Troubleshooting UWP App Connectivity Issues

This document is intended to help network administrators, support engineers, and developers investigate UWP app network connectivity issues.

It walks through the steps for debugging Universal Windows Platform (UWP) app network connectivity issues, using practical examples.

Typical causes of connectivity issues

UWP app network connectivity issues are usually caused by one of the following:

  1. The UWP app is not permitted to receive loopback traffic. This permission must be configured explicitly; by default, UWP apps are not allowed to receive loopback traffic.
  2. The UWP app is missing the proper capability tokens.
  3. The private ranges are configured incorrectly, for example set wrongly through Group Policy or MDM policy.

To understand these causes more thoroughly, a few concepts need to be reviewed.

Which network packets are (and are not) allowed on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app or the private ranges are configured incorrectly, it changes how WFP handles the UWP app's network traffic.

When WFP processes a packet, the packet's characteristics must explicitly match all of a filter's conditions for the filter to permit or drop it on the way to its destination address. Connectivity issues typically occur when a packet matches none of the filter conditions, so the default block filter drops it. The default block filter exists to guarantee network isolation for UWP apps: it ensures that a packet from an app that does not hold the proper capability for the resource it is trying to reach is dropped. This is what gives an app fine-grained access per resource type and prevents it from escaping its environment.

For more information about the filter arbitration algorithm and network isolation, see Filter Arbitration and Isolation.

The following sections walk through example debugging cases for loopback and non-loopback UWP app network connectivity issues.

Note

Because of improvements to debugging and diagnostics in the Windows Filtering Platform, the trace examples in this document may not match exactly what is collected on previous versions of Windows.

Debugging UWP app loopback scenarios

If you need to establish a TCP/IP connection between two processes on the same host and one of them is a UWP app, loopback must be enabled.

To enable loopback for client outbound connections, run the following at a command prompt:

CheckNetIsolation.exe LoopbackExempt -a -n=<AppContainer or Package Family>

To enable loopback for server inbound connections, run the following at a command prompt:

CheckNetIsolation.exe LoopbackExempt -is -n=<AppContainer or Package Family>

You can verify that loopback is enabled by checking the appx manifests of the sender and receiver; CheckNetIsolation.exe LoopbackExempt -s lists the AppContainers that are currently exempt.

For more information about loopback scenarios, see Communicating with localhost (loopback).

Note

If you are developing a UWP app and want to test its loopback, make sure to uninstall and reinstall the app whenever its network capabilities change for any reason.

See also How to enable loopback and troubleshoot network isolation (Windows Runtime apps).

Debugging live drops

If the issue occurred recently but you cannot reproduce it, go to Debugging past drops for the appropriate trace commands.

If you can reproduce the issue consistently, collect a fresh trace by running the following commands from an administrator command prompt:

Netsh wfp capture start keywords=19
<Run UWP app>
Netsh wfp capture stop

These commands generate wfpdiag.cab. Inside the .cab is a wfpdiag.xml that contains every allow or drop netEvent, and every filter, that existed during that repro. Without "keywords=19", the trace collects only drop netEvents.

In wfpdiag.xml, search for netEvents whose type is FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. To find the relevant drop events, look for the ones whose destination IP address, package SID, or application ID name matches the app. The application ID is stored as a UTF-16LE string, so in the asString rendering every character is followed by a period (the zero high byte):

Example:

<asString>
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e...

</asString>

The netEvent carries the details of the dropped packet, including the app's capabilities, the filter that dropped the packet, and so on.
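The search described above can be scripted. The following is an added example, not code from the original page: it pulls the netEvent records out of a wfpdiag.xml (or a netevents.xml from netsh wfp show netevents, whose records are wrapped in <item> rather than <netEvent>), keeps the CLASSIFY_DROP events for one package SID or destination, decodes the appId blob (UTF-16LE, which is why asString shows a period after every character), and reports each drop's capabilities and terminating filters. The element names are the ones visible in the traces on this page; the package path, package SID and addresses in the embedded sample are constructed.

```python
"""Triage WFP netEvents from wfpdiag.xml (netsh wfp capture) or netevents.xml
(netsh wfp show netevents). Added example; element names follow the traces on
this page, and the sample package, SID and addresses below are constructed."""
import xml.etree.ElementTree as ET

NET_EVENT_PREFIX = "FWPM_NET_EVENT_TYPE_"


def encode_app_id(path):
    """Hex-encode a path the way <appId><data> stores it: UTF-16LE plus a NUL."""
    return (path.encode("utf-16-le") + b"\x00\x00").hex()


def decode_app_id(hex_data):
    """Reverse of encode_app_id; the NUL high bytes are the periods seen in <asString>."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def _text(el, path, default=""):
    found = el.find(path) if el is not None else None
    return found.text.strip() if found is not None and found.text else default


def _addr(header, prefix):
    """localAddrV4 / localAddrV6.byteArray16 etc.: match on the tag prefix."""
    return next(((c.text or "").strip() for c in header if c.tag.startswith(prefix)), "")


def parse_net_events(xml_text):
    """One dict per netEvent record (both <netEvent> and <item> wrappers)."""
    events = []
    for el in ET.fromstring(xml_text).iter():
        ev_type = _text(el, "type")
        if not ev_type.startswith(NET_EVENT_PREFIX):
            continue
        header, internal = el.find("header"), el.find("internalFields")
        verdict = el.find("classifyDrop")
        if verdict is None:
            verdict = el.find("classifyAllow")
        app_hex = _text(header, "appId/data")
        events.append({
            "type": ev_type[len(NET_EVENT_PREFIX):],   # CLASSIFY_DROP / CLASSIFY_ALLOW
            "time": _text(header, "timeStamp"),
            "local": _addr(header, "localAddr"),
            "remote": _addr(header, "remoteAddr"),
            "remote_port": int(_text(header, "remotePort", "0")),
            "app": decode_app_id(app_hex) if app_hex else "",
            "package_sid": _text(header, "packageSid"),
            "filter_id": int(_text(verdict, "filterId", "0")),
            "layer_id": int(_text(verdict, "layerId", "0")),
            "capabilities": [c.text.strip() for c in internal.findall("capabilities/item")]
                            if internal is not None else [],
            "terminating": [(int(_text(i, "filterId")), _text(i, "subLayer"), _text(i, "actionType"))
                            for i in internal.findall("terminatingFiltersInfo/item")]
                           if internal is not None else [],
        })
    return events


def find_drops(events, package_sid=None, remote=None):
    """The search the text describes: drops for one package SID and/or destination."""
    return [e for e in events if e["type"] == "CLASSIFY_DROP"
            and (package_sid is None or e["package_sid"] == package_sid)
            and (remote is None or e["remote"] == remote)]


def diagnose(ev):
    """First-order reading of a drop, following the page's checklist."""
    if ev["type"] != "CLASSIFY_DROP":
        return "permitted by filter %d" % ev["filter_id"]
    if not ev["capabilities"]:
        return "dropped by filter %d: app has no network capability tokens (check the appx manifest)" % ev["filter_id"]
    return ("dropped by filter %d: app holds %s but none grants access to %s "
            "(wrong capability for this resource, or destination outside the private ranges)"
            % (ev["filter_id"], ", ".join(ev["capabilities"]), ev["remote"]))


# Constructed sample data (not a real package): same app, Case 2 style drop and Case 4 style drop.
APP = r"\device\harddiskvolume1\program files\windowsapps\contoso.socketclient_1.0.0.0_x64__1234567890abc\client.exe"
PKG = "S-1-15-2-1111111111-2222222222-3333333333-4444444444-5555555555-6666666666-7777777777"
_TERM = ("<terminatingFiltersInfo><item><filterId>{0}</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH"
         "</subLayer><actionType>FWP_ACTION_BLOCK</actionType></item><item><filterId>{1}</filterId>"
         "<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>"
         "</terminatingFiltersInfo>")
SAMPLE_XML = f"""<wfpdiag><netEvents>
<netEvent><header><timeStamp>2020-03-30T23:53:09.720Z</timeStamp>
<localAddrV6.byteArray16>2001:db8::10</localAddrV6.byteArray16><remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>63187</localPort><remotePort>443</remotePort>
<appId><data>{encode_app_id(APP)}</data></appId><packageSid>{PKG}</packageSid></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>68893</filterId><layerId>50</layerId></classifyDrop>
<internalFields><capabilities/>{_TERM.format(68893, 68879)}</internalFields></netEvent>
<netEvent><header><timeStamp>2020-05-22T21:29:28.601Z</timeStamp>
<localAddrV4>10.216.117.17</localAddrV4><remoteAddrV4>10.50.50.50</remoteAddrV4>
<localPort>52998</localPort><remotePort>53</remotePort>
<appId><data>{encode_app_id(APP)}</data></appId><packageSid>{PKG}</packageSid></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>121180</filterId><layerId>48</layerId></classifyDrop>
<internalFields><capabilities><item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
<item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item></capabilities>{_TERM.format(121180, 121165)}</internalFields></netEvent>
</netEvents></wfpdiag>"""

if __name__ == "__main__":
    for ev in find_drops(parse_net_events(SAMPLE_XML), package_sid=PKG):
        print(ev["time"], ev["app"].rsplit("\\", 1)[-1], "->", ev["remote"], ev["remote_port"])
        print("    ", diagnose(ev))
```

To use it on a real capture, read wfpdiag.xml (or netevents.xml) from disk and pass the text to parse_net_events, then narrow with find_drops using the package SID from Get-AppxPackage or the destination address you expect; diagnose only states which of the two checks the text describes failed first, the filter id it names is what you then look up in the filter list.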

Case 1: UWP app connects to an Internet destination address with all capabilities

In this example, the UWP app successfully connects to bing.com [2620:1ec:c11::200].

A packet from a UWP app needs the correct network capability token for the resource it is trying to reach.

In this scenario the app can send packets to the Internet destination because it holds the Internet capability token.

The following shows the allow netEvent for the app connecting to the destination IP. The netEvent includes information about the packet such as its local address, remote address, and capabilities.

Classify Allow netEvent, Wfpdiag-Case-1.xml

<netEvent>
    <header>
    <timeStamp>2020-05-21T17:25:59.070Z</timeStamp>
    <flags numItems="9">
        <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
        <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
        <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
        <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
        <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
        <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
        <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>    
        <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
        <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V6</ipVersion>
    <ipProtocol>6</ipProtocol>                
    <localAddrV6.byteArray16>2001:4898:30:3:256c:e5ba:12f3:beb1</localAddrV6.byteArray16>    
    <remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>52127</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>                
    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
       .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-2993214446-1947230185-131795049-1000</userId>
<addressFamily>FWP_AF_INET6</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
<classifyAllow>
    <filterId>125918</filterId>
    <layerId>50</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
</classifyAllow>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities numItems="3">                
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
</capabilities>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
    <item>
        <filterId>125918</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    <item>
        <filterId>121167</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>

Below is the filter that permitted the packet to the destination address, according to the terminatingFiltersInfo in the netEvent. Filter #125918, from the InternetClient Default Rule, permits this packet.

InternetClient Default Rule filter #125918, Wfpdiag-Case-1.xml

<item>
    <filterKey>{3389708e-f7ae-4ebc-a61a-f659065ab24e}</filterKey>
    <displayData>
    <name>InternetClient Default Rule</name>
    <description>InternetClient Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>ad2b000000000000</data>
    <asString>.+......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
     <matchType>FWP_MATCH_RANGE</matchType>
      <conditionValue>
      <type>FWP_RANGE_TYPE</type>
      <rangeValue>
     <valueLow>
    <type>FWP_BYTE_ARRAY16_TYPE</type>
    <byteArray16>::</byteArray16>
    </valueLow>
    <valueHigh>
    <type>FWP_BYTE_ARRAY16_TYPE</type>
    <byteArray16>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</byteArray16>
    </valueHigh>
    </rangeValue>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>125918</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>103079219136</uint64>
    </effectiveWeight>
</item>

Capability condition in filter #125918, Wfpdiag-Case-1.xml

<item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
</item>

This condition is what makes the filter check capabilities.

The important part of the condition is S-1-15-3-1, the capability SID for the INTERNET_CLIENT privilege.

Capabilities section of the netEvent, Wfpdiag-Case-1.xml

<capabilities numItems="3">                
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
</capabilities>

These capabilities show that the packet came from an app holding the Internet client token (FWP_CAPABILITIES_FLAG_INTERNET_CLIENT), which matches the capability SID in the filter. The filter's other conditions are all satisfied too, so the packet is permitted. Note that the only capability token the packet needs to reach bing.com is the Internet client token, even though in this example the packet carries all capabilities.

Case 2: UWP app cannot reach an Internet destination address and has no capabilities

In this example, the UWP app is unable to connect to [2620:1ec:c11::200] bing.com.

The following is the drop netEvent captured in the trace.

Classify Drop netEvent, Wfpdiag-Case-2.xml

<netEvent>
<header>
<timeStamp>2020-03-30T23:53:09.720Z</timeStamp>
<flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V6</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV6.byteArray16>2001:4898:1a:1045:8469:3351:e6e2:543</localAddrV6.byteArray16>
<remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>63187</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0034002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-2788718703-1626973220-3690764900-1000</userId>
<addressFamily>FWP_AF_INET6</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>68893</filterId>
<layerId>50</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>68893</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>68879</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>

The first thing to check in the netEvent is the capabilities field. In this example it is empty, which indicates the UWP app was not configured with any capability token that would allow it to connect to the network.

Internal fields of the netEvent, Wfpdiag-Case-2.xml

<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>68893</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>68879</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>

The netEvent also shows the filter that explicitly dropped this packet: its filterId is listed under classifyDrop.

classifyDrop from the netEvent, Wfpdiag-Case-2.xml

<classifyDrop>
<filterId>68893</filterId>
<layerId>50</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>

If you search Wfpdiag-Case-2.xml for filter #68893, you will find that the "Block Outbound Default Rule" filter dropped the packet.

Block Outbound Default Rule filter #68893, Wfpdiag-Case-2.xml

<item>
    <filterKey>{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}</filterKey>
    <displayData>
    <name>Block Outbound Default Rule</name>
    <description>Block Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
    <providerData>
    <data>b001000000000000</data>
    <asString>........</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
    <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2300}</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="1">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>68893</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>68719476736</uint64>
    </effectiveWeight>
</item>

If a packet matches none of the conditions of the other filters, and no other filter in the same sublayer permits it, the packet reaches the default block filter.

Had the packet carried the correct capability token, FWP_CAPABILITIES_FLAG_INTERNET_CLIENT, it would have matched the conditions of a filter other than the default block and been permitted to reach bing.com. Without the correct capability token, the packet is explicitly dropped by the default Block Outbound filter.

Case 3: UWP app cannot reach an Internet destination address without the Internet client capability

In this example, the app is unable to connect to [2620:1ec:c11::200] bing.com.

The app in this scenario has only the private network capability (client and server). It is attempting to connect to an Internet resource (bing.com) while holding only the private network token, so the packet is dropped.

Classify Drop netEvent, Wfpdiag-Case-3.xml

<netEvent>
<header>
<timeStamp>2020-03-31T16:57:18.570Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V6</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV6.byteArray16>2001:4898:1a:1045:9c65:7805:dd4a:cc4b</localAddrV6.byteArray16>
<remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>64086</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0035002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-2788718703-1626973220-3690764900-1000</userId>
<addressFamily>FWP_AF_INET6</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>68893</filterId>
<layerId>50</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities numItems="1">
<item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
</capabilities>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>68893</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>68879</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>

Case 4: UWP app cannot reach an Intranet destination address without the private network capability

In this example, the UWP app is unable to reach the Intranet destination address 10.50.50.50 because it does not hold the private network capability.

Classify Drop netEvent, Wfpdiag-Case-4.xml

<netEvent>
<header>
    <timeStamp>2020-05-22T21:29:28.601Z</timeStamp>
    <flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>10.216.117.17</localAddrV4>
    <remoteAddrV4>10.50.50.50</remoteAddrV4>
    <localPort>52998</localPort>
    <remotePort>53</remotePort>
    <scopeId>0</scopeId>
    <appId>                
    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
    .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-21-2993214446-1947230185-131795049-1000</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
</header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop>
    <filterId>121180</filterId>
    <layerId>48</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>false</isLoopback>
    <vSwitchId/>
    <vSwitchSourcePort>0</vSwitchSourcePort>
    <vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities numItems="2">
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    </capabilities>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
    <item>
    <filterId>121180</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
    <actionType>FWP_ACTION_BLOCK</actionType>
    </item>
    <item>
    <filterId>121165</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    </terminatingFiltersInfo>
</internalFields>
</netEvent>

Case 5: UWP app cannot reach an "Intranet" destination address even with the private network capability

In this example, the UWP app is unable to reach the Intranet destination address 10.1.1.1, even though it holds the private network capability token.

Classify Drop netEvent, Wfpdiag-Case-5.xml

<netEvent>
    <header>
    <timeStamp>2020-05-22T20:54:53.499Z</timeStamp>
    <flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>10.216.117.17</localAddrV4>
    <remoteAddrV4>10.1.1.1</remoteAddrV4>
    <localPort>52956</localPort>
    <remotePort>53</remotePort>
    <scopeId>0</scopeId>
    <appId>    
    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
    .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-21-2993214446-1947230185-131795049-1000</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
</header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop>
    <filterId>121180</filterId>
    <layerId>48</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>false</isLoopback>
    <vSwitchId/>
    <vSwitchSourcePort>0</vSwitchSourcePort>
    <vSwitchDestinationPort>0</vSwitchDestinationPort>
    </classifyDrop>
    <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities numItems="1">
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
    </capabilities>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
    <item>
    <filterId>121180</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
    <actionType>FWP_ACTION_BLOCK</actionType>
    </item>
    <item>
    <filterId>121165</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    </terminatingFiltersInfo>
    </internalFields>
</netEvent>

The following is the filter that blocked the event:

Block Outbound Default Rule filter #121180, Wfpdiag-Case-5.xml

<item>
    <filterKey>{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}</filterKey>
    <displayData>
    <name>Block Outbound Default Rule</name>
    <description>Block Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>c029000000000000</data>
    <asString>.)......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="1">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>121180</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>274877906944</uint64>
    </effectiveWeight>
</item>

If the destination were inside the private range, a PrivateNetwork Outbound Default Rule filter would have permitted it.

The PrivateNetwork Outbound Default Rule filters below carry the conditions that match Intranet IP addresses. Since the intended Intranet destination 10.1.1.1 is not covered by any of them, the address is clearly not within the configured private range. Check the policy that configures the private ranges on the device (MDM, Group Policy, and so on) and make sure it includes the private destination address the app needs to reach.

PrivateNetwork Outbound Default Rule filters, Wfpdiag-Case-5.xml

<item>
    <filterKey>{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}</filterKey>
    <displayData>
    <name>PrivateNetwork Outbound Default Rule</name>
    <description>PrivateNetwork Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>f22d000000000000</data>
    <asString>.-......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1.1.1.1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>129656</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>144115600392724416</uint64>
    </effectiveWeight>
    </item>
    <item>
    <filterKey>{b11b4f8a-222e-49d6-8d69-02728681d8bc}</filterKey>
    <displayData>
    <name>PrivateNetwork Outbound Default Rule</name>
    <description>PrivateNetwork Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>f22d000000000000</data>
    <asString>.-......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_RANGE</matchType>
    <conditionValue>
    <type>FWP_RANGE_TYPE</type>
    <rangeValue>
    <valueLow>
    <type>FWP_UINT32</type>
    <uint32>172.16.0.0</uint32>
    </valueLow>
    <valueHigh>
    <type>FWP_UINT32</type>
    <uint32>172.31.255.255</uint32>
    </valueHigh>
    </rangeValue>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>129657</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>36029209335832512</uint64>
    </effectiveWeight>
</item>
<item>
    <filterKey>{21cd82bc-6077-4069-94bf-750e5a43ca23}</filterKey>
    <displayData>
    <name>PrivateNetwork Outbound Default Rule</name>
    <description>PrivateNetwork Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>f22d000000000000</data>
    <asString>.-......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_RANGE</matchType>
    <conditionValue>
    <type>FWP_RANGE_TYPE</type>
    <rangeValue>
    <valueLow>
    <type>FWP_UINT32</type>
    <uint32>192.168.0.0</uint32>
    </valueLow>
    <valueHigh>
    <type>FWP_UINT32</type>
    <uint32>192.168.255.255</uint32>
    </valueHigh>
    </rangeValue>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>129658</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>36029209335832512</uint64>
    </effectiveWeight>
</item>
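The check done by eye above for Case 5 (is the destination inside any PrivateNetwork Outbound Default Rule address condition, and does the app hold the capability SID named in the rule's ALE_USER_ID security descriptor?) can be scripted against the filter XML. The following is an added example, not code from the original page. The capability flag to SID table (S-1-15-3-1 internetClient, S-1-15-3-2 internetClientServer, S-1-15-3-3 privateNetworkClientServer) is the standard Windows mapping; treating ALE_USER_ID as satisfied whenever the app holds any capability SID listed in the descriptor is a simplification of the real access check and is marked as such in the code. The three embedded filters reproduce the address conditions of the Case 5 filters shown above; the packets are constructed.

```python
"""Evaluate a WFP filter's conditions against a packet, the by-hand check done
above for Case 5. Added example; the capability SID table is the standard
Windows mapping, the ALE_USER_ID test is a simplification (see lead-in), and
the packets below are constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET

CAPABILITY_SID = {  # netEvent capability flag -> capability SID used in filter security descriptors
    "FWP_CAPABILITIES_FLAG_INTERNET_CLIENT": "S-1-15-3-1",
    "FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER": "S-1-15-3-2",
    "FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK": "S-1-15-3-3",
}


def _scalar(node):
    """The value inside a <conditionValue>, <valueLow> or <valueHigh>."""
    for tag in ("uint32", "byteArray16", "sid", "sd"):
        v = node.find(tag)
        if v is not None:
            return v.text.strip()
    raise ValueError("unsupported condition value type")


def parse_filter(item):
    """(name, filterId, [(fieldKey, matchType, value)]) for one filter <item>."""
    conds = []
    for c in item.findall("filterCondition/item"):
        field, match = c.findtext("fieldKey").strip(), c.findtext("matchType").strip()
        cv = c.find("conditionValue")
        if match == "FWP_MATCH_RANGE":
            value = (_scalar(cv.find("rangeValue/valueLow")), _scalar(cv.find("rangeValue/valueHigh")))
        else:
            value = _scalar(cv)
        conds.append((field, match, value))
    return item.findtext("displayData/name").strip(), int(item.findtext("filterId")), conds


def condition_holds(field, match, value, packet):
    """True when one filter condition matches the packet (condition fields seen on this page only)."""
    if field == "FWPM_CONDITION_IP_REMOTE_ADDRESS":
        addr = ipaddress.ip_address(packet["remote"])
        if match == "FWP_MATCH_RANGE":
            lo, hi = ipaddress.ip_address(value[0]), ipaddress.ip_address(value[1])
            return lo.version == addr.version and lo <= addr <= hi
        return addr == ipaddress.ip_address(value)
    if field == "FWPM_CONDITION_ALE_PACKAGE_ID":
        # NOT_EQUAL S-1-0-0 means "any AppContainer": the packet must carry a package SID
        equal = packet["package_sid"] == value
        return equal if match == "FWP_MATCH_EQUAL" else not equal
    if field in ("FWPM_CONDITION_ORIGINAL_PROFILE_ID", "FWPM_CONDITION_CURRENT_PROFILE_ID"):
        return packet["profile"] == int(value)
    if field == "FWPM_CONDITION_ALE_USER_ID":
        # Simplification (assumption): satisfied if the app holds any capability SID the descriptor names.
        wanted = set(re.findall(r"S-1-15-3-\d+", value))
        return bool(wanted & {CAPABILITY_SID[c] for c in packet["capabilities"]})
    raise ValueError("unhandled condition " + field)


def matching_filters(filters_xml, packet):
    """(name, filterId) of every filter whose conditions the packet all satisfies."""
    hits = []
    for item in ET.fromstring(filters_xml).findall("item"):
        name, fid, conds = parse_filter(item)
        if all(condition_holds(f, m, v, packet) for f, m, v in conds):
            hits.append((name, fid))
    return hits


def _private_network_filter(fid, address_condition):
    """Constructed filter in the shape of the PrivateNetwork Outbound Default Rule items above."""
    return f"""<item><displayData><name>PrivateNetwork Outbound Default Rule</name></displayData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><filterCondition>
<item><fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey><matchType>FWP_MATCH_NOT_EQUAL</matchType>
<conditionValue><type>FWP_SID</type><sid>S-1-0-0</sid></conditionValue></item>
<item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>{address_condition}</item>
<item><fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue><type>FWP_UINT32</type><uint32>1</uint32></conditionValue></item>
<item><fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue><type>FWP_SECURITY_DESCRIPTOR_TYPE</type><sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd></conditionValue></item>
</filterCondition><action><type>FWP_ACTION_PERMIT</type></action><filterId>{fid}</filterId></item>"""


_RANGE = ("<matchType>FWP_MATCH_RANGE</matchType><conditionValue><type>FWP_RANGE_TYPE</type><rangeValue>"
          "<valueLow><type>FWP_UINT32</type><uint32>{}</uint32></valueLow>"
          "<valueHigh><type>FWP_UINT32</type><uint32>{}</uint32></valueHigh></rangeValue></conditionValue>")
_EQUAL = "<matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_UINT32</type><uint32>{}</uint32></conditionValue>"

# The address conditions of the three Case 5 filters (ids and ranges as shown on this page).
SAMPLE_FILTERS = ("<filters>" + _private_network_filter(129656, _EQUAL.format("1.1.1.1"))
                  + _private_network_filter(129657, _RANGE.format("172.16.0.0", "172.31.255.255"))
                  + _private_network_filter(129658, _RANGE.format("192.168.0.0", "192.168.255.255")) + "</filters>")

# Constructed packet with the Case 5 characteristics: private-network capability, destination 10.1.1.1.
CASE5_PACKET = {"remote": "10.1.1.1", "package_sid": "S-1-15-2-42", "profile": 1,
                "capabilities": ["FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK"]}

if __name__ == "__main__":
    for remote in ("10.1.1.1", "192.168.1.10"):
        print(remote, "->", matching_filters(SAMPLE_FILTERS, dict(CASE5_PACKET, remote=remote)) or "no permit filter")
```

Run against a real wfpdiag.xml, pass the <filters> element's text and a packet dict filled from the drop netEvent (remote address, packageSid, profile, capabilities); an empty result for a destination you expected to be private points at the private-range policy, while an empty result for an address that is inside a range points at the missing capability.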

Debugging past drops

If you are debugging network drops from the past or from a remote machine, you may already have traces collected from Feedback Hub, such as nettrace.etl and wfpstate.xml. After nettrace.etl is converted, nettrace.txt holds the netEvents of the repro and wfpstate.xml holds the filters that existed on the machine at that time.

If no live repro or trace has been collected, you can still collect a trace after the UWP network connectivity issue has occurred by running the following commands from an administrator command prompt:

<Run UWP app>
Netsh wfp show netevents
Netsh wfp show state

Netsh wfp show netevents creates netevents.xml, which contains past network events. Netsh wfp show state creates wfpstate.xml, which contains the filters currently present on the machine.

Unfortunately, collecting traces after the UWP network connectivity issue has occurred is not always reliable.

NetEvents on the device are stored in a buffer. Once that buffer reaches its maximum capacity, older network events are overwritten. Because of this, the collected netevents.xml may not contain the network event associated with the UWP connectivity issue; it may already have been overwritten. In addition, filters on the device may have been deleted and re-added with a different filterId because of other activity on the device. As a result, a filterId from netsh wfp show netevents will not necessarily match any filter in netsh wfp show state, because that filterId may be stale.

If the UWP network connectivity issue can be reproduced consistently, use the commands from Debugging live drops instead.

Even without a live repro, you can still follow the examples in the Debugging live drops section using the trace commands from this section. The difference is that in Debugging live drops the netEvents and filters are stored in one file, whereas in the Debugging past drops examples that follow they are in two separate files.
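One way to check a post-hoc capture for exactly the two problems described above, as an added example that is not code from the original page: it resolves every drop's filterId from netevents.xml against wfpstate.xml and marks ids that no longer exist as stale, and it compares the oldest event still in the buffer with the time the issue was reported to tell whether the buffer can still contain the drop at all. The netevents and wfpstate fragments, the filter key, and the incident time are constructed; the element names follow the traces on this page.

```python
"""Sanity-check a post-hoc capture (netsh wfp show netevents + netsh wfp show state)
for the two failure modes described above: drop filterIds that no longer exist in
wfpstate.xml, and an event buffer that no longer reaches back to the incident.
Added example; the sample fragments and the incident time are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DROP = "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP"


def parse_ts(text):
    """netEvent timeStamp, e.g. 2020-05-04T22:04:07.039Z, as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def drop_events(netevents_xml):
    """(timestamp, filterId, remote address) for every CLASSIFY_DROP <item> in netevents.xml."""
    out = []
    for item in ET.fromstring(netevents_xml).iter("item"):
        if item.findtext("type") != DROP:
            continue
        header = item.find("header")
        remote = next((c.text for c in header if c.tag.startswith("remoteAddr")), "")
        out.append((parse_ts(header.findtext("timeStamp")), int(item.findtext("classifyDrop/filterId")), remote))
    return out


def filters_by_id(wfpstate_xml):
    """filterId -> (name, layerKey) for every filter <item> in wfpstate.xml."""
    return {int(f.findtext("filterId")): (f.findtext("displayData/name"), f.findtext("layerKey"))
            for f in ET.fromstring(wfpstate_xml).iter("item") if f.find("filterKey") is not None}


def correlate(netevents_xml, wfpstate_xml, incident_time):
    """Rows of (time, remote, filterId, filter name or 'STALE'), plus whether the buffer
    still holds events from before the incident (if not, the drop may already be gone)."""
    events = drop_events(netevents_xml)
    filters = filters_by_id(wfpstate_xml)
    rows = [(ts, remote, fid, filters.get(fid, ("STALE", None))[0]) for ts, fid, remote in events]
    buffer_covers_incident = bool(events) and min(ts for ts, _, _ in events) <= incident_time
    return rows, buffer_covers_incident


# Constructed netevents.xml: a drop whose filter still exists, a drop whose filter id is gone, and an allow.
SAMPLE_NETEVENTS = """<netEvents>
<item><header><timeStamp>2020-05-04T22:04:07.039Z</timeStamp><remoteAddrV4>204.79.197.200</remoteAddrV4></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>206064</filterId><layerId>48</layerId></classifyDrop></item>
<item><header><timeStamp>2020-05-04T22:05:30.000Z</timeStamp><remoteAddrV4>10.1.1.1</remoteAddrV4></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>190001</filterId><layerId>48</layerId></classifyDrop></item>
<item><header><timeStamp>2020-05-04T22:05:31.000Z</timeStamp><remoteAddrV4>10.1.1.1</remoteAddrV4></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type><classifyAllow><filterId>206070</filterId></classifyAllow></item>
</netEvents>"""

# Constructed wfpstate.xml: only filter 206064 is still present (filterKey is made up).
SAMPLE_STATE = """<wfpstate><filters>
<item><filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
<displayData><name>Block Outbound Default Rule</name></displayData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><filterId>206064</filterId></item>
</filters></wfpstate>"""

if __name__ == "__main__":
    rows, covered = correlate(SAMPLE_NETEVENTS, SAMPLE_STATE, parse_ts("2020-05-04T22:00:00.000Z"))
    for ts, remote, fid, name in rows:
        print(ts.isoformat(), remote, fid, name)
    print("buffer reaches back to the incident:", covered)
```

A STALE row means the filter list you hold was taken after the filter was re-added under a new id, so the name has to be recovered from a fresh capture; a False coverage verdict means the earliest event left in the buffer is newer than the incident, and only a live repro with netsh wfp capture will show the drop.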

Case 7: Debugging past drops - UWP app cannot reach an Internet destination address and has no capabilities

In this example, the UWP app is unable to connect to bing.com.

Classify Drop netEvent, NetEvents-Case-7.xml

<item>
<header>
<timeStamp>2020-05-04T22:04:07.039Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV4>10.195.36.30</localAddrV4>
<remoteAddrV4>204.79.197.200</remoteAddrV4>
<localPort>57062</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310032002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-1578316205-4060061518-881547182-1000</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>206064</filterId>
<layerId>48</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>206064</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>206049</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</item>

The internalFields don't list any active capabilities, and the packet was dropped by filter 206064.

This filter is the default block rule filter, which means the packet passed through every filter that could have permitted it, but because the conditions of none of those filters matched, the packet fell through to the filter that blocks any packet whose security descriptor doesn't match.

Block Outbound Default Rule filter #206064, FilterState-Case-7.xml

<item>
<filterKey>{f138d1ad-9293-478f-8519-c3368e796711}</filterKey>
<displayData>
<name>Block Outbound Default Rule</name>
<description>Block Outbound Default Rule</description>
</displayData>
<flags/>
<providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
<providerData>
<data>2e65000000000000</data>
<asString>.e......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
<subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
<weight>
<type>FWP_EMPTY</type>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
<matchType>FWP_MATCH_NOT_EQUAL</matchType>
<conditionValue>
<type>FWP_SID</type>
<sid>S-1-0-0</sid>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>206064</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>274877906944</uint64>
</effectiveWeight>
</item>
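As an added example (not part of the original article), the following Python script applies the Debugging past drops procedure to a Case 7 style drop: it pulls the CLASSIFY_DROP events for a given target address or package SID out of netevents.xml, looks each filterId up in wfpstate.xml, and reports when the id is stale (no longer present in the state file). The two XML samples are constructed for this example and trimmed to the elements the script reads; filterId 999999 is a made-up stale id.

```python
import xml.etree.ElementTree as ET
# Constructed sample traces, cut down to the elements read below. The layout, filterId 206064 and
# the package SID follow the Case 7 dump; filterId 999999 is a made-up id missing from the state file.
NETEVENTS_XML = """<netEvents>
<item><header><remoteAddrV4>204.79.197.200</remoteAddrV4><remotePort>443</remotePort>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
</header><type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>206064</filterId>
</classifyDrop><internalFields><capabilities/></internalFields></item>
<item><header><remoteAddrV4>204.79.197.200</remoteAddrV4></header><type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type></item>
<item><header><remoteAddrV4>10.0.0.5</remoteAddrV4><remotePort>80</remotePort><packageSid>S-1-15-2-1</packageSid>
</header><type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>999999</filterId></classifyDrop>
<internalFields><capabilities numItems="1"><item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item></capabilities></internalFields></item></netEvents>"""
WFPSTATE_XML = """<wfpstate><item><displayData><name>Block Outbound Default Rule</name></displayData>
<filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
<matchType>FWP_MATCH_NOT_EQUAL</matchType></item></filterCondition>
<action><type>FWP_ACTION_BLOCK</type></action><filterId>206064</filterId></item></wfpstate>"""

def find_drops(netevents_xml, remote_addr=None, package_sid=None):
    """CLASSIFY_DROP events, optionally narrowed to one target IP or package SID."""
    drops = []
    for ev in ET.fromstring(netevents_xml).iter("item"):
        if ev.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
            continue  # skips allow events and the nested <item> lists inside an event
        hdr, caps = ev.find("header"), ev.find("internalFields/capabilities")
        addr = hdr.findtext("remoteAddrV4") or hdr.findtext("remoteAddrV6")
        sid = hdr.findtext("packageSid")
        if (remote_addr and addr != remote_addr) or (package_sid and sid != package_sid):
            continue
        drops.append({"remote": addr, "port": hdr.findtext("remotePort"), "package_sid": sid,
                      "filter_id": ev.findtext("classifyDrop/filterId"),
                      "capabilities": [c.text for c in caps.iter("item")] if caps is not None else []})
    return drops

def index_filters(wfpstate_xml):
    """filterId -> name, action and condition fields, from 'netsh wfp show state' output."""
    filters = {}
    for f in ET.fromstring(wfpstate_xml).iter("item"):
        if f.find("displayData") is not None and f.findtext("filterId"):
            filters[f.findtext("filterId")] = {
                "name": f.findtext("displayData/name"), "action": f.findtext("action/type"),
                "conditions": [c.findtext("fieldKey") for c in f.findall("filterCondition/item")]}
    return filters

def explain_drop(drop, filters):
    """Tie a drop to its filter; an id absent from the state file is stale (filter re-added)."""
    f = filters.get(drop["filter_id"])
    if f is None:
        return "filter %s not in wfpstate.xml (stale id): collect a live repro" % drop["filter_id"]
    return "%s:%s dropped by %s (%s on %s); capabilities: %s" % (drop["remote"], drop["port"],
        f["name"], f["action"], f["conditions"], ", ".join(drop["capabilities"]) or "none")
```

Point the two constants at the real netevents.xml and wfpstate.xml from the machine, then call find_drops with the target IP or package SID from the failing app.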

Case 8: Debugging past drops - UWP app connects to an Internet target address with all capabilities

In this example, the UWP app successfully connects to bing.com [204.79.197.200].

Classify Allow Net Event, NetEvents-Case-8.xml

<item>
    <header>
    <timeStamp>2020-05-04T18:49:55.101Z</timeStamp>
    <flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>10.195.36.30</localAddrV4>
    <remoteAddrV4>204.79.197.200</remoteAddrV4>
    <localPort>61673</localPort>
    <remotePort>443</remotePort>
    <scopeId>0</scopeId>
    <appId>
    <data>...</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-21-1578316205-4060061518-881547182-1000</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
    <classifyAllow>
    <filterId>208757</filterId>
    <layerId>48</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    </classifyAllow>
    <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities numItems="3">
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
    </capabilities>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
    <item>
    <filterId>208757</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    <item>
    <filterId>206049</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    </terminatingFiltersInfo>
    </internalFields>
</item>

All capabilities are enabled, and filter 208757 is the resulting filter that determined the packet flow.

The filter above, with action permit:

InternetClient Default Rule filter #208757, FilterState-Case-8.xml

<item>
    <filterKey>{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}</filterKey>
    <displayData>
        <name>InternetClient Default Rule</name>
        <description>InternetClient Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
        <data>e167000000000000</data>
        <asString>.g......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
        <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
        <item>
            <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
            <matchType>FWP_MATCH_NOT_EQUAL</matchType>
            <conditionValue>
                <type>FWP_SID</type>
                <sid>S-1-0-0</sid>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
            <matchType>FWP_MATCH_RANGE</matchType>
            <conditionValue>
                <type>FWP_RANGE_TYPE</type>
                <rangeValue>
                    <valueLow>
                        <type>FWP_UINT32</type>
                        <uint32>0.0.0.0</uint32>
                    </valueLow>
                    <valueHigh>
                        <type>FWP_UINT32</type>
                        <uint32>255.255.255.255</uint32>
                    </valueHigh>
                </rangeValue>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_UINT32</type>
                <uint32>1</uint32>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_UINT32</type>
                <uint32>1</uint32>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
                <sd>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
            </conditionValue>
        </item>
    </filterCondition>
    <action>
        <type>FWP_ACTION_PERMIT</type>
        <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>208757</filterId>
    <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>412316868544</uint64>
    </effectiveWeight>
</item>