Firewall Rule Properties Page: Programs and Services Tab
Updated: January 20, 2009
Applies To: Windows 7, Windows Server 2008 R2
Use this tab to specify the way in which Windows Firewall with Advanced Security matches criteria based on which program or service on the local computer is sending the packets to the peer computer. If this and all other criteria are matched, Windows Firewall with Advanced Security will take the action that you specify in Action on the General tab.
To get to this tab
- In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Programs and Services tab.
This section contains information about how network packets from a program will be matched.
All programs that meet the specified conditions
Use this option to match network packets being sent or received by any program.
Use this option to match network packets going to or from a specified program. If the program is not running, then no packets match the rule. You can select the program in one of two ways:
- Type the complete path to the program. You can include environment variables, where appropriate.
Do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When the firewall service evaluates these strings at runtime, it is not running in the context of that user, so the variable does not expand to the path you intended and the rule can produce unexpected results.
- Click Browse and find the program in the directory.
Click Settings to match packets from all programs and services on the computer (the default), from services only, or from a specified service.
More about program and service settings
To add a program to the rule, you must specify the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rule. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file.
Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without specifying the individual service that is to be allowed or blocked. Specifying only the service container as a program might compromise the security of the computer.
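The two pitfalls described above (a service container allowed as a bare program, and a program path built from a user-scoped environment variable) can be checked for across the existing rule set. The following audit script is an added example and is not part of the Microsoft documentation; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 or later), and the list of user-scoped variables beyond %USERPROFILE% is the author's own extension of the page's example.

```powershell
# Added example (not from the documentation page): read-only audit of enabled Allow rules.
# Assumes the NetSecurity module (Windows 8 / Server 2012+). On Windows 7 / 2008 R2 the same
# Program: and Service: fields appear in "netsh advfirewall firewall show rule name=all verbose".

# Service containers named in the page's caution: allowing the host process alone lets
# every service hosted inside it match the rule.
$containers = @('svchost.exe', 'dllhost.exe', 'inetinfo.exe')

# Variables that resolve only for a logged-on user. %USERPROFILE% is the page's example;
# the rest are assumed here to belong to the same class.
$userScoped = @('%USERPROFILE%', '%APPDATA%', '%LOCALAPPDATA%', '%TEMP%', '%TMP%', '%HOMEPATH%')

$findings = foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
    $app = $rule | Get-NetFirewallApplicationFilter
    $svc = $rule | Get-NetFirewallServiceFilter
    $program = $app.Program
    # "Any" means the rule is not a program rule at all; nothing to check.
    if (-not $program -or $program -eq 'Any') { continue }

    $exe = [System.IO.Path]::GetFileName($program)

    # Finding 1: a hosting process is allowed without pinning it to one service.
    if ($containers -contains $exe -and (-not $svc.Service -or $svc.Service -eq 'Any')) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Direction = $rule.Direction
            Program   = $program
            Issue     = 'Service container allowed without a specific service'
        }
    }

    # Finding 2: the path depends on a variable the firewall service cannot expand as intended,
    # because the service does not run in the logged-on user's context.
    foreach ($v in $userScoped) {
        if ($program -like "*$v*") {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Direction = $rule.Direction
                Program   = $program
                Issue     = "Path uses user-scoped variable $v"
            }
        }
    }
}

$findings | Sort-Object Rule, Issue | Format-Table -AutoSize
```

A rule flagged under the first finding can be narrowed with `Set-NetFirewallRule -Service <service short name>`, which scopes it to that one service inside the container, matching what the Settings dialog on this tab does.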
When you add a program to the rule, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to a rule is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.
You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses the Windows Sockets (Winsock) application programming interface (API) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.