Registry script for WinPatrol to warn if Windows Firewall is turned off

[hackerman1]

Hi !

Since there is no taskbar-icon when you use windows firewall you don´t know if a nasty malware manages to turn it off.

But if you have WinPatrol (PLUS-version) you can get a warning thanks to it´s registrymonitoring.

Run the following reg-script and WinPatrol will give you warning if windows firewall is tuned off.

Code:

REGEDIT4

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\RegOptions]
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall" =dword:00000001

save this file as fx. "Winpatrol.reg"
run the script, click on them just like any other program, then say "Yes" when you are asked if you really want to run them.


There is also the corresponding settings for “Domain profile” & “Private profile”:
"HKLM\SYSTEM\CurrentControlSet\services\SharedAcce ss\Parameters\FirewallPolicy”

however the “Private profile” seems to be named “StandardProfile” in registry.
There is some information on Winpatrol.com:

"Security Center Settings

• These values are those reminder balloons that let you know if you have Firewall and AntiVirus software installed. Some of you might want these disabled but in most cases you'll want to be notified if these values change from 0 to 1. If the value is 1 you won't be notified if your AntiVirus or Firewall software is disabled. When some programs infiltrate your system they'll change these values to 1 so you don't know. You can add these values so WinPatrol can auto protect you or let you know if someone is changing them.

HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Security Center
Change Value Type to "REG_DWORD"
Add each of the following and click the Add button
Name: AntiVirusDisableNotify Value: 0
Name: FirewallDisableNotify Value: 0
"

But unfortunately that does not work.
Not on WS2008-R2, and not on W7.
You will not get any warning.

My script above works....

If you have WinPatrol-PLUS and W8 you can first try the settings from WinPatrol.com
If it doesn´t work, try my reg-script.
Then report back to this thread.
It would be interesting to hear what happens on W8....

[HappyAndyK]

I was under the impression, the Action Center warned if the Windows Firewall was turned off... but I guess I was mistaken!

Nice post ... and useful!

[hackerman1]

Doublechecked yesterday, it took about 60 seconds to get a warning, with no internet connection.
If i remember correctly the warning came a bit earlier, maybe after 30 seconds ,with an actice internet connection.
I wish the warning would come quicker, but 30-60 seconds delay is better then no warning at all....
I´m running WS2008-R2, but i have previously also tested the script on W7.
If you have WinPatrol-PLUS and windows firewall then try it.

[Corrine]

I did get a warning when disabling the firewall through the Action Center. However, the notice does not stay long and could be missed.

Using "PublicProfile" in the reg-script didn't work for me. I changed it to "StandardProfile" and received the WinPatrol warning. Unlike the Action Center warning, there is no way to miss the WinPatrol warning.

Code:

REGEDIT4

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\RegOptions]
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall" =dword:00000001

Of course this only works with WinPatrol PLUS. If you don't have PLUS, Bill is offering a limited time 1/2 price discount for a lifetime license. Information at Security Garden here.

[hackerman1]

I did get a warning when disabling the firewall through the Action Center. However, the notice does not stay long and could be missed.

Using "PublicProfile" in the reg-script didn't work for me. I changed it to "StandardProfile" and received the WinPatrol warning. Unlike the Action Center warning, there is no way to miss the WinPatrol warning.

Code:

REGEDIT4

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\RegOptions]
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall" =dword:00000001

Of course this only works with WinPatrol PLUS. If you don't have PLUS, Bill is offering a limited time 1/2 price discount for a lifetime license. Information at Security Garden here.

I think you missed what i wrote above:

"There is also the corresponding settings for “Domain profile” & “Private profile”:
"HKLM\SYSTEM\CurrentControlSet\services\Shared Access\Parameters\FirewallPolicy”

however the “Private profile” seems to be named “StandardProfile” in registry.
"

If you have "classified" your internet-connection as "Private" instead of "Public",
and are not using a "Public profile" for the firewall then you have to change the script accordingly.

And, the “Private profile” seems to be named “StandardProfile” in registry.

[edee]

What about those that forgo the Windows Firewall for some other security suite firewall?
Like myself, I have mine turned off in lieu of using the Panda Internet Security Pro firewall.
Just wondering if the script can be modified to show that there is no firewall at all running, not just the Windows firewall.

[hackerman1]

Other 3rd-party internetsecurity-suites with firewalls usually warns you if an important component like the firewall is turned off.
There is no reliable warning for windows firewall, that´s why i created the script.
Yes, i suppose you could create your own script for another firewall, the only problem is to find the registrysetting to monitor.

[oklajohn]

Doesn't Windows 8 Action Center show an issue if Windows Firewall is turned off? I was under the impression that it does.

[hackerman1]

I don´t use W8, i´m running Windows Server 2008-R2, so i can´t say how it works on W8.
But probably the same as on W7.
Read what Corrine said above:

I did get a warning when disabling the firewall through the Action Center.
However, the notice does not stay long and could be missed.