Revisiting Fiddler and Win8+ Immersive applications

Back in September, I blogged about the configuration steps required to debug Windows 8 Immersive (“Metro-style”) apps using Fiddler. Since that post was originally written, I’ve made available a new version of Fiddler which runs natively on the .NETv4 Framework, enabling Windows 8 users to run Fiddler without installing older versions of the Framework.

As I mentioned in that post, Immersive applications (and IE11 on the Desktop) run inside isolated processes known as “AppContainers.” By default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. The post went on to explain how the CheckNetIsolation tool can be used to permit an AppContainer to send traffic to the local computer. However, using CheckNetIsolation is pretty cumbersome—it requires that you know the AppContainer’s name or security ID, and you must configure each AppContainer individually. To resolve those difficulties, I have built a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic. This tool requires Windows 8 and runs on the .NET Framework v4. When launched, the utility scans your computer’s AppContainers and displays them in a list view. Each entry has a checkbox to the left of it, indicating whether the AppContainer may send loopback traffic. You can toggle these checkboxes individually, or use the buttons at the top to set all of the checkboxes at once. Click Save Changes to commit the configuration changes you’ve made, or click Refresh to reload the current configuration settings.

In current versions of Fiddler, you can launch the configuration tool described below by clicking the Win8 Config button in Fiddler's toolbar.

If you are not running Fiddler, you can install a standalone version of the EnableLoopback Utility. To make changes to the exemption list, you must elevate to Administrator.

EnableLoopback Utility screenshot

Note: When you run Unit Tests in Visual Studio 2012, an ephemeral AppContainer is created for the duration of the unit test, and removed later. In order to ensure that this temporary container is shown in the EnableLoopback utility, you must click the Refresh button while the Unit Test is running. Learn more here



Update 6/14/2013: An open-source utility is now available which shows how to use the Firewall APIs mentioned below. Check it out at

PS: For the technically-inclined, this tool relies on calling the new Network Isolation APIs introduced with Windows 8. Their .NET declarations (as of the BUILD conference) are as follows:

 // Call this API to enumerate all of the AppContainers on the system 
 internal static extern uint NetworkIsolationEnumAppContainers(out uint pdwCntPublicACs, out IntPtr ppACs); 
 // Call this API to free the memory returned by the Enumeration API 
 internal static extern void NetworkIsolationFreeAppContainers(IntPtr pACs); 
 // Call this API to load the current list of Loopback-enabled AppContainers
 internal static extern uint NetworkIsolationGetAppContainerConfig(out uint pdwCntACs, out IntPtr appContainerSids); 
 // Call this API to set the Loopback-exemption list 
 internal static extern uint NetworkIsolationSetAppContainerConfig(uint pdwCntACs, SID_AND_ATTRIBUTES[] appContainerSids); 
 // Use this API to convert a string SID into an actual SID 
 [DllImport("advapi32.dll", SetLastError=true)]
 internal static extern bool ConvertStringSidToSid(string strSid, out IntPtr pSid); 
 // Use this API to convert a string reference (e.g. "@{blah.pri?ms-resource://whatever}") into a plain string 
 [DllImport("shlwapi.dll", CharSet=CharSet.Unicode, ExactSpelling=true)] 
 internal static extern int SHLoadIndirectString(string pszSource, StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);