related Resources]
• [Advanced Windows Management]
• [Windows Firewall Management - netsh]
• [Blocking Windows Network Traffic Acquisition]
• [Windows Troublesome Issues]
• [Understanding Windows Event Tracing (ETW)]
• [Understanding Windows Networking (WFP)]
• [windows-ipv6-management]
• [IPv6 Issues When Bridging Windows]
• [wireguard configuration]

window-message

• window-message

windows-message

• All windows messages as C# enum (github.com)
• List Of Windows Messages - WineHQ Wiki
• pinvoke.net: WM (Constants)
• pinvoke.net: WindowsMessages (Enums)
• Window Notifications

Win-to-go

===

Windows To Go is convenient for portability, but several traditional Windows features are restricted.

• Preface
• Windows To Go Overview
• Differences between Windows To Go and traditional Windows installation
• Using Windows To Go for mobile work
• Preparing to install Windows To Go
• Hardware requirements
• USB hard drive or flash drive
• Host computer
• Checking architecture compatibility between host PC and Windows To Go drive
• Common Windows To Go questions

Preface

Windows To Go has existed for many years, yet there are so few Chinese-language resources on it—one can’t help but worry about the state of domestic IT documentation. The author has limited experience but is exposed to plenty of English development docs and hopes to lay some groundwork for future readers; any mistakes pointed out will be welcomed. For those comfortable reading English, comprehensive official documentation is available at the links below:

• Windows To Go Overview
• Best practice recommendations for Windows To Go
• Deployment considerations for Windows To Go
• Prepare your organization for Windows To Go
• Security and data protection considerations for Windows To Go
• Windows To Go: frequently asked questions

This post covers the overview and some common questions—mostly translations with the occasional author note (indicated by [J] until the next full stop) to prevent misinformation.

Windows To Go Overview

Windows To Go is a feature of Windows Enterprise and Education editions; it is not available in the Home edition used by most general consumers. It allows you to create a portable Windows system on a USB drive or hard disk. Windows To Go is not intended to replace traditional installation methods; its main purpose is to let people who frequently switch workspaces do so more efficiently. Before using Windows To Go, you need to be aware of the following:

• Differences between Windows To Go and traditional Windows installation
• Using Windows To Go for mobile work
• Preparing to install Windows To Go
• Hardware requirements

Differences between Windows To Go and traditional Windows installation

Windows To Go behaves almost like a normal Windows environment except for these differences:

• All internal drives except the USB device you’re running from are offline by default—invisible in File Explorer—to safeguard data. [J]You still have ways to bring those drives online and change their files.
• The Trusted Platform Module (TPM) is unavailable. TPM is tied to an individual PC to protect business data. [J]Most consumer machines don’t have it, but if your corporate laptop is domain-joined, it’s best not to use Windows To Go on it; otherwise, freshen up your résumé first.
• Hibernation is disabled by default in Windows To Go but can be re-enabled via Group Policy. [J]Many machines break USB connections during hibernation and cannot resume—Microsoft anticipated this and disabled it; there’s usually no reason to change that setting.
• Windows Restore is disabled. If the OS breaks, you’ll need to reinstall.
• Factory reset and Windows Reset are unavailable.
• In-place upgrades are not supported. The OS stays at whatever version it was installed as—you cannot go from Windows 7 to 8 or from Windows 10 RS1 to RS2.

Using Windows To Go for mobile work

Windows To Go can boot on multiple machines; the OS will automatically determine the needed drivers. Apps tightly coupled to specific hardware may fail to run. [J]ThinkPad track-pad control apps or fingerprint utilities, for example.

Preparing to install Windows To Go

You can use System Center Configuration Manager or standard Windows deployment tools such as DiskPart and Deployment Image Servicing and Management (DISM). Consider:

• Do you need to inject any drivers into the Windows To Go image?
• How will you store and sync data when switching between machines?
• 32-bit or 64-bit? [J]All new hardware supports 64-bit; 64-bit CPUs can run 32-bit OSes, but 32-bit CPUs cannot run 64-bit OSes. 64-bit systems also consume more disk and memory. If any target machine has a 32-bit CPU or less than 4 GB RAM, stick with 32-bit.
• What resolution should you use when remoting in from external networks?

Hardware requirements

USB hard drive or flash drive

Windows To Go is specifically optimized for certified devices:

• Optimizes USB devices for high random read/write, ensuring smooth daily use.
• Can boot Windows 7 and later from certified devices.
• Continues to enjoy OEM warranty support even while running Windows To Go. [J]The host PC’s warranty wasn’t mentioned.

Uncertified USB devices are not supported. [J]Try it and you’ll learn quickly why—it just won’t work. [J]Non-standard hacks (e.g., spoofing device IDs) are out there but outside scope.

Host computer (Host computer)

• Certified for Windows 7 and later.
• Windows RT systems are unsupported.
• Apple Macs are unsupported. [J]Even though the web is full of success stories on using Windows To Go on a Mac, the official stance is clear: no support.

Minimum specs for a host computer:

Checking architecture compatibility between host PC and Windows To Go drive

Common Windows To Go questions

Windows To Go: frequently asked questions