

Windows Firewall - Predefined rules - Program "System"

Question

Friday, June 21, 2019 9:21 AM

Hello,

I understand that you can create a rule based on an application. I am trying to understand predefined rules. There are many rules which have "System" defined as the program. My question is: what exactly is "System"? It is pretty clear when a predefined rule has some .exe defined, for example. Can anyone explain?

Regards,

Dragan

All replies (4)

Monday, June 24, 2019 9:05 AM ✅ Answered | 1 vote

Hello DragmanD,

"System" is the process called "System", typically with a process id of "4".

The "programs" that "implement" the functionality described by such a rule are typically (pseudo-) device drivers using the Winsock Kernel (WSK) interface. The WskSocket routine includes a parameter that allows the "owning process" to be specified.

I put "implement" in quotation marks because the full implementation of the functionality is often distributed across kernel and user mode components, as is the case with the rule that you showed (SMB-In), but the socket is owned/used by the kernel mode component.

Gary
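To see this on a live machine, the following added PowerShell example (not part of the original thread) lists the enabled firewall rules whose Program is the literal "System" and cross-references them with the TCP ports on which process id 4 is actually listening, so you can tell which rules expose a kernel-owned socket such as SMB. It assumes an elevated session with the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original thread. Correlates firewall rules whose
# Program is "System" (kernel-mode WSK sockets owned by PID 4, as described above)
# with the TCP ports the System process is currently listening on.
# Run in an elevated PowerShell session (NetSecurity module required).

# 1. Firewall rules whose application filter is "System". They are kept as rule
#    objects so they can still be piped into the filter cmdlets below.
$systemRules = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -eq 'System' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' }

# 2. TCP listeners owned by process id 4, i.e. the "System" process
#    (SMB on 445 is the usual one).
$systemListeners = Get-NetTCPConnection -State Listen -OwningProcess 4 |
    Sort-Object LocalPort -Unique

# 3. For every such port, report the inbound "System" rules whose port filter
#    covers it. A port with no matching rule is not reachable through the
#    firewall; a port opened by a rule you do not recognise deserves a look.
foreach ($listener in $systemListeners) {
    $port = [string]$listener.LocalPort
    $ruleNames = foreach ($rule in $systemRules) {
        if ($rule.Direction -ne 'Inbound') { continue }
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP' -and $pf.Protocol -ne 'Any') { continue }
        # LocalPort is a string array such as "445", "Any" or a range "49152-65535".
        $covers = $pf.LocalPort | Where-Object {
            $_ -eq 'Any' -or $_ -eq $port -or
            ($_ -match '^(\d+)-(\d+)$' -and
             [int]$port -ge [int]$Matches[1] -and
             [int]$port -le [int]$Matches[2])
        }
        if ($covers) { $rule.DisplayName }
    }
    [pscustomobject]@{
        LocalPort          = $listener.LocalPort
        OwningProcess      = $listener.OwningProcess   # always 4 here
        InboundSystemRules = if ($ruleNames) { $ruleNames -join '; ' } else { '(none)' }
    }
}
```

On a default Windows Server install you should see port 445 matched by the "File and Printer Sharing (SMB-In)" rule, which is exactly the SMB-In case the answer refers to.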


Monday, June 24, 2019 2:21 AM

Hi Dragan,

The following content is the only information I can find about the Programs and Services tab in the rule properties; please check it.

Firewall Rule Properties Page: Programs and Services Tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Programs and Services tab.

All programs that meet the specified conditions:

Use this option to match network packets being sent or received by any program.

This program:

Use this option to match network packets going to or from a specified program. If the program is not running, then no packets match the rule. You can select the program in one of two ways:

Type the complete path to the program. You can include environment variables, where appropriate.

Do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results.

Click Browse and find the program in the directory.

Regards

Please remember to mark the replies as answers if they help.


Monday, June 24, 2019 5:53 AM

Hi,

Thanks for the answer, but it does not help to determine what exactly "System" is.

I tried with system variables, but there is no "System" variable.

Regards,

Dragan


Monday, June 24, 2019 10:30 AM

Thank you, it is clearer now.