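Troubleshooting UWP app connectivity issues

This document is intended to help network administrators, support engineers, and developers investigate UWP app network connectivity issues.

It uses practical examples to guide you through debugging Universal Windows Platform (UWP) app network connectivity issues.

Typical causes of connectivity issues

UWP app network connectivity issues are typically caused by:

  1. The UWP app isn't permitted to receive loopback traffic. This permission must be configured. By default, UWP apps aren't allowed to receive loopback traffic.
  2. The UWP app is missing the proper capability tokens.
  3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies.

To understand these causes more thoroughly, there are several concepts to review.

The Windows Filtering Platform (WFP) determines the traffic of network packets on Windows (what is permitted and what isn't). When a UWP app or the private range is configured incorrectly, it affects how WFP processes the UWP app's network traffic.

When WFP processes a packet, the characteristics of that packet must explicitly match all the conditions of a filter to be either permitted or dropped on the way to its target address. Connectivity issues typically happen when the packet doesn't match any of the filter conditions, which leads to the packet being dropped by a default block filter. The presence of the default block filters ensures network isolation for UWP apps. Specifically, it guarantees a network drop for a packet that doesn't have the correct capabilities for the resource it's trying to reach. Such a packet drop ensures the app's granular access to each resource type and prevents the app from escaping its environment.

For more information on the filter arbitration algorithm and network isolation, see Filter Arbitration and Isolation.

The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues.

Note

As debugging and diagnostics in the Windows Filtering Platform improve, the trace examples in this document may not exactly match traces collected on earlier versions of Windows.

Debugging UWP app loopback scenarios

If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback.

To enable loopback for client outbound connections, run the following command at a command prompt: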

CheckNetIsolation.exe LoopbackExempt -a -n=<AppContainer or Package Family>

To enable loopback for server inbound connections, run the following command at a command prompt:

CheckNetIsolation.exe LoopbackExempt -is -n=<AppContainer or Package Family>

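You can make sure loopback is enabled by checking the appx manifests of both the sender and the receiver.

For more information about loopback scenarios, see Communicating with localhost (loopback).

Note

If you're developing a UWA app and want to test its loopback, be sure to uninstall and reinstall the UWA app if the network capabilities change for any reason.

Also, see How to enable loopback and troubleshoot network isolation (Windows Runtime apps).

Debugging live drops

If the issue happened recently but you find you can't reproduce it, go to Debugging past drops for the appropriate trace commands.

If you can consistently reproduce the issue, you can run the following commands in an admin command prompt to gather a fresh trace: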

Netsh wfp capture start keywords=19
<Run UWP app>
Netsh wfp capture stop

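These commands generate wfpdiag.cab. Inside the .cab is a wfpdiag.xml, which contains any allow or drop netEvents and the filters that existed during that repro. Without "keywords=19", the trace only collects drop netEvents.

In wfpdiag.xml, search for netEvents that have FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for drop events with a matching destination IP address, package SID, or application ID name. The characters in the application ID name are separated by periods: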

(ex)

<asString>
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e...

</asString>

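The netEvent has more information about the packet that was dropped, including information about its capabilities, the filter that dropped the packet, and more.

Case 1: UWP app connects to an Internet target address with all capabilities

In this example, the UWP app successfully connects to bing.com [2620:1ec:c11::200].

A packet from a UWP app needs the correct network capability token for the resource it's trying to reach.

In this scenario, the app can successfully send a packet to the Internet target because it has an Internet capability token.

The following code shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet, including its local address, remote address, capabilities, and so on.

Classify Allow netEvent, Wfpdiag-Case-1.xml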

<netEvent>
    <header>
    <timeStamp>2020-05-21T17:25:59.070Z</timeStamp>
    <flags numItems="9">
        <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
        <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
        <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
        <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
        <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
        <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
        <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
        <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
        <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V6</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV6.byteArray16>2001:4898:30:3:256c:e5ba:12f3:beb1</localAddrV6.byteArray16>
    <remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>52127</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
    <data>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</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
       .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-2993214446-1947230185-131795049-1000</userId>
<addressFamily>FWP_AF_INET6</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
<classifyAllow>
    <filterId>125918</filterId>
    <layerId>50</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
</classifyAllow>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities numItems="3">
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
</capabilities>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
    <item>
        <filterId>125918</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    <item>
        <filterId>121167</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>

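According to the terminatingFiltersInfo in the netEvent, the following filter permitted the packet to be sent to the target address. This packet was allowed by Filter #125918, from the InternetClient Default Rule.

InternetClient Default Rule filter #125918, Wfpdiag-Case-1.xml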

<item>
    <filterKey>{3389708e-f7ae-4ebc-a61a-f659065ab24e}</filterKey>
    <displayData>
    <name>InternetClient Default Rule</name>
    <description>InternetClient Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>ad2b000000000000</data>
    <asString>.+......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
     <matchType>FWP_MATCH_RANGE</matchType>
      <conditionValue>
      <type>FWP_RANGE_TYPE</type>
      <rangeValue>
     <valueLow>
    <type>FWP_BYTE_ARRAY16_TYPE</type>
    <byteArray16>::</byteArray16>
    </valueLow>
    <valueHigh>
    <type>FWP_BYTE_ARRAY16_TYPE</type>
    <byteArray16>ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</byteArray16>
    </valueHigh>
    </rangeValue>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>125918</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>103079219136</uint64>
    </effectiveWeight>
</item>

Capabilities condition in filter #125918, Wfpdiag-Case-1.xml

<item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
</item>

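This condition enables the capability check in this filter.

The important part of this condition is S-1-15-3-1, which is the capability SID for INTERNET_CLIENT privileges.

Capabilities from the netEvent capabilities section, Wfpdiag-Case-1.xml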

<capabilities numItems="3">
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
</capabilities>

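These capabilities show that the packet came from an app with an Internet client token (FWP_CAPABILITIES_FLAG_INTERNET_CLIENT), which matches the capability SID in the filter. All the other conditions of the filter are also met, so the packet is allowed. Note that the only capability token required for the packet to reach bing.com was the Internet client token, even though this example shows the packet having all capabilities.

Case 2: UWP app can't reach an Internet target address and has no capabilities

In this example, the UWP app is unable to connect to bing.com [2620:1ec:c11::200].

The following example is the drop netEvent that was captured in the trace.

Classify Drop netEvent, Wfpdiag-Case-2.xml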

<netEvent>
<header>
<timeStamp>2020-03-30T23:53:09.720Z</timeStamp>
<flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V6</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV6.byteArray16>2001:4898:1a:1045:8469:3351:e6e2:543</localAddrV6.byteArray16>
<remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>63187</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0034002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-2788718703-1626973220-3690764900-1000</userId>
<addressFamily>FWP_AF_INET6</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>68893</filterId>
<layerId>50</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>68893</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>68879</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>

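The first thing you should check in the netEvent is the capabilities field. In this example, the capabilities field is empty, which indicates that the UWP app wasn't configured with any capability tokens that would allow it to connect to a network.

Internal fields from the netEvent, Wfpdiag-Case-2.xml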

<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>68893</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>68879</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>

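The netEvent also shows information about the filter that explicitly dropped this packet, such as the FilterId listed under classify drop.

Classify Drop from the netEvent, Wfpdiag-Case-2.xml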

<classifyDrop>
<filterId>68893</filterId>
<layerId>50</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>

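If you search for filter #68893 in Wfpdiag-Case-2.xml, you'll see that the packet was dropped by a Block Outbound Default Rule filter.

Block Outbound Default Rule filter #68893, Wfpdiag-Case-2.xml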

<item>
    <filterKey>{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}</filterKey>
    <displayData>
    <name>Block Outbound Default Rule</name>
    <description>Block Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
    <providerData>
    <data>b001000000000000</data>
    <asString>........</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
    <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2300}</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="1">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>68893</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>68719476736</uint64>
    </effectiveWeight>
</item>

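A packet reaches a default block filter if it couldn't match any of the conditions of the other filters and no other filter in the same sublayer allowed it.

If the packet had the correct capability token, FWP_CAPABILITIES_FLAG_INTERNET_CLIENT, it would have matched a condition of a non-default block filter and would have been permitted to reach bing.com. Without the correct capability tokens, the packet is explicitly dropped by a default block outbound filter.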
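The Case 2 triage steps (find the drop netEvent, read its capabilities, look up the filter that dropped it) can be scripted. The following Python is an added example, not part of the original document; the sample XML is constructed and reduced, and the function names, the <wfpdiag> root element, and the sample package SID and app path are assumptions.

```python
import xml.etree.ElementTree as ET

DROP = "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP"

# Constructed app path; the trace stores it in <appId><data> as UTF-16LE hex.
_APP_HEX = ("\\device\\harddiskvolume1\\program files\\windowsapps"
            "\\sample_1.0.0.0_x64\\uwpsocketclient.exe\x00").encode("utf-16-le").hex()

# Constructed, heavily reduced wfpdiag.xml modelled on Case 2: one allow event,
# one drop event, and the filter that dropped the packet. The <wfpdiag> root
# and the nesting are assumptions; the code below does not depend on them.
SAMPLE = """<wfpdiag>
<netEvents>
  <netEvent>
    <header>
      <remoteAddrV4>10.0.0.5</remoteAddrV4>
      <appId><data>@APPHEX@</data></appId>
      <packageSid>S-1-15-2-1111-2222-3333</packageSid>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
  </netEvent>
  <netEvent>
    <header>
      <remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
      <appId><data>@APPHEX@</data></appId>
      <packageSid>S-1-15-2-1111-2222-3333</packageSid>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop><filterId>68893</filterId></classifyDrop>
    <internalFields><capabilities/></internalFields>
  </netEvent>
</netEvents>
<filters>
  <item>
    <filterKey>{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}</filterKey>
    <displayData><name>Block Outbound Default Rule</name></displayData>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterId>68893</filterId>
  </item>
</filters>
</wfpdiag>""".replace("@APPHEX@", _APP_HEX)


def decode_app_id(hex_data):
    """Turn the <appId><data> hex (UTF-16LE, NUL-terminated) into a readable path."""
    return bytes.fromhex(hex_data.strip()).decode("utf-16-le").rstrip("\x00")


def remote_address(header):
    """Return remoteAddrV4 or remoteAddrV6.byteArray16, whichever is present."""
    for child in header:
        if child.tag.startswith("remoteAddr"):
            return child.text
    return None


def index_filters(root):
    """Map filterId -> filter <item>; filter items are the ones with a <filterKey>."""
    return {item.findtext("filterId"): item
            for item in root.iter("item") if item.find("filterKey") is not None}


def triage_drops(xml_text, remote=None, package_sid=None, app_contains=None):
    """List drop netEvents, optionally narrowed by address, package SID or app name."""
    root = ET.fromstring(xml_text)
    filters = index_filters(root)
    findings = []
    for event in root.iter("netEvent"):
        if event.findtext("type") != DROP:
            continue
        header = event.find("header")
        app = decode_app_id(header.findtext("appId/data", default=""))
        addr = remote_address(header)
        sid = header.findtext("packageSid")
        if remote and addr != remote:
            continue
        if package_sid and sid != package_sid:
            continue
        if app_contains and app_contains.lower() not in app.lower():
            continue
        filter_id = event.findtext("classifyDrop/filterId")
        flt = filters.get(filter_id)
        findings.append({
            "remote": addr,
            "app": app,
            "package_sid": sid,
            # An empty list is the Case 2 signature: no capability tokens at all.
            "capabilities": [i.text for i in
                             event.findall("internalFields/capabilities/item")],
            "filter_id": filter_id,
            # None means the filter is not present in this file.
            "filter_name": flt.findtext("displayData/name") if flt is not None else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_drops(SAMPLE, app_contains="uwpsocketclient"):
        print(finding)
```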

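Case 3: UWP app can't reach an Internet target address without the Internet Client capability

In this example, the app is unable to connect to bing.com [2620:1ec:c11::200].

The app in this scenario only has private network capabilities (Client and Server). The app tries to connect to an Internet resource (bing.com), but only has a private network token. Therefore, the packet is dropped.

Classify Drop netEvent, Wfpdiag-Case-3.xml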

<netEvent>
<header>
<timeStamp>2020-03-31T16:57:18.570Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V6</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV6.byteArray16>2001:4898:1a:1045:9c65:7805:dd4a:cc4b</localAddrV6.byteArray16>
<remoteAddrV6.byteArray16>2620:1ec:c11::200</remoteAddrV6.byteArray16>
<localPort>64086</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
<data>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</data>
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-2788718703-1626973220-3690764900-1000</userId>
<addressFamily>FWP_AF_INET6</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>68893</filterId>
<layerId>50</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities numItems="1">
<item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
</capabilities>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>68893</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>68879</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>

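Case 4: UWP app can't reach an Intranet target address without the Private Network capability

In this example, the UWP app is unable to reach the Intranet target address 10.50.50.50 because it doesn't have the Private Network capability.

Classify Drop netEvent, Wfpdiag-Case-4.xml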

<netEvent>
<header>
    <timeStamp>2020-05-22T21:29:28.601Z</timeStamp>
    <flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>10.216.117.17</localAddrV4>
    <remoteAddrV4>10.50.50.50</remoteAddrV4>
    <localPort>52998</localPort>
    <remotePort>53</remotePort>
    <scopeId>0</scopeId>
    <appId>
    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
    .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-21-2993214446-1947230185-131795049-1000</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
</header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop>
    <filterId>121180</filterId>
    <layerId>48</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>false</isLoopback>
    <vSwitchId/>
    <vSwitchSourcePort>0</vSwitchSourcePort>
    <vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities numItems="2">
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    </capabilities>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
    <item>
    <filterId>121180</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
    <actionType>FWP_ACTION_BLOCK</actionType>
    </item>
    <item>
    <filterId>121165</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    </terminatingFiltersInfo>
</internalFields>
</netEvent>

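Case 5: UWP app can't reach an "Intranet" target address with the Private Network capability

In this example, the UWP app is unable to reach the Intranet target address 10.1.1.1, even though it has a Private Network capability token.

Classify Drop netEvent, Wfpdiag-Case-5.xml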

<netEvent>
    <header>
    <timeStamp>2020-05-22T20:54:53.499Z</timeStamp>
    <flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>10.216.117.17</localAddrV4>
    <remoteAddrV4>10.1.1.1</remoteAddrV4>
    <localPort>52956</localPort>
    <remotePort>53</remotePort>
    <scopeId>0</scopeId>
    <appId>
    <data>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</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
    .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-21-2993214446-1947230185-131795049-1000</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
</header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
    <classifyDrop>
    <filterId>121180</filterId>
    <layerId>48</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>false</isLoopback>
    <vSwitchId/>
    <vSwitchSourcePort>0</vSwitchSourcePort>
    <vSwitchDestinationPort>0</vSwitchDestinationPort>
    </classifyDrop>
    <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities numItems="1">
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
    </capabilities>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
    <item>
    <filterId>121180</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
    <actionType>FWP_ACTION_BLOCK</actionType>
    </item>
    <item>
    <filterId>121165</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    </terminatingFiltersInfo>
    </internalFields>
</netEvent>

The following shows the filter that blocked the event:

Block Outbound Default Rule filter #121180, Wfpdiag-Case-5.xml

<item>
    <filterKey>{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}</filterKey>
    <displayData>
    <name>Block Outbound Default Rule</name>
    <description>Block Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>c029000000000000</data>
    <asString>.)......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="1">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>121180</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>274877906944</uint64>
    </effectiveWeight>
</item>

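If the target were in the private range, it should have been allowed by a PrivateNetwork Outbound Default Rule filter.

The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, 10.1.1.1, isn't included in these filters, it becomes clear that the address isn't in the private range. Check the policies that configure the private range on the device (MDM, Group Policy, and so on) and make sure they include the private target address you want to reach.

PrivateNetwork Outbound Default Rule filters, Wfpdiag-Case-5.xml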

<item>
    <filterKey>{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}</filterKey>
    <displayData>
    <name>PrivateNetwork Outbound Default Rule</name>
    <description>PrivateNetwork Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>f22d000000000000</data>
    <asString>.-......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1.1.1.1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>129656</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>144115600392724416</uint64>
    </effectiveWeight>
    </item>
    <item>
    <filterKey>{b11b4f8a-222e-49d6-8d69-02728681d8bc}</filterKey>
    <displayData>
    <name>PrivateNetwork Outbound Default Rule</name>
    <description>PrivateNetwork Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>f22d000000000000</data>
    <asString>.-......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_RANGE</matchType>
    <conditionValue>
    <type>FWP_RANGE_TYPE</type>
    <rangeValue>
    <valueLow>
    <type>FWP_UINT32</type>
    <uint32>172.16.0.0</uint32>
    </valueLow>
    <valueHigh>
    <type>FWP_UINT32</type>
    <uint32>172.31.255.255</uint32>
    </valueHigh>
    </rangeValue>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>129657</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>36029209335832512</uint64>
    </effectiveWeight>
</item>
<item>
    <filterKey>{21cd82bc-6077-4069-94bf-750e5a43ca23}</filterKey>
    <displayData>
    <name>PrivateNetwork Outbound Default Rule</name>
    <description>PrivateNetwork Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
    <providerData>
    <data>f22d000000000000</data>
    <asString>.-......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
    <weight>
    <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
    <item>
    <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
    <matchType>FWP_MATCH_NOT_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SID</type>
    <sid>S-1-0-0</sid>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_RANGE</matchType>
    <conditionValue>
    <type>FWP_RANGE_TYPE</type>
    <rangeValue>
    <valueLow>
    <type>FWP_UINT32</type>
    <uint32>192.168.0.0</uint32>
    </valueLow>
    <valueHigh>
    <type>FWP_UINT32</type>
    <uint32>192.168.255.255</uint32>
    </valueHigh>
    </rangeValue>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_UINT32</type>
    <uint32>1</uint32>
    </conditionValue>
    </item>
    <item>
    <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue>
    <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
    <sd>O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
    </conditionValue>
    </item>
    </filterCondition>
    <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>129658</filterId>
    <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>36029209335832512</uint64>
    </effectiveWeight>
</item>
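
The Case 5 check, whether a destination falls inside any PrivateNetwork Outbound Default Rule filter, can be automated as follows. This Python is an added example, not part of the original document; the reduced XML is constructed from the three filters above, and the function names and the <filters> root are assumptions. It also accepts IPv6 byteArray16 values, which goes beyond the IPv4 filters shown.

```python
import ipaddress
import xml.etree.ElementTree as ET

REMOTE = "FWPM_CONDITION_IP_REMOTE_ADDRESS"


def _filter(filter_id, condition):
    """Build one reduced filter <item> that keeps only its remote-address condition."""
    return f"""<item>
  <displayData><name>PrivateNetwork Outbound Default Rule</name></displayData>
  <filterCondition numItems="1"><item>
    <fieldKey>{REMOTE}</fieldKey>{condition}
  </item></filterCondition>
  <action><type>FWP_ACTION_PERMIT</type></action>
  <filterId>{filter_id}</filterId>
</item>"""


def _range(low, high):
    """Build a constructed FWP_MATCH_RANGE condition body."""
    return f"""<matchType>FWP_MATCH_RANGE</matchType>
    <conditionValue><type>FWP_RANGE_TYPE</type><rangeValue>
      <valueLow><type>FWP_UINT32</type><uint32>{low}</uint32></valueLow>
      <valueHigh><type>FWP_UINT32</type><uint32>{high}</uint32></valueHigh>
    </rangeValue></conditionValue>"""


# Constructed sample: the address conditions of filters 129656-129658 from Case 5.
SAMPLE_FILTERS = "<filters>" + "".join([
    _filter("129656", "<matchType>FWP_MATCH_EQUAL</matchType><conditionValue>"
                      "<type>FWP_UINT32</type><uint32>1.1.1.1</uint32></conditionValue>"),
    _filter("129657", _range("172.16.0.0", "172.31.255.255")),
    _filter("129658", _range("192.168.0.0", "192.168.255.255")),
]) + "</filters>"


def _addr(node):
    """Read an address from a value node (<uint32> for IPv4, <byteArray16> for IPv6)."""
    return ipaddress.ip_address(node.findtext("uint32") or node.findtext("byteArray16"))


def _matches(condition, dest):
    """Evaluate one remote-address condition against the destination."""
    match_type = condition.findtext("matchType")
    value = condition.find("conditionValue")
    if match_type == "FWP_MATCH_EQUAL":
        return _addr(value) == dest
    if match_type == "FWP_MATCH_RANGE":
        low = _addr(value.find("rangeValue/valueLow"))
        high = _addr(value.find("rangeValue/valueHigh"))
        # Addresses of different IP versions cannot be ordered, so check first.
        return low.version == dest.version and low <= dest <= high
    return False


def private_range_filters(xml_text, dest,
                          rule_name="PrivateNetwork Outbound Default Rule"):
    """Return (ids of filters covering dest, ids of all private-range filters)."""
    dest = ipaddress.ip_address(dest)
    covering, seen = [], []
    for flt in ET.fromstring(xml_text).iter("item"):
        if flt.findtext("displayData/name") != rule_name:
            continue
        if flt.findtext("action/type") != "FWP_ACTION_PERMIT":
            continue
        conditions = [c for c in flt.findall("filterCondition/item")
                      if c.findtext("fieldKey") == REMOTE]
        if not conditions:
            continue
        seen.append(flt.findtext("filterId"))
        if any(_matches(c, dest) for c in conditions):
            covering.append(flt.findtext("filterId"))
    return covering, seen


if __name__ == "__main__":
    covering, seen = private_range_filters(SAMPLE_FILTERS, "10.1.1.1")
    # No covering filter means the address is outside the configured private
    # range, which is the Case 5 finding: review the MDM/Group Policy range.
    print("covering filters:", covering, "of", seen)
```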

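Debugging past drops

If you're debugging a network drop from the past or from a remote machine, you may already have traces collected from Feedback Hub, such as nettrace.etl and wfpstate.xml. Once nettrace.etl is converted, nettrace.txt contains the netEvents of the reproduced event, and wfpstate.xml contains the filters that were present on the machine at the time.

If you don't have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running the following commands in an admin command prompt: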

    <Run UWP app>
    Netsh wfp show netevents
    Netsh wfp show state

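Netsh wfp show netevents creates netevents.xml, which contains the past net events. Netsh wfp show state creates wfpstate.xml, which contains the filters currently present on the machine.

Unfortunately, collecting traces after the UWP network connectivity issue isn't always reliable.

NetEvents on the device are stored in a buffer. Once that buffer reaches maximum capacity, it overwrites older net events. Because of the buffer overwrite, the collected netevents.xml might not contain the net event associated with the UWP network connectivity issue; it could have been overwritten. Additionally, filters on the device can get deleted and re-added with different filterIds because of other events on the device. As a result, a filterId from netsh wfp show netevents may not match any filter in netsh wfp show state, because that filterId may be outdated.

If you can reproduce the UWP network connectivity issue consistently, we recommend using the commands from Debugging live drops instead.

Additionally, you can still follow the examples from the Debugging live drops section using the trace commands in this section, even if you don't have a live repro. The netEvents and filters are stored in one file in Debugging live drops, as opposed to two separate files in the following Debugging past drops examples.

Case 7: Debugging past drop - UWP app can't reach an Internet target address and has no capabilities

In this example, the UWP app is unable to connect to bing.com.

Classify Drop Net Event, NetEvents-Case-7.xml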

<item>
<header>
<timeStamp>2020-05-04T22:04:07.039Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV4>10.195.36.30</localAddrV4>
<remoteAddrV4>204.79.197.200</remoteAddrV4>
<localPort>57062</localPort>
<remotePort>443</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310032002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000</data>
<asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
</appId>
<userId>S-1-5-21-1578316205-4060061518-881547182-1000</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>206064</filterId>
<layerId>48</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>206064</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>206049</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</item>

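The Internal Fields list no active capabilities, and the packet is dropped at filter 206064.

This filter is the default block rule filter, meaning the packet passed through every filter that could have allowed it, but because its conditions didn't match any of those filters, the packet fell to the filter that blocks any packet that the security descriptor doesn't match.

Block Outbound Default Rule Filter #206064, FilterState-Case-7.xml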

<item>
<filterKey>{f138d1ad-9293-478f-8519-c3368e796711}</filterKey>
<displayData>
<name>Block Outbound Default Rule</name>
<description>Block Outbound Default Rule</description>
</displayData>
<flags/>
<providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
<providerData>
<data>2e65000000000000</data>
<asString>.e......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
<subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
<weight>
<type>FWP_EMPTY</type>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
<matchType>FWP_MATCH_NOT_EQUAL</matchType>
<conditionValue>
<type>FWP_SID</type>
<sid>S-1-0-0</sid>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>206064</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>274877906944</uint64>
</effectiveWeight>
</item>
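
The two-file correlation walked through in Case 7, as an added example that is not part of the original documentation: it matches each CLASSIFY_DROP event in netevents.xml to its filter in wfpstate.xml and marks filterIds that no longer exist in the state file. The sample XML is constructed from the Case 7 values, and the wrapper elements `<netEvents>` and `<wfpstate>` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the Case 7 values above. The wrapper
# elements <netEvents> and <wfpstate> are assumptions; the code relies only
# on the <item> shapes shown on this page.
NETEVENTS = """<netEvents>
<item>
 <header><timeStamp>2020-05-04T22:04:07.039Z</timeStamp><remoteAddrV4>204.79.197.200</remoteAddrV4></header>
 <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
 <classifyDrop><filterId>206064</filterId></classifyDrop><internalFields><capabilities/></internalFields>
</item>
<item>
 <header><timeStamp>2020-05-04T22:05:00.000Z</timeStamp><remoteAddrV4>204.79.197.200</remoteAddrV4></header>
 <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
 <classifyDrop><filterId>999999</filterId></classifyDrop><internalFields><capabilities/></internalFields>
</item>
</netEvents>"""

STATE = """<wfpstate><item>
 <filterKey>{f138d1ad-9293-478f-8519-c3368e796711}</filterKey>
 <displayData><name>Block Outbound Default Rule</name></displayData>
 <action><type>FWP_ACTION_BLOCK</type></action>
 <filterId>206064</filterId>
</item></wfpstate>"""

def load_filters(state_xml):
    """Index every filter <item> (one with a filterKey child) by filterId."""
    root = ET.fromstring(state_xml)
    return {f.findtext("filterId"): f for f in root.iter("item")
            if f.find("filterKey") is not None}

def explain_drops(events_xml, state_xml):
    """Summarize each drop event and the filter that dropped it, if still present."""
    filters = load_filters(state_xml)
    report = []
    for ev in ET.fromstring(events_xml).iter("item"):
        if ev.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
            continue
        fid = ev.findtext("classifyDrop/filterId")
        flt = filters.get(fid)
        report.append({
            "time": ev.findtext("header/timeStamp"),
            "remote": ev.findtext("header/remoteAddrV4"),
            "capabilities": [c.text for c in ev.findall("internalFields/capabilities/item")],
            "filterId": fid,
            # None means the filterId is stale: the filter was deleted or re-added.
            "filter": flt.findtext("displayData/name") if flt is not None else None,
            "action": flt.findtext("action/type") if flt is not None else None,
        })
    return report
```

An empty `capabilities` list together with the Block Outbound Default Rule is the Case 7 signature; a `None` filter means the event cannot be explained from this state file and a live capture is needed.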

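Case 8: Debugging past drops - UWP app connects to Internet target address with all capabilities

In this example, the UWP app successfully connects to bing.com [204.79.197.200].

Classify Allow Net Event, NetEvents-Case-8.xml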

<item>
    <header>
    <timeStamp>2020-05-04T18:49:55.101Z</timeStamp>
    <flags numItems="9">
    <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
    <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
    <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
    <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
    <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>6</ipProtocol>
    <localAddrV4>10.195.36.30</localAddrV4>
    <remoteAddrV4>204.79.197.200</remoteAddrV4>
    <localPort>61673</localPort>
    <remotePort>443</remotePort>
    <scopeId>0</scopeId>
    <appId>
    <data>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</data>
    <asString>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
    .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-21-1578316205-4060061518-881547182-1000</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
    </header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
    <classifyAllow>
    <filterId>208757</filterId>
    <layerId>48</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    </classifyAllow>
    <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities numItems="3">
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
    <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER</item>
    <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
    </capabilities>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
    <item>
    <filterId>208757</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    <item>
    <filterId>206049</filterId>
    <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
    <actionType>FWP_ACTION_PERMIT</actionType>
    </item>
    </terminatingFiltersInfo>
    </internalFields>
</item>

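All capabilities are enabled, and the resulting filter that determines the flow of the packet is 208757.

The filter stated above with action permit:

InternetClient Default Rule Filter #208757, FilterState-Case-8.xml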

<item>
    <filterKey>{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}</filterKey>
    <displayData>
    <name>InternetClient Default Rule</name>
        <description>InternetClient Default Rule</description>
                    </displayData>
                    <flags/>
                    <providerKey>FWPM_PROVIDER_MPSSVC_WSH</providerKey>
                    <providerData>
                        <data>e167000000000000</data>
                        <asString>.g......</asString>
                    </providerData>
                    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
                    <subLayerKey>FWPM_SUBLAYER_MPSSVC_WSH</subLayerKey>
                    <weight>
                        <type>FWP_EMPTY</type>
                    </weight>
                    <filterCondition numItems="5">
                        <item>
                            <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
                            <matchType>FWP_MATCH_NOT_EQUAL</matchType>
                            <conditionValue>
                                <type>FWP_SID</type>
                                <sid>S-1-0-0</sid>
                            </conditionValue>
                        </item>
                        <item>
                            <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
                            <matchType>FWP_MATCH_RANGE</matchType>
                            <conditionValue>
                                <type>FWP_RANGE_TYPE</type>
                                <rangeValue>
                                    <valueLow>
                                        <type>FWP_UINT32</type>
                                        <uint32>0.0.0.0</uint32>
                                    </valueLow>
                                    <valueHigh>
                                        <type>FWP_UINT32</type>
                                        <uint32>255.255.255.255</uint32>
                                    </valueHigh>
                                </rangeValue>
                            </conditionValue>
                        </item>
                        <item>
                            <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
                            <matchType>FWP_MATCH_EQUAL</matchType>
                            <conditionValue>
                                <type>FWP_UINT32</type>
                                <uint32>1</uint32>
                            </conditionValue>
                        </item>
                        <item>
                            <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
                            <matchType>FWP_MATCH_EQUAL</matchType>
                            <conditionValue>
                                <type>FWP_UINT32</type>
                                <uint32>1</uint32>
                            </conditionValue>
                        </item>
                        <item>
                            <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
                            <matchType>FWP_MATCH_EQUAL</matchType>
                            <conditionValue>
                                <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
                                <sd>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
                            </conditionValue>
                        </item>
                    </filterCondition>
                    <action>
                        <type>FWP_ACTION_PERMIT</type>
                        <filterType/>
                    </action>
                    <rawContext>0</rawContext>
                    <reserved/>
                    <filterId>208757</filterId>
                    <effectiveWeight>
                        <type>FWP_UINT64</type>
                        <uint64>412316868544</uint64>
                    </effectiveWeight>
                </item>