Note: I have transferred this blog from my old blog site: http://dcarapic.blogspot.com/ so I am reposting most of the stuff from there
I am using the standard windows firewall and in several cases I wanted to quickly block an application from accessing the internet. Usually this would require me to start up the standard windows firewall configuration utility
%windir%\system32\WF.msc and manually add outgoing and/or incoming rules for the application main executable.
This can be a bit tedious so I've been searching for an utility to quickly add rules to the windows firewall. Unfortunately I've not been successful so I've decided to create an utility on my own. My goal was to get a new entry in the right click context menu for an application fiel which would add the blocking firewall rules (in/out). Luckily enough I did not need to do any programming since the required functionality could be achieved by standard windows batch scripting and utilities.
There are 3 parts to achieve the desired functionality:
- Creating a batch file that will block the application
Windows 7 already provides a command line utility (netsh.exe) to achieve this and the syntax is the following:
netsh advfirewall firewall add rule name="rule name" dir=in action=block program="some.exe" netsh advfirewall firewall add rule name="rule name" dir=out action=block program="some.exe"
With this command it is simple to create a batch file which will block the given application executable, lets call it
rem block.bat @set rulename = @set /p rulename= Rule name (%~n1): @if '%rulename%' == '' set rulename=%~n1 netsh advfirewall firewall add rule name="%rulename% (in)" dir=in action=block program=%1 netsh advfirewall firewall add rule name="%rulename% (out)" dir=out action=block program=%1
The batch file is simple enough. It is meant to be called with the full path and file name of the executable:
After it starts up it asks the user for the name of the rule. If the user just presses ENTER then the name of the executable will be used as a prefix of the name for two rules (incoming and outgoing). So in our case the actual executed commands (if user were to just press ENTER) would be:
netsh advfirewall firewall add rule name="some (in)" dir=in action=block program="c:\apps\some.exe" netsh advfirewall firewall add rule name="some (out)" dir=out action=block program="c:\apps\some.exe"
- Elevating the execution of the batch file
Unfortunately (or fortunately) it is not possible to invoke netsh as a normal user so we need to elevate the execution of the batch file. It should be possible to do this via the standard windows
runas command but at home my user does not have a password and
runas is not possible if you do not have the password set. Happily enough there are 3rd party utilities which can be used for elevation and the one I use -
elevate has the same command line options and
cmd.exe so it fits just fine.
- Enabling right click on file to invoke our new batch file
This is relatively simple. We just need to enter a registry entry which will add a new option when you right click on the file. New option will invoke the batch file in elevated mode. Batch file will start and asks us for the name of the rule and thats it. Here is the content of the .reg file which can be used to add necessary registry entry (lets call it
Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\*\shell\Firewall (block)\command] @="c:\\folder\\elevate.exe /c c:\\folder\\block.bat \"%1\""
This registry file assumes that you have the batch file and the elevate utility in
c:\\folder with the path to the actual files (do not forget to escape the folder separator
\ characters with
The drawback of the given registry file is that the right click context menu appears for every file type, not just executable. If somebody know how to make it appear for just .exe and .com files then please send me a note (and no, just changing the registry from
HKEY_CLASSES_ROOT\.exe does not do it :)).