Filtering by service name

Question

I would like to make WFP filter with Win32 Service name as condition. This seems to work fine for some services e.g. Windows Update. However, if I create filter that sould block 'Print Spooler' service traffic, printing to network printer still succeeds. Results are same for the filter created programmatically or through Windows Firewall UI. For the printing case, using application path (%SystemRoot%\system32\spoolsv.exe) as filter condition works. But in same use cases using service name would be more convenient.

Below is my filter. Any idea what I am doing wrong?

<item>
  <filterKey>{55fd92b4-d442-4d91-9a04-0359c8ae8c30}</filterKey>
  <displayData>
    <name>block spooler</name>
    <description/>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData>
    <data>7135000000000000</data>
    <asString>q5......</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>10</uint8>
  </weight>
  <filterCondition numItems="1">
    <item>
      <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
        <sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994)</sd>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>608548</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>11529215114787946496</uint64>
  </effectiveWeight>
</item>

-- Antti

Answer

You need to use sc.exe qsidtype <serviceName>.  If the SERVICE_SID_TYPE is NONE, then the sid will not be present in the service's process token.

This is from Win8:

   C:\>sc qsidtype spooler
   [SC] QueryServiceConfig2 SUCCESS

   SERVICE_NAME: spooler
   SERVICE_SID_TYPE:  UNRESTRICTED

This is from Win7:

   C:\>sc qsidtype spooler
   [SC] QueryServiceConfig2 SUCCESS

   SERVICE_NAME: spooler
   SERVICE_SID_TYPE:  UNRESTRICTED

Which OS are you using?
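The check the answer describes, as an added example of my own (not code from the thread or from the WFP API): it derives the NT SERVICE SID that an FWPM_CONDITION_ALE_USER_ID filter must carry from the service name, and it parses the `sc qsidtype` output quoted above to flag the SERVICE_SID_TYPE NONE case in which that SID is never in the process token. It assumes the documented derivation of service SIDs (SHA-1 over the upper-cased UTF-16LE service name, read as five little-endian DWORDs); the function names and the sample strings are mine.

```python
import hashlib
import re
import struct


def service_sid(service_name: str) -> str:
    """Return the 'NT SERVICE\\<name>' SID (S-1-5-80-...) for a service name.

    Windows derives it from SHA-1 over the upper-cased service name encoded
    as UTF-16LE; the 20-byte digest is read as five little-endian DWORDs.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))


def parse_sid_type(sc_output: str) -> str:
    """Extract SERVICE_SID_TYPE (NONE, UNRESTRICTED or RESTRICTED) from sc qsidtype output."""
    match = re.search(r"SERVICE_SID_TYPE:\s*(\w+)", sc_output)
    if match is None:
        raise ValueError("no SERVICE_SID_TYPE line in sc output")
    return match.group(1).upper()


def sid_from_sddl(sddl: str) -> str:
    """Pull the service SID out of a filter's SDDL, e.g. O:SYG:SYD:(A;;CCRC;;;S-1-5-80-...)."""
    match = re.search(r"S-1-5-80(?:-\d+){5}", sddl)
    if match is None:
        raise ValueError("no S-1-5-80 service SID in SDDL")
    return match.group(0)


def check_service_filter(service_name: str, sc_output: str, filter_sddl: str) -> list:
    """Return the reasons an ALE_USER_ID filter on this service SID would not match."""
    problems = []
    if parse_sid_type(sc_output) == "NONE":
        problems.append("SERVICE_SID_TYPE is NONE: the service SID is absent from the "
                        "process token, so filter on the application path instead")
    expected = service_sid(service_name)
    actual = sid_from_sddl(filter_sddl)
    if actual != expected:
        problems.append(f"filter SID {actual} is not the SID of service "
                        f"'{service_name}' ({expected})")
    return problems


# Constructed sample input: the sc qsidtype output quoted in the answer and the
# SDDL from the question's filter.
SC_OUTPUT_SPOOLER = "[SC] QueryServiceConfig2 SUCCESS\n\nSERVICE_NAME: spooler\nSERVICE_SID_TYPE:  UNRESTRICTED\n"
FILTER_SDDL = "O:SYG:SYD:(A;;CCRC;;;S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994)"

if __name__ == "__main__":
    for line in check_service_filter("spooler", SC_OUTPUT_SPOOLER, FILTER_SDDL) or ["no problems found"]:
        print(line)
```

On a live system, replace SC_OUTPUT_SPOOLER with the real `sc qsidtype <service>` output and FILTER_SDDL with the `<sd>` value from `netsh wfp show filters`.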
