How can I track which software/process stops the Windows firewall?












1















Something stops the Windows firewall.
If I restart it, it is stopped again within 2 minutes.



How can I track which software/process stops it?



Or how to configure the event manager in order to track what is stopping the firewall?



Thanks in advance










      windows-10 firewall event-log trojan














      edited Jan 25 at 9:33







      Alex

















      asked Jan 2 '17 at 9:36









      Alex






















          2 Answers
            You can see the events here:

            Application and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security

            Here you can check who and what has disabled your firewall; in my case I did it myself just to test. It should look something like this: you can see that Value = No. That means the firewall is turned off.

            [Screenshot: Firewall off]

















            answered Jan 2 '17 at 10:08









            Bungicasse













            • Thanks a lot: The application is this one: C:\Windows\SysWOW64\netsh.exe. Is it that some script is launching it? I now have to track what is launching netsh, no?

              – Alex
              Jan 2 '17 at 11:32













            • And modifying user is the System S-1-5-18 which is not the current user S-1-5-21-4001752...

              – Alex
              Jan 2 '17 at 11:37













            • Are you on a home network or in a work/domain network? If you're in a work network I would advise you to call your IT-Administrator immediately and let him know that someone or something is messing with your firewall. If you are on your home network I would advise you to give us some more information. Which antivirus you use etc.

              – Bungicasse
              Jan 2 '17 at 13:53











            • Computer is on the home network, with various Windows and Linux machines on this network. The only protection is the Windows Defender.

              – Alex
              Jan 2 '17 at 16:27











            • A scan searching for advfirewall only found a gatherNetworkInfo.vbs script and AuthFWSnapIn and MIGUIControls.resources DLLs. No other scripts or executables.

              – Alex
              Jan 2 '17 at 16:29
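
One way to answer the follow-up in the comments above (what is launching netsh), as an added example that is not part of the original posts: turn on process-creation auditing, then match each firewall setting-change event to the process start behind it. It assumes event ID 2003 with `ModifyingUser`/`ModifyingApplication` fields in the firewall log and the Windows 10 `ParentProcessName` field in Security event 4688; the one-hour and 30-second windows are arbitrary choices.

```powershell
# Added example, not from the original answers. Run in an elevated PowerShell.

# 1) One-time setup: log every process start (Security event 4688) with its command line.
#    "Process Creation" is the English subcategory name; it is localized on other systems.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Flatten the named <Data> elements of an event record into a hashtable.
function Get-EventField {
    param($Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 2) Re-enable the firewall, wait until it is off again, then run from here on.
#    Event ID 2003 and its field names are assumptions; check them in the XML view
#    of one of your own events in the log named in the answer.
$fwLog   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$changes = Get-WinEvent -FilterHashtable @{
    LogName = $fwLog; Id = 2003; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$report = foreach ($change in $changes) {
    $fw  = Get-EventField $change
    $exe = Split-Path -Leaf $fw['ModifyingApplication']

    # Process starts in the 30 seconds before the change whose image name matches
    # the modifying application (netsh.exe in the thread above).
    $starts = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'; Id = 4688
        StartTime = $change.TimeCreated.AddSeconds(-30)
        EndTime   = $change.TimeCreated.AddSeconds(1)
    } -ErrorAction SilentlyContinue

    foreach ($start in $starts) {
        $p = Get-EventField $start
        if ((Split-Path -Leaf $p['NewProcessName']) -ne $exe) { continue }
        [pscustomobject]@{
            ChangeTime    = $change.TimeCreated
            ModifyingUser = $fw['ModifyingUser']
            ModifyingApp  = $fw['ModifyingApplication']
            CommandLine   = $p['CommandLine']
            ParentProcess = $p['ParentProcessName']              # logged on Windows 10
            ParentPid     = [Convert]::ToInt32($p['ProcessId'], 16)  # creator PID is hex
        }
    }
}
$report | Sort-Object ChangeTime | Format-List
```

When the modifying user is S-1-5-18 as in the comment above, the parent is usually a service or a scheduled task, so the `ParentProcess` path is the next thing to scan or inspect.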



















                Finally I installed an anti-virus "Avira" and launched a scan several times. First it found the Trojan "TR/Crypt.XPACK.e5637e" in various files:



                C:WINDOWSurzivdfs.exe 
                C:WINDOWSjupkeyptbl.exe
                C:WINDOWSurzivdfs.exe


                Second the "TR/BitCoinMiner.fopp" in



                C:Windowsp2p_05win32win32blot2.exe


                Now everything is fine: the firewall remains ON.



                Thanks Bungicasse, your help led me to the conclusion that something maliciously stopped the firewall using the netsh command.



                Thanks again,



                Alex

















                answered Jan 5 '17 at 20:31









                Alex





























