Windows Firewall: Looking for user-interaction API

I'm considering making a small GUI application for Windows 10, which interacts with the Windows Firewall.

However, I'm having trouble locating the relevant API for one desired action.

USE CASE (SITUATION)

When Windows 10 is being used in a fairly factory-default home-usage situation (picture: grandma reading her e-mails and browsing the web), it is common for the firewall to be configured in a way that resembles:

  1. Many rules being present which allow a wide range of Windows services and applications (such as the web browser, email client) various forms of network access.
  2. Perhaps a few rules blocking specific applications from having any internet access at all (or being subject to specific constraints).
  3. One of a couple possible profiles/policies being in effect, which determine what to do when a previously unknown application attempts to use the network or internet.

My question revolves entirely around point #3.

MY OBJECTIVE

Normally, the Windows Firewall's active profile will be set to deny such a "new" application's connections by default, but will also display a popup asking the user if they want to allow it or not. I wish to keep this functionality largely as is, but instead of the built-in popup coming up, I want Windows to notify my custom application, and let me decide on the appropriate action (be it with or without user interaction).

WINDOWS FIREWALL APIs

As to what I found out so far: "Windows Defender Firewall" or just "Windows Firewall" (netfw.h) has many related APIs/functions. They're (mostly) well documented at: https://learn.microsoft.com/en-us/windows/win32/api/netfw/

The INetFwRule(|2|3) APIs deal with the individual firewall rules.

The INetFwProfile and INetFwPolicy(|2) APIs deal with the settings related to what I'm interested in, such as:

INetFwPolicy2::get_NotificationsDisabled

INetFwProfile::get_NotificationsDisabled

But nowhere nearby can I find anything related to registering a function to hook into any of that, only getter/setter methods for turning the notifications on or off.

The most promising APIs found so far, seem to be INetFwProduct(s); which contain

INetFwProducts::Register -> Allows an application or service to access the methods and properties for registering third-party firewall products with Windows Firewall.

INetFwProduct::get_RuleCategories -> For a third-party firewall product registration, indicates the rule categories for which the third-party firewall wishes to take ownership from Windows Firewall.

That's obviously related to registering a third-party program (I'm picturing Zone Alarm, Norton Security, ...) so that it can take over certain aspects of NETFW's workload. It's not unlikely that that is indeed the designation that my application would fall under, that of a security tool.

The INetFwProduct stuff brings some annoying constraints into the mix (Authenticode-signing and such), which isn't particularly relevant/important (but still, more on that later).

MY QUESTION

The main issue, however, is that this still doesn't really give me any idea as to how my (imaginary INetFwProduct-registered) software would accomplish what I want.

I would expect there to be another API somewhere, which provides methods to hook up my INetFwProduct package to either NETFW or at the very least some networking layer API or the like.

Is anyone aware of where the trail that I am on leads to? Or perhaps familiar with an easier way to accomplish the same thing?

INETFWPRODUCT SEEMS OVERKILL

I'm also starting to suspect this whole INetFwProduct route involves my program taking on enormous responsibilities, when all I really want to do is replace/hook into one tiny part of NETFW's workload. After all, I'm not looking to replace the entire ruleset/policy backend, nor change the way rules are interpreted, nor any other fancy stuff. I merely want my userland program to be called upon, instead of (or prior to) the user being bugged with a popup GUI. Ideally all my program would do is return a boolean on whether or not to allow the connection through (and if desired it could use the INetFwRule APIs to also add a permanent rule for future connections from the same program).

AUTHENTICODE REQUIREMENTS

Not directly related to my question, but the INetFwProduct functionality also does bring a bunch of new constraints into the picture. My application would then (seemingly) have to be Authenticode-signed and require an IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY header. I'm not very familiar with either of those things, though I did figure (and seem to have confirmed) that free Let's Encrypt certificates cannot be used for this, and the same is likely true for self-signed certificates. And since I wasn't planning on making this a very big (nor polished nor paid) product and wasn't particularly planning on releasing it as a FOSS project either, the result of which seems to be, you cannot make such a program without spending at least 150€ or 350€ a year for the certification.
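The three things the question describes (allow rules for known applications, block rules for specific applications, and the per-profile policy that decides what happens to an unknown application and whether the popup is shown) are all readable through the same INetFwPolicy2 object the question links to. The script below is an added example, not code from the question; it is an audit of that state from PowerShell, which is the quickest way to see what the netfw.h getters return before writing a GUI around them. It assumes Windows 10 with the HNetCfg.FwPolicy2 COM class registered (it is on every supported client), uses only documented INetFwPolicy2 and INetFwRule properties, and changes nothing.

```powershell
# Added example (not from the question): audit the Windows Firewall state the question
# describes, via the INetFwPolicy2 COM object exposed by netfw.h. Read-only.
# Assumes Windows 10 and the HNetCfg.FwPolicy2 COM class; run in a normal PowerShell session.

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2 values. CurrentProfileTypes is a bitmask of the profiles in effect now.
$profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
# NET_FW_ACTION values returned by DefaultInboundAction / DefaultOutboundAction and INetFwRule.Action.
$actions  = @{ 0 = 'Block'; 1 = 'Allow' }

# Point 3 of the question: per-profile policy for previously unknown applications.
foreach ($type in ($profiles.Keys | Sort-Object)) {
    [pscustomobject]@{
        Profile               = $profiles[$type]
        Active                = (($fw.CurrentProfileTypes -band $type) -ne 0)
        FirewallEnabled       = $fw.FirewallEnabled($type)
        DefaultInboundAction  = $actions[[int]$fw.DefaultInboundAction($type)]
        DefaultOutboundAction = $actions[[int]$fw.DefaultOutboundAction($type)]
        # INetFwPolicy2::get_NotificationsDisabled: $true means the built-in
        # "allow this app?" popup is suppressed for this profile (blocked silently).
        NotificationsDisabled = $fw.NotificationsDisabled($type)
    }
}

# Point 2 of the question: enabled rules that block a specific application.
# INetFwRule.Direction: 1 = In, 2 = Out. Profiles is a NET_FW_PROFILE_TYPE2 bitmask.
$fw.Rules |
    Where-Object { $_.Enabled -and ([int]$_.Action -eq 0) -and $_.ApplicationName } |
    Select-Object Name, ApplicationName,
        @{ n = 'Direction'; e = { if ($_.Direction -eq 1) { 'In' } else { 'Out' } } },
        @{ n = 'Profiles';  e = { ($profiles.Keys | Where-Object { $_.Profiles -band $_ } | ForEach-Object { $profiles[$_] }) -join ',' } } |
    Sort-Object ApplicationName, Direction
```

Two details worth noticing in the output on a default home install: the built-in popup is tied to the inbound default, because DefaultOutboundAction is Allow on all three profiles and only inbound listeners from unknown applications are blocked and prompted for; and NotificationsDisabled is a per-profile setting, so a machine can be silent on Public and prompting on Private at the same time. Both are things a replacement for the popup has to reproduce, which is why reading them through INetFwPolicy2 first is cheaper than guessing.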
