{"componentChunkName":"component---src-templates-post-template-js","path":"/a-part-of-anti-virus-3-02-en","result":{"data":{"markdownRemark":{"id":"ba160964-c618-5515-b5d9-7249f2e919b0","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/a-part-of-anti-virus-3-02\">original page</a>.</p>\n</blockquote>\n<p>In this chapter, we will actually verify how the communication filtering functionality using WFP, explained in the previous chapter, works.</p>\n<p>To verify the behavior, we will use a user-mode program that can add various filters to a specified layer.</p>\n<p>The source code for the user-mode program used in this sample is published in the following repository.</p>\n<p>URL: <a href=\"https://github.com/kash1064/book06-wfp-samples\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://github.com/kash1064/book06-wfp-samples</a></p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#overview-of-the-sample-program\">Overview of the Sample Program</a></p>\n<ul>\n<li><a href=\"#defining-the-filters-added-by-the-program\">Defining the Filters Added by the Program</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#registering-filters-using-bfe\">Registering Filters Using BFE</a></p>\n<ul>\n<li><a href=\"#opening-a-session-to-the-filter-engine\">Opening a Session to the 
Filter Engine</a></li>\n<li><a href=\"#starting-a-transaction\">Starting a Transaction</a></li>\n<li><a href=\"#registering-a-custom-provider\">Registering a Custom Provider</a></li>\n<li><a href=\"#registering-filters\">Registering Filters</a></li>\n<li><a href=\"#committing-the-transaction\">Committing the Transaction</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#checking-how-filter-arbitration-works\">Checking How Filter Arbitration Works</a></p>\n<ul>\n<li><a href=\"#blocking-connections-to-a-specific-port-number\">Blocking Connections to a Specific Port Number</a></li>\n<li><a href=\"#checking-the-effect-of-filter-weight-within-the-same-sublayer\">Checking the Effect of Filter Weight Within the Same Sublayer</a></li>\n<li><a href=\"#checking-the-effect-of-weight-across-different-sublayers\">Checking the Effect of Weight Across Different Sublayers</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n<li><a href=\"#table-of-contents-for-this-book\">Table of Contents for This Book</a></li>\n</ul>\n<h2 id=\"overview-of-the-sample-program\" style=\"position:relative;\"><a href=\"#overview-of-the-sample-program\" aria-label=\"overview of the sample program permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Overview of the Sample Program</h2>\n<p>The code for the sample program (<code class=\"language-text\">UserModeWFPFilter</code>) downloaded from the repository above can be built with Visual Studio 2022.</p>\n<p>This program has the following two functions.</p>\n<ol>\n<li>Add 
filters to a specific layer according to settings hardcoded in the program</li>\n<li>Delete all filters registered by the program</li>\n</ol>\n<p>All filters registered by this program are associated with its own WFP provider, <code class=\"language-text\">Simple WFP User-Mode Provider</code>.\nTo restore the configuration, the program deletes all filters associated with this provider.</p>\n<p>The following is a screenshot of adding and deleting filters with this sample program.</p>\n<p><img src=\"/static/9f8314318c27e798a9baaa4c49ee5270/a1dd2/02-wfp-001.png\" alt=\"Adding and deleting filters with the sample program\" title=\"Adding and deleting filters with the sample program\" /></p>\n<h3 id=\"defining-the-filters-added-by-the-program\" style=\"position:relative;\"><a href=\"#defining-the-filters-added-by-the-program\" aria-label=\"defining the filters added by the program permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Defining the Filters Added by the Program</h3>\n<p>In this sample program, filters can be added by adding elements to the <code class=\"language-text\">rules</code> array of the <code class=\"language-text\">FILTER_RULES</code> structure defined as a global variable.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">struct</span> <span class=\"token class-name\">FILTER_RULES</span>\n<span class=\"token punctuation\">{</span>\n\t<span class=\"token keyword\">const</span> GUID filterKey<span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">const</span> GUID layerKey<span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">const</span> GUID subLayerKey<span class=\"token punctuation\">;</span>\n\t<span class=\"token 
keyword\">const</span> <span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span> name<span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">const</span> <span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span> description<span class=\"token punctuation\">;</span>\n\tUINT16 port<span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">const</span> <span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span> appPath<span class=\"token punctuation\">;</span>\n\tFWP_ACTION_TYPE action<span class=\"token punctuation\">;</span>\n\tUINT64 weight<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">const</span> FILTER_RULES rules<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token punctuation\">{</span> FILTER_KEY_1<span class=\"token punctuation\">,</span> FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token punctuation\">,</span> FWPM_SUBLAYER_UNIVERSAL<span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Block HTTPS(443)\"</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Block HTTPS(443)\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">443</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> FWP_ACTION_BLOCK<span class=\"token punctuation\">,</span> <span class=\"token number\">0xFFFFFFFFFFFFFFF1</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n\n\t<span class=\"token punctuation\">{</span> FILTER_KEY_2<span class=\"token punctuation\">,</span> FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token 
punctuation\">,</span> FWPM_SUBLAYER_UNIVERSAL<span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Allow HTTPS(443)\"</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Allow HTTPS(443)\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">443</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> FWP_ACTION_PERMIT<span class=\"token punctuation\">,</span> <span class=\"token number\">0xFFFFFFFFFFFFFFF2</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Members of <code class=\"language-text\">FILTER_RULES</code> such as <code class=\"language-text\">filterKey</code>, <code class=\"language-text\">layerKey</code>, and <code class=\"language-text\">subLayerKey</code> correspond to members of the <code class=\"language-text\">FWPM_FILTER0</code> structure, which stores information associated with a WFP filter.<sup id=\"fnref-1\"><a href=\"#fn-1\" class=\"footnote-ref\">1</a></sup></p>\n<p>The <code class=\"language-text\">FWPM_FILTER0</code> structure is defined as follows and contains the information required to register a filter.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">typedef</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">FWPM_FILTER0_</span> <span class=\"token punctuation\">{</span>\n  GUID                   filterKey<span class=\"token punctuation\">;</span>\n  FWPM_DISPLAY_DATA0     displayData<span class=\"token punctuation\">;</span>\n  UINT32                 flags<span class=\"token punctuation\">;</span>\n  GUID                   <span class=\"token operator\">*</span>providerKey<span class=\"token 
punctuation\">;</span>\n  FWP_BYTE_BLOB          providerData<span class=\"token punctuation\">;</span>\n  GUID                   layerKey<span class=\"token punctuation\">;</span>\n  GUID                   subLayerKey<span class=\"token punctuation\">;</span>\n  FWP_VALUE0             weight<span class=\"token punctuation\">;</span>\n  UINT32                 numFilterConditions<span class=\"token punctuation\">;</span>\n  FWPM_FILTER_CONDITION0 <span class=\"token operator\">*</span>filterCondition<span class=\"token punctuation\">;</span>\n  FWPM_ACTION0           action<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">union</span> <span class=\"token punctuation\">{</span>\n    UINT64 rawContext<span class=\"token punctuation\">;</span>\n    GUID   providerContextKey<span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n  GUID                   <span class=\"token operator\">*</span>reserved<span class=\"token punctuation\">;</span>\n  UINT64                 filterId<span class=\"token punctuation\">;</span>\n  FWP_VALUE0             effectiveWeight<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> FWPM_FILTER0<span class=\"token punctuation\">;</span></code></pre></div>\n<p>In the example above, <code class=\"language-text\">FILTER_KEY_1</code>, a GUID hardcoded in the program, is used as <code class=\"language-text\">filterKey</code>.\nThis <code class=\"language-text\">filterKey</code> is used to uniquely identify the filter.</p>\n<p>The next members, <code class=\"language-text\">layerKey</code> and <code class=\"language-text\">subLayerKey</code>, indicate the GUIDs of the layer and sublayer to which the filter will be added, respectively.</p>\n<p>The layers to which filters can be added in WFP and their identifiers are organized in the public documentation.<sup id=\"fnref-2\"><a href=\"#fn-2\" 
class=\"footnote-ref\">2</a></sup>\n<code class=\"language-text\">FWPM_LAYER_ALE_AUTH_CONNECT_V4</code>, used in the example above, specifies an inspectable ALE layer for outbound TCP connection requests using IPv4.</p>\n<p>Also, <code class=\"language-text\">FWPM_SUBLAYER_UNIVERSAL</code> is the identifier of the default sublayer, which hosts all filters that are not assigned to any other sublayer.<sup id=\"fnref-3\"><a href=\"#fn-3\" class=\"footnote-ref\">3</a></sup></p>\n<p>Both the <code class=\"language-text\">name</code> and <code class=\"language-text\">description</code> members are used for the filter’s <code class=\"language-text\">displayData</code>. This is defined as the <code class=\"language-text\">FWPM_DISPLAY_DATA0</code> structure.<sup id=\"fnref-4\"><a href=\"#fn-4\" class=\"footnote-ref\">4</a></sup></p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">typedef</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">FWPM_DISPLAY_DATA0_</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token class-name\">wchar_t</span> <span class=\"token operator\">*</span>name<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">wchar_t</span> <span class=\"token operator\">*</span>description<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> FWPM_DISPLAY_DATA0<span class=\"token punctuation\">;</span></code></pre></div>\n<p>Names specified here, such as <code class=\"language-text\">Block HTTPS(443)</code>, are registered as filter names and can be checked by viewing the list of filters with tools such as WFP Explorer.</p>\n<p><img src=\"/static/9bf3b23e36d2edc6559fef4fd4d797dc/0f2bc/02-wfp-002.png\" alt=\"Viewing registered filter names\" title=\"Viewing registered filter names\" /></p>\n<p>The <code class=\"language-text\">port</code> and <code class=\"language-text\">appPath</code> members are used to specify the port number and application path used as filter conditions, respectively.</p>\n<p>In the example above, only port 443 is used as a filter condition, and because the application path is not included in the conditions, <code 
class=\"language-text\">NULL</code> is specified for <code class=\"language-text\">appPath</code>.</p>\n<p>The final members, <code class=\"language-text\">action</code> and <code class=\"language-text\">weight</code>, are values used to specify the action when the filter condition matches and the filter’s weight, respectively.</p>\n<p><code class=\"language-text\">action</code> specifies a value of the <code class=\"language-text\">FWP_ACTION_TYPE</code> enumeration included in <code class=\"language-text\">FWPM_ACTION0</code>, which defines the action to take when the filter condition matches. <code class=\"language-text\">FWP_ACTION_BLOCK</code> means blocking traffic, and <code class=\"language-text\">FWP_ACTION_PERMIT</code> means allowing traffic.<sup id=\"fnref-5\"><a href=\"#fn-5\" class=\"footnote-ref\">5</a></sup></p>\n<p>Although the sample program used in this chapter does not handle them, if you use a callout driver, values such as <code class=\"language-text\">FWP_ACTION_CALLOUT_TERMINATING</code>, <code class=\"language-text\">FWP_ACTION_CALLOUT_INSPECTION</code>, or <code class=\"language-text\">FWP_ACTION_CALLOUT_UNKNOWN</code> may be used as the <code class=\"language-text\">type</code>.</p>\n<p>The <code class=\"language-text\">weight</code> member is used as the <code class=\"language-text\">weight</code> of the <code class=\"language-text\">FWPM_FILTER0</code> structure and specifies the filter’s priority (weight) within a sublayer.\nTypes such as <code class=\"language-text\">FWP_UINT64</code> and <code class=\"language-text\">FWP_UINT8</code> can be used for <code class=\"language-text\">weight</code>, but this sample program uses <code class=\"language-text\">FWP_UINT64</code>.</p>\n<p>That completes the definition of the <code class=\"language-text\">FILTER_RULES</code> structure used by the sample program in this chapter.</p>\n<p>In this chapter, to observe how WFP filters network traffic, we will register various filters in the system by 
adding or removing rules from the <code class=\"language-text\">rules</code> array of the <code class=\"language-text\">FILTER_RULES</code> structure and then rebuilding the program.</p>\n<p>For example, if you want to add a filter that blocks all outbound access by Microsoft Edge in the <code class=\"language-text\">FWPM_SUBLAYER_UNIVERSAL</code> sublayer of the <code class=\"language-text\">FWPM_LAYER_ALE_AUTH_CONNECT_V4</code> layer, add the following element to the <code class=\"language-text\">rules</code> array.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token punctuation\">{</span> FILTER_KEY_3<span class=\"token punctuation\">,</span> FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token punctuation\">,</span> FWPM_SUBLAYER_UNIVERSAL<span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Block Edge\"</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Block Edge\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\"</span><span class=\"token punctuation\">,</span> FWP_ACTION_BLOCK<span class=\"token punctuation\">,</span> <span class=\"token number\">0xFFFFFFFFFFFFFFF1</span> <span class=\"token punctuation\">}</span></code></pre></div>\n<h2 id=\"registering-filters-using-bfe\" style=\"position:relative;\"><a href=\"#registering-filters-using-bfe\" aria-label=\"registering filters using bfe permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 
2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Registering Filters Using BFE</h2>\n<p>Adding and deleting filters used by WFP are performed mainly by the Base Filtering Engine (BFE), a user-mode service.</p>\n<p>Applications communicate with the BFE through the management functions provided by the platform and can perform various operations such as adding and deleting filters.<sup id=\"fnref-6\"><a href=\"#fn-6\" class=\"footnote-ref\">6</a></sup></p>\n<p>The following summarizes the sequence of operations the sample program in this chapter performs when it adds or deletes filters.</p>\n<ol>\n<li>Use the <code class=\"language-text\">FwpmEngineOpen0</code> function to open a session to the filter engine.</li>\n<li>Start a transaction in the session.</li>\n<li>Register a custom provider.</li>\n<li>Register filters associated with the registered custom provider.</li>\n<li>After all filters are registered, commit the transaction to apply the changes.</li>\n</ol>\n<p>The details of each step are explained below.</p>\n<h3 id=\"opening-a-session-to-the-filter-engine\" style=\"position:relative;\"><a href=\"#opening-a-session-to-the-filter-engine\" aria-label=\"opening a session to the filter engine permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Opening a Session to the Filter Engine</h3>\n<p>To register filters for communication filtering in WFP, you first need to open a session 
to the filter engine.</p>\n<p>Most WFP function calls are executed within the context of a session.\nA session is destroyed when the client calls <code class=\"language-text\">FwpmEngineClose0</code> or when the client process exits.<sup id=\"fnref-7\"><a href=\"#fn-7\" class=\"footnote-ref\">7</a></sup></p>\n<p>In the sample program, the operation of opening a session to the filter engine is implemented as the <code class=\"language-text\">OpenFilterEngine</code> function, and the handle to the session opened with <code class=\"language-text\">FwpmEngineOpen0</code> is stored in <code class=\"language-text\">engineHandle</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">DWORD <span class=\"token function\">OpenFilterEngine</span><span class=\"token punctuation\">(</span>\n    HANDLE<span class=\"token operator\">*</span> engineHandle\n<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>engineHandle <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token keyword\">return</span> ERROR_INVALID_PARAMETER<span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n\n\t<span class=\"token keyword\">return</span> <span class=\"token function\">FwpmEngineOpen0</span><span class=\"token punctuation\">(</span>\n\t\t<span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span>\n\t\tRPC_C_AUTHN_WINNT<span class=\"token punctuation\">,</span>\n\t\t<span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span>\n\t\t<span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span>\n\t\tengineHandle<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p><code class=\"language-text\">FwpmEngineOpen0</code> is a function used to open a session to the filter engine and is defined as follows.<sup id=\"fnref-8\"><a href=\"#fn-8\" class=\"footnote-ref\">8</a></sup></p>\n<p>The handle to the opened session to the filter engine is returned in <code class=\"language-text\">engineHandle</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">DWORD <span class=\"token function\">FwpmEngineOpen0</span><span class=\"token punctuation\">(</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span> <span class=\"token keyword\">const</span> <span class=\"token class-name\">wchar_t</span>             <span class=\"token operator\">*</span>serverName<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           UINT32                    authnService<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span> SEC_WINNT_AUTH_IDENTITY_W <span class=\"token operator\">*</span>authIdentity<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span> <span class=\"token keyword\">const</span> FWPM_SESSION0       <span class=\"token operator\">*</span>session<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>out<span class=\"token punctuation\">]</span>          HANDLE                    <span class=\"token operator\">*</span>engineHandle\n<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span></code></pre></div>\n<p>The second parameter, <code class=\"language-text\">authnService</code>, specifies the authentication service to use.</p>\n<p>Also, <code class=\"language-text\">authIdentity</code> is a parameter that can specify the authentication and authorization credentials used to access the filter engine, but it can be set to <code class=\"language-text\">NULL</code>; if <code class=\"language-text\">NULL</code> is specified, the credentials of the calling thread are used.</p>\n<h3 id=\"starting-a-transaction\" style=\"position:relative;\"><a href=\"#starting-a-transaction\" aria-label=\"starting a transaction permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Starting a Transaction</h3>\n<p>After opening a session to the filter engine, use the <code class=\"language-text\">FwpmTransactionBegin0</code> function to explicitly start a transaction in the current session.</p>\n<p>This transaction enforces strict ACID properties (atomicity, consistency, isolation, and durability), and if the session ends while the transaction is being executed, the transaction is automatically aborted.<sup id=\"fnref-9\"><a href=\"#fn-9\" class=\"footnote-ref\">9</a></sup></p>\n<p><code class=\"language-text\">FwpmTransactionBegin0</code>, which starts a transaction, is defined as follows and is executed by passing it the <code class=\"language-text\">engineHandle</code> obtained with <code class=\"language-text\">FwpmEngineOpen0</code>.<sup id=\"fnref-10\"><a href=\"#fn-10\" 
class=\"footnote-ref\">10</a></sup></p>\n<p>Also, the second parameter, <code class=\"language-text\">flags</code>, is a value that specifies whether the transaction is a “read/write transaction” or a “read-only transaction.”</p>\n<p>In the sample program, <code class=\"language-text\">0</code> is used for <code class=\"language-text\">flags</code> because it starts a read/write transaction.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">DWORD <span class=\"token function\">FwpmTransactionBegin0</span><span class=\"token punctuation\">(</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span> HANDLE engineHandle<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span> UINT32 flags\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h3 id=\"registering-a-custom-provider\" style=\"position:relative;\"><a href=\"#registering-a-custom-provider\" aria-label=\"registering a custom provider permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Registering a Custom Provider</h3>\n<p>This sample program registers a custom provider named <code class=\"language-text\">Simple WFP User-Mode Provider</code>.</p>\n<p>The provider is registered using the <code class=\"language-text\">FwpmProviderAdd0</code> function.<sup id=\"fnref-11\"><a href=\"#fn-11\" 
class=\"footnote-ref\">11</a></sup>\nThis function takes as an argument the provider information defined by the <code class=\"language-text\">FWPM_PROVIDER0</code> structure.<sup id=\"fnref-12\"><a href=\"#fn-12\" class=\"footnote-ref\">12</a></sup></p>\n<p>Also, the third parameter, <code class=\"language-text\">sd</code>, can specify a security descriptor for the provider object to be added, but in this sample program, <code class=\"language-text\">NULL</code> is specified to use the default security descriptor.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">typedef</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">FWPM_PROVIDER0_</span> <span class=\"token punctuation\">{</span>\n  GUID               providerKey<span class=\"token punctuation\">;</span>\n  FWPM_DISPLAY_DATA0 displayData<span class=\"token punctuation\">;</span>\n  UINT32             flags<span class=\"token punctuation\">;</span>\n  FWP_BYTE_BLOB      providerData<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">wchar_t</span>            <span class=\"token operator\">*</span>serviceName<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> FWPM_PROVIDER0<span class=\"token punctuation\">;</span>\n\nDWORD <span class=\"token function\">FwpmProviderAdd0</span><span class=\"token punctuation\">(</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           HANDLE               engineHandle<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>           <span class=\"token keyword\">const</span> FWPM_PROVIDER0 <span class=\"token operator\">*</span>provider<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> 
optional<span class=\"token punctuation\">]</span> PSECURITY_DESCRIPTOR sd\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>The following is an excerpt from the part of the sample program that registers the custom provider.</p>\n<p>In the <code class=\"language-text\">DefineProvider</code> function, information such as the GUID defined as <code class=\"language-text\">PROVIDER_KEY</code> and the provider name is assigned to <code class=\"language-text\">provider</code>, an object of the <code class=\"language-text\">FWPM_PROVIDER0</code> structure.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">DefineProvider</span><span class=\"token punctuation\">(</span>FWPM_PROVIDER0<span class=\"token operator\">*</span> provider<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>provider <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n\n\tprovider<span class=\"token operator\">-></span>providerKey <span class=\"token operator\">=</span> PROVIDER_KEY<span class=\"token punctuation\">;</span>\n\tprovider<span class=\"token operator\">-></span>displayData<span class=\"token punctuation\">.</span>name <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>L<span class=\"token string\">\"Simple WFP User-Mode Provider\"</span><span class=\"token 
punctuation\">;</span>\n\tprovider<span class=\"token operator\">-></span>displayData<span class=\"token punctuation\">.</span>description <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>L<span class=\"token string\">\"Provider for simple WFP user-mode filter example.\"</span><span class=\"token punctuation\">;</span>\n\tprovider<span class=\"token operator\">-></span>flags <span class=\"token operator\">=</span> FWPM_PROVIDER_FLAG_PERSISTENT<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token comment\">/* omitted */</span>\n\n<span class=\"token function\">DefineProvider</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>provider<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nresult <span class=\"token operator\">=</span> <span class=\"token function\">FwpmProviderAdd0</span><span class=\"token punctuation\">(</span>engineHandle<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>provider<span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result <span class=\"token operator\">==</span> FWP_E_ALREADY_EXISTS<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Provider already exists. 
Continuing...\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\tresult <span class=\"token operator\">=</span> ERROR_SUCCESS<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">else</span> <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result <span class=\"token operator\">!=</span> ERROR_SUCCESS<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error: ProviderAdd failed (0x%x)\\n\"</span><span class=\"token punctuation\">,</span> result<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token function\">CleanupWfp</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>engineHandle<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token keyword\">return</span> result<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"registering-filters\" style=\"position:relative;\"><a href=\"#registering-filters\" aria-label=\"registering filters permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Registering Filters</h3>\n<p>After registering the custom provider, the filters are registered based on the 
information in the <code class=\"language-text\">rules</code> array of the <code class=\"language-text\">FILTER_RULES</code> structure described earlier.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">const</span> <span class=\"token keyword\">auto</span><span class=\"token operator\">&amp;</span> rule <span class=\"token operator\">:</span> rules<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\n   FWPM_FILTER0 filter <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n   FWPM_FILTER_CONDITION0 condition<span class=\"token punctuation\">[</span><span class=\"token number\">9</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n   UINT32 conditionCount <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n\n   <span class=\"token function\">DefineFilterConditions</span><span class=\"token punctuation\">(</span>\n      condition<span class=\"token punctuation\">,</span> \n      rule<span class=\"token punctuation\">.</span>port<span class=\"token punctuation\">,</span> \n      rule<span class=\"token punctuation\">.</span>appPath<span class=\"token punctuation\">,</span> \n      <span class=\"token operator\">&amp;</span>conditionCount\n   <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n   <span class=\"token function\">BuildFilter</span><span class=\"token punctuation\">(</span>\n      <span 
class=\"token operator\">&amp;</span>filter<span class=\"token punctuation\">,</span> \n      condition<span class=\"token punctuation\">,</span> \n      conditionCount<span class=\"token punctuation\">,</span> \n      rule<span class=\"token punctuation\">,</span> \n      PROVIDER_KEY\n   <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n   UINT64 filterId <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n   result <span class=\"token operator\">=</span> <span class=\"token function\">AddFilterObject</span><span class=\"token punctuation\">(</span>\n      engineHandle<span class=\"token punctuation\">,</span> \n      <span class=\"token operator\">&amp;</span>filter<span class=\"token punctuation\">,</span> \n      <span class=\"token operator\">&amp;</span>filterId\n   <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n   <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result <span class=\"token operator\">!=</span> ERROR_SUCCESS<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n   <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error: FwpmFilterAdd0 failed. 
Code: 0x%x\\n\"</span><span class=\"token punctuation\">,</span> result<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n   <span class=\"token function\">FwpmTransactionAbort0</span><span class=\"token punctuation\">(</span>engineHandle<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n   <span class=\"token function\">CleanupWfp</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>engineHandle<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n   <span class=\"token keyword\">return</span> result<span class=\"token punctuation\">;</span>\n   <span class=\"token punctuation\">}</span>\n\n   <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Added filter '%S' (ID: %llu)\\n\"</span><span class=\"token punctuation\">,</span> rule<span class=\"token punctuation\">.</span>name<span class=\"token punctuation\">,</span> filterId<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>In the loop, the <code class=\"language-text\">DefineFilterConditions</code> function, which is called first, creates objects of the <code class=\"language-text\">FWPM_FILTER_CONDITION0</code> structure that defines filter conditions.<sup id=\"fnref-13\"><a href=\"#fn-13\" class=\"footnote-ref\">13</a></sup></p>\n<p>This structure is defined as follows and includes members of the <code class=\"language-text\">FWP_MATCH_TYPE</code> enumeration<sup id=\"fnref-14\"><a href=\"#fn-14\" class=\"footnote-ref\">14</a></sup> and the <code class=\"language-text\">FWP_CONDITION_VALUE0</code> structure<sup id=\"fnref-15\"><a href=\"#fn-15\" class=\"footnote-ref\">15</a></sup>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span 
class=\"token keyword\">typedef</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">FWPM_FILTER_CONDITION0_</span> <span class=\"token punctuation\">{</span>\n  GUID                 fieldKey<span class=\"token punctuation\">;</span>\n  FWP_MATCH_TYPE       matchType<span class=\"token punctuation\">;</span>\n  FWP_CONDITION_VALUE0 conditionValue<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> FWPM_FILTER_CONDITION0<span class=\"token punctuation\">;</span></code></pre></div>\n<p>For <code class=\"language-text\">fieldKey</code>, the first member of the <code class=\"language-text\">FWPM_FILTER_CONDITION0</code> structure, you specify the GUID of the field that the condition is evaluated against.</p>\n<p>The keys available here are defined as filtering condition identifiers.<sup id=\"fnref-16\"><a href=\"#fn-16\" class=\"footnote-ref\">16</a></sup></p>\n<p>For example, to match on the remote (destination) port number, use <code class=\"language-text\">FWPM_CONDITION_IP_REMOTE_PORT</code>; to match on the path of the application that is making the connection, use <code class=\"language-text\">FWPM_CONDITION_ALE_APP_ID</code>. Note that <code class=\"language-text\">FWPM_CONDITION_ALE_APP_ID</code> is not compared against the path string itself: the path must first be converted into an application ID blob with <code class=\"language-text\">FwpmGetAppIdFromFileName0</code>, and that blob is supplied as the condition value with type <code class=\"language-text\">FWP_BYTE_BLOB_TYPE</code>.</p>\n<p>The <code class=\"language-text\">FWP_MATCH_TYPE</code> enumeration defines the kinds of comparison available for filter conditions.</p>\n<p>The filters added in the sample program basically use <code class=\"language-text\">FWP_MATCH_EQUAL</code>, so they are simple filters that check whether the classified value is equal to the configured value.</p>\n<p>Other <code class=\"language-text\">FWP_MATCH_TYPE</code> values let you build more flexible filters, for example ones that test whether a value is greater than or less than the configured value, or whether it falls within a range.</p>\n<p>The <code class=\"language-text\">FWP_CONDITION_VALUE0</code> structure, on the other hand, holds the typed value that the field is compared against when matching filter 
conditions.</p>\n<p>If <code class=\"language-text\">FWPM_CONDITION_IP_REMOTE_PORT</code> is used for <code class=\"language-text\">fieldKey</code>, for example, the integer value of the destination port number used for the condition is registered as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">conditionValue<span class=\"token punctuation\">.</span>type <span class=\"token operator\">=</span> FWP_UINT16<span class=\"token punctuation\">;</span>\nconditionValue<span class=\"token punctuation\">.</span>uint16 <span class=\"token operator\">=</span> remotePort<span class=\"token punctuation\">;</span></code></pre></div>\n<p>After creating objects of the <code class=\"language-text\">FWPM_FILTER_CONDITION0</code> structure that define the filter conditions, the next step is to create an object of the <code class=\"language-text\">FWPM_FILTER0</code> structure.</p>\n<p>This structure contains the state of the filter and is defined as follows.<sup id=\"fnref-17\"><a href=\"#fn-17\" class=\"footnote-ref\">17</a></sup></p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">typedef</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">FWPM_FILTER0_</span> <span class=\"token punctuation\">{</span>\n  GUID                   filterKey<span class=\"token punctuation\">;</span>\n  FWPM_DISPLAY_DATA0     displayData<span class=\"token punctuation\">;</span>\n  UINT32                 flags<span class=\"token punctuation\">;</span>\n  GUID                   <span class=\"token operator\">*</span>providerKey<span class=\"token punctuation\">;</span>\n  FWP_BYTE_BLOB          providerData<span class=\"token punctuation\">;</span>\n  GUID                   layerKey<span class=\"token punctuation\">;</span>\n  GUID                   subLayerKey<span class=\"token punctuation\">;</span>\n  
FWP_VALUE0             weight<span class=\"token punctuation\">;</span>\n  UINT32                 numFilterConditions<span class=\"token punctuation\">;</span>\n  FWPM_FILTER_CONDITION0 <span class=\"token operator\">*</span>filterCondition<span class=\"token punctuation\">;</span>\n  FWPM_ACTION0           action<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">union</span> <span class=\"token punctuation\">{</span>\n    UINT64 rawContext<span class=\"token punctuation\">;</span>\n    GUID   providerContextKey<span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n  GUID                   <span class=\"token operator\">*</span>reserved<span class=\"token punctuation\">;</span>\n  UINT64                 filterId<span class=\"token punctuation\">;</span>\n  FWP_VALUE0             effectiveWeight<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> FWPM_FILTER0<span class=\"token punctuation\">;</span></code></pre></div>\n<p>In the sample program, the <code class=\"language-text\">BuildFilter</code> function is used to create <code class=\"language-text\">filter</code>, an object of the <code class=\"language-text\">FWPM_FILTER0</code> structure.</p>\n<p>Most of the values set here, such as the filter name and description, the GUIDs of the layer and sublayer, the filter action and the weight, are taken from the <code class=\"language-text\">FILTER_RULES</code> entries defined as global variables. The <code class=\"language-text\">filterId</code> and <code class=\"language-text\">effectiveWeight</code> members are not set by the caller; the filter engine fills them in once the filter has been added.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">BuildFilter</span><span class=\"token punctuation\">(</span>\n\tFWPM_FILTER0<span class=\"token operator\">*</span> filter<span class=\"token punctuation\">,</span>\n\tFWPM_FILTER_CONDITION0<span class=\"token operator\">*</span> condition<span class=\"token 
punctuation\">,</span>\n\tUINT32 conditionCount<span class=\"token punctuation\">,</span>\n\t<span class=\"token keyword\">const</span> FILTER_RULES<span class=\"token operator\">&amp;</span> rule<span class=\"token punctuation\">,</span>\n\t<span class=\"token keyword\">const</span> GUID<span class=\"token operator\">&amp;</span> providerKey<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n\t<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>filter <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span> <span class=\"token operator\">||</span> condition <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span> <span class=\"token operator\">||</span> conditionCount <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t\t<span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n\t<span class=\"token punctuation\">}</span>\n\n\tfilter<span class=\"token operator\">-></span>displayData<span class=\"token punctuation\">.</span>name <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rule<span class=\"token punctuation\">.</span>name<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>displayData<span class=\"token punctuation\">.</span>description <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">wchar_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rule<span class=\"token punctuation\">.</span>description<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>filterKey <span 
class=\"token operator\">=</span> rule<span class=\"token punctuation\">.</span>filterKey<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>providerKey <span class=\"token operator\">=</span> const_cast<span class=\"token operator\">&lt;</span>GUID<span class=\"token operator\">*</span><span class=\"token operator\">></span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>providerKey<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>layerKey <span class=\"token operator\">=</span> rule<span class=\"token punctuation\">.</span>layerKey<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>subLayerKey <span class=\"token operator\">=</span> rule<span class=\"token punctuation\">.</span>subLayerKey<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>action<span class=\"token punctuation\">.</span>type <span class=\"token operator\">=</span> rule<span class=\"token punctuation\">.</span>action<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>weight<span class=\"token punctuation\">.</span>type <span class=\"token operator\">=</span> FWP_UINT64<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>weight<span class=\"token punctuation\">.</span>uint64 <span class=\"token operator\">=</span> const_cast<span class=\"token operator\">&lt;</span>UINT64<span class=\"token operator\">*</span><span class=\"token operator\">></span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>rule<span class=\"token punctuation\">.</span>weight<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>numFilterConditions <span class=\"token operator\">=</span> 
conditionCount<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>filterCondition <span class=\"token operator\">=</span> condition<span class=\"token punctuation\">;</span>\n\tfilter<span class=\"token operator\">-></span>flags <span class=\"token operator\">=</span> FWPM_FILTER_FLAG_PERSISTENT<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>After creating the <code class=\"language-text\">FWPM_FILTER0</code> structure object, the final step is to register the filter using the <code class=\"language-text\">FwpmFilterAdd0</code> function.</p>\n<p><code class=\"language-text\">FwpmFilterAdd0</code> registers a new filter with the filter engine. It is called with the session handle and the <code class=\"language-text\">FWPM_FILTER0</code> object; the optional <code class=\"language-text\">sd</code> parameter sets a security descriptor on the new filter object (<code class=\"language-text\">NULL</code> selects the default, as with the provider), and the optional <code class=\"language-text\">id</code> parameter receives the runtime filter ID assigned by the engine, which is the value the sample program prints and the <code class=\"language-text\">filterId</code> that the wfpdiag events refer to.<sup id=\"fnref-18\"><a href=\"#fn-18\" class=\"footnote-ref\">18</a></sup></p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">DWORD <span class=\"token function\">FwpmFilterAdd0</span><span class=\"token punctuation\">(</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>            HANDLE               engineHandle<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">]</span>            <span class=\"token keyword\">const</span> FWPM_FILTER0   <span class=\"token operator\">*</span>filter<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>in<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span>  PSECURITY_DESCRIPTOR sd<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">[</span>out<span class=\"token punctuation\">,</span> optional<span class=\"token punctuation\">]</span> UINT64               <span class=\"token 
operator\">*</span>id\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h3 id=\"committing-the-transaction\" style=\"position:relative;\"><a href=\"#committing-the-transaction\" aria-label=\"committing the transaction permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Committing the Transaction</h3>\n<p>After all filter registrations are complete, call the <code class=\"language-text\">FwpmTransactionCommit0</code> function to commit the transaction you started.<sup id=\"fnref-19\"><a href=\"#fn-19\" class=\"footnote-ref\">19</a></sup></p>\n<p>This completes filter registration by the user-mode program.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">result <span class=\"token operator\">=</span> <span class=\"token function\">FwpmTransactionCommit0</span><span class=\"token punctuation\">(</span>engineHandle<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result <span class=\"token operator\">!=</span> ERROR_SUCCESS<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error: Commit failed (0x%x)\\n\"</span><span class=\"token punctuation\">,</span> result<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n\t<span class=\"token function\">FwpmTransactionAbort0</span><span class=\"token punctuation\">(</span>engineHandle<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"SUCCESS: Persistent filters added.\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h2 id=\"checking-how-filter-arbitration-works\" style=\"position:relative;\"><a href=\"#checking-how-filter-arbitration-works\" aria-label=\"checking how filter arbitration works permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Checking How Filter Arbitration Works</h2>\n<p>Now that we have confirmed the behavior of adding filters with the user-mode sample program, we will use this sample program to check various filtering behaviors in practice.</p>\n<h3 id=\"blocking-connections-to-a-specific-port-number\" style=\"position:relative;\"><a href=\"#blocking-connections-to-a-specific-port-number\" aria-label=\"blocking connections to a specific port number permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path 
fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Blocking Connections to a Specific Port Number</h3>\n<p>First, add a filter using the following entry defined in <code class=\"language-text\">FILTER_RULES</code> in the sample program (filter key, layer, sublayer, name, description, remote port, application path, action and weight).</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token punctuation\">{</span> \n  FILTER_KEY_1<span class=\"token punctuation\">,</span> \n  FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token punctuation\">,</span> \n  FWPM_SUBLAYER_UNIVERSAL<span class=\"token punctuation\">,</span> \n  L<span class=\"token string\">\"Block HTTPS(443)\"</span><span class=\"token punctuation\">,</span> \n  L<span class=\"token string\">\"Block HTTPS(443)\"</span><span class=\"token punctuation\">,</span> \n  <span class=\"token number\">443</span><span class=\"token punctuation\">,</span> \n  <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> \n  FWP_ACTION_BLOCK<span class=\"token punctuation\">,</span> \n  <span class=\"token number\">0xFFFFFFFFFFFFFFF1</span> \n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>If you inspect the event generated when this filter is registered with <code class=\"language-text\">wfpdiag</code>, you can confirm that a filter whose condition blocks all traffic to remote port 443 has been added to the <code class=\"language-text\">FWPM_LAYER_ALE_AUTH_CONNECT_V4</code> layer. Because this layer sees only outbound IPv4 connection attempts, IPv6 connections to port 443 are not affected by this filter; covering them would require an equivalent filter on <code class=\"language-text\">FWPM_LAYER_ALE_AUTH_CONNECT_V6</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 934px; \"\n    >\n      <a\n    
class=\"gatsby-resp-image-link\"\n    href=\"/static/e3955086711c05348f2c11c0e65119f7/078fe/02-wfp-003.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 100%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e3955086711c05348f2c11c0e65119f7/8ac56/02-wfp-003.webp 240w,\n/static/e3955086711c05348f2c11c0e65119f7/d3be9/02-wfp-003.webp 480w,\n/static/e3955086711c05348f2c11c0e65119f7/7d4d8/02-wfp-003.webp 934w\"\n              sizes=\"(max-width: 934px) 100vw, 934px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e3955086711c05348f2c11c0e65119f7/8ff5a/02-wfp-003.png 240w,\n/static/e3955086711c05348f2c11c0e65119f7/e85cb/02-wfp-003.png 480w,\n/static/e3955086711c05348f2c11c0e65119f7/078fe/02-wfp-003.png 934w\"\n            sizes=\"(max-width: 934px) 100vw, 934px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e3955086711c05348f2c11c0e65119f7/078fe/02-wfp-003.png\"\n            alt=\"Filter registration event\"\n            title=\"Filter registration event\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Also, if you inspect the event processed by this filter’s <code class=\"language-text\">filterId</code>, 71431, you can confirm that traffic to port 443 from various applications was dropped by this filter.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: 
auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/13fb775b58a93530e19a1e190a005ac6/b1ffc/02-wfp-004.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 59.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/13fb775b58a93530e19a1e190a005ac6/8ac56/02-wfp-004.webp 240w,\n/static/13fb775b58a93530e19a1e190a005ac6/d3be9/02-wfp-004.webp 480w,\n/static/13fb775b58a93530e19a1e190a005ac6/e46b2/02-wfp-004.webp 960w,\n/static/13fb775b58a93530e19a1e190a005ac6/f992d/02-wfp-004.webp 1440w,\n/static/13fb775b58a93530e19a1e190a005ac6/2ead8/02-wfp-004.webp 1492w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/13fb775b58a93530e19a1e190a005ac6/8ff5a/02-wfp-004.png 240w,\n/static/13fb775b58a93530e19a1e190a005ac6/e85cb/02-wfp-004.png 480w,\n/static/13fb775b58a93530e19a1e190a005ac6/d9199/02-wfp-004.png 960w,\n/static/13fb775b58a93530e19a1e190a005ac6/07a9c/02-wfp-004.png 1440w,\n/static/13fb775b58a93530e19a1e190a005ac6/b1ffc/02-wfp-004.png 1492w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/13fb775b58a93530e19a1e190a005ac6/d9199/02-wfp-004.png\"\n            alt=\"Network traffic drop event\"\n            title=\"Network traffic drop event\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 
id=\"checking-the-effect-of-filter-weight-within-the-same-sublayer\" style=\"position:relative;\"><a href=\"#checking-the-effect-of-filter-weight-within-the-same-sublayer\" aria-label=\"checking the effect of filter weight within the same sublayer permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Checking the Effect of Filter Weight Within the Same Sublayer</h3>\n<p>Next, while keeping the <code class=\"language-text\">Block HTTPS(443)</code> filter configuration that blocks all traffic to port 443 unchanged, add a filter to the <code class=\"language-text\">FWPM_SUBLAYER_UNIVERSAL</code> sublayer of the same <code class=\"language-text\">FWPM_LAYER_ALE_AUTH_CONNECT_V4</code> layer that allows all traffic from <code class=\"language-text\">msedge.exe</code>.</p>\n<p>At this time, the <code class=\"language-text\">Allow Edge</code> filter’s <code class=\"language-text\">Weight</code> is specified as a value 1 smaller than the <code class=\"language-text\">Block HTTPS(443)</code> filter’s <code class=\"language-text\">Weight</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token punctuation\">{</span> \n  FILTER_KEY_2<span class=\"token punctuation\">,</span> \n  FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token punctuation\">,</span> \n  FWPM_SUBLAYER_UNIVERSAL<span class=\"token punctuation\">,</span> \n  L<span class=\"token string\">\"Allow Edge\"</span><span class=\"token punctuation\">,</span> \n  L<span 
class=\"token string\">\"Allow Edge\"</span><span class=\"token punctuation\">,</span> \n  <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> \n  L<span class=\"token string\">\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\"</span><span class=\"token punctuation\">,</span> \n  FWP_ACTION_PERMIT<span class=\"token punctuation\">,</span> \n  <span class=\"token number\">0xFFFFFFFFFFFFFFF0</span> \n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>If these two filters are registered, the <code class=\"language-text\">Allow Edge</code> filter will not take effect, and all traffic to port 443 by <code class=\"language-text\">msedge.exe</code> will be blocked.</p>\n<p>Also, the count of <code class=\"language-text\">terminatingFiltersInfo</code> entries in <code class=\"language-text\">netEvents</code>, which records that this traffic was dropped, does not increase, showing that the evaluation within the <code class=\"language-text\">FWPM_SUBLAYER_UNIVERSAL</code> sublayer applied <code class=\"language-text\">FWP_ACTION_BLOCK</code>, the action of the filter with the highest <code class=\"language-text\">Weight</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 823px; \"\n    >\n      <em>[Figure: Network traffic drop event 2]</em>\n    </span></p>\n<p>Next, change the <code class=\"language-text\">Weight</code> of the <code class=\"language-text\">Allow Edge</code> filter to <code class=\"language-text\">0xFFFFFFFFFFFFFFFF</code>, and then register the filters again.</p>\n<p>This time, traffic to port 443 becomes possible only when using <code class=\"language-text\">msedge.exe</code>.</p>\n<p>This behavior shows that when conflicting filters are registered within the same sublayer, the action of the filter with the highest <code class=\"language-text\">Weight</code> is used for the decision.</p>\n<h3 id=\"checking-the-effect-of-weight-across-different-sublayers\" style=\"position:relative;\"><a href=\"#checking-the-effect-of-weight-across-different-sublayers\" aria-label=\"checking the effect of weight across different sublayers permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" 
width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Checking the Effect of Weight Across Different Sublayers</h3>\n<p>Next, we will check the behavior when conflicting filters are registered in different sublayers of the same layer.</p>\n<p>First, like filters, sublayers have a <code class=\"language-text\">Weight</code> value that represents priority, and network traffic inspected at a given layer passes through all sublayers of that layer in order of sublayer <code class=\"language-text\">Weight</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <em>[Figure: List of sublayers]</em>\n    </span></p>\n<p>The major difference between this evaluation and the filter evaluation described in the previous section is that even if a matching filter is found in a higher-priority sublayer, evaluation still proceeds through all lower-priority sublayers.</p>\n<p>To confirm this behavior, change the <code class=\"language-text\">FILTER_RULES</code> settings in the sample program as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">const</span> FILTER_RULES rules<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n\t<span class=\"token punctuation\">{</span> FILTER_KEY_1<span class=\"token punctuation\">,</span> FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token punctuation\">,</span> FWPM_SUBLAYER_MPSSVC_QUARANTINE<span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Block HTTPS(443)\"</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Block HTTPS(443)\"</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">443</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> FWP_ACTION_BLOCK<span class=\"token punctuation\">,</span> <span class=\"token number\">0xFFFFFFFFFFFFFFF1</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n\t<span class=\"token punctuation\">{</span> FILTER_KEY_2<span class=\"token punctuation\">,</span> FWPM_LAYER_ALE_AUTH_CONNECT_V4<span class=\"token punctuation\">,</span> FWPM_SUBLAYER_UNIVERSAL<span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Allow Edge\"</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"Allow Edge\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> L<span class=\"token string\">\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\"</span><span class=\"token punctuation\">,</span> FWP_ACTION_PERMIT<span class=\"token punctuation\">,</span> <span class=\"token number\">0xFFFFFFFFFFFFFFFF</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Here, <code class=\"language-text\">Block HTTPS(443)</code>, which blocks all traffic to port 443, and <code class=\"language-text\">Allow Edge</code>, which allows traffic from <code class=\"language-text\">msedge.exe</code>, are assigned to different sublayers of the same layer.</p>\n<p>The <code class=\"language-text\">FWPM_SUBLAYER_MPSSVC_QUARANTINE</code> to which the <code class=\"language-text\">Block HTTPS(443)</code> filter is assigned has a <code class=\"language-text\">Weight</code> of 4.\nMeanwhile, <code class=\"language-text\">FWPM_SUBLAYER_UNIVERSAL</code>, to which the <code class=\"language-text\">Allow 
Edge</code> filter is assigned, has a <code class=\"language-text\">Weight</code> of 32768, so in terms of registered sublayer priority, <code class=\"language-text\">FWPM_SUBLAYER_UNIVERSAL</code>, which holds the <code class=\"language-text\">Allow Edge</code> filter, has the higher priority.</p>\n<p>However, if the filters are registered with this configuration, communication by <code class=\"language-text\">msedge.exe</code> is not allowed, and all traffic to port 443 is blocked.</p>\n<p>As explained in Chapter 1, in the case of sublayers, even if a matching filter is registered in a sublayer with a higher <code class=\"language-text\">Weight</code>, all sublayers in the layer are evaluated before the final action is determined.</p>\n<p>Also, the final action is determined based on WFP’s policy rules, and basically a “block” action overrides an “allow” action.</p>\n<p>Therefore, as this test result shows, even when traffic is “allowed” in a sublayer with a higher <code class=\"language-text\">Weight</code>, if it is “blocked” in another sublayer, the final decision is “block” except in exceptional circumstances.</p>\n<p>In fact, the results in <code class=\"language-text\">netevents</code> also show that the count of evaluated filters in <code class=\"language-text\">terminatingFiltersInfo</code> increased to 3, confirming that both the <code class=\"language-text\">Allow Edge</code> filter (<code class=\"language-text\">filterId:71441</code>) and the <code class=\"language-text\">Block HTTPS(443)</code> filter (<code class=\"language-text\">filterId:71440</code>) were evaluated, and that the final decision was to drop the traffic.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 916px; \"\n    >\n      <em>[Figure: Event where the block decision of <code class=\"language-text\">FWPM_SUBLAYER_MPSSVC_QUARANTINE</code> was applied]</em>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 
1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>In this chapter, we reviewed the basic operations for registering and deleting WFP filters from a user-mode program via the BFE.</p>\n<p>Using the <code class=\"language-text\">FWPM_LAYER_ALE_AUTH_CONNECT_V4</code> layer as an example, we also verified the differences in evaluation results between filters in the same sublayer and filters in different sublayers, confirming the actual behavior of WFP filtering.</p>\n<p>In the next chapter, we will use a callout driver to extend classification processing and handle dynamic allow/block control through coordination with user mode.</p>\n<h2 id=\"table-of-contents-for-this-book\" style=\"position:relative;\"><a href=\"#table-of-contents-for-this-book\" aria-label=\"table of contents for this book permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents for This Book</h2>\n<ul>\n<li><a href=\"/a-part-of-anti-virus-3-00-en\">Preface</a></li>\n<li><a href=\"/a-part-of-anti-virus-3-01-en\">Chapter 1: WFP Overview and Architecture</a></li>\n<li><a href=\"/a-part-of-anti-virus-3-02-en\">Chapter 2: Sample for Access Control with WFP</a></li>\n<li><a href=\"/a-part-of-anti-virus-3-03-en\">Chapter 3: Sample for Access Control with a Callout Driver</a></li>\n</ul>\n<div 
class=\"footnotes\">\n<hr>\n<ol>\n<li id=\"fn-1\">\n<p><code class=\"language-text\">FWPM_FILTER0</code> structure (fwpmtypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0</a></p>\n<a href=\"#fnref-1\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-2\">\n<p>Management filtering layer identifiers <a href=\"https://learn.microsoft.com/windows-hardware/drivers/network/management-filtering-layer-identifiers\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/windows-hardware/drivers/network/management-filtering-layer-identifiers</a></p>\n<a href=\"#fnref-2\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-3\">\n<p>Filtering sublayer identifiers <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/fwp/management-filtering-sublayer-identifiers\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/fwp/management-filtering-sublayer-identifiers</a></p>\n<a href=\"#fnref-3\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-4\">\n<p><code class=\"language-text\">FWPM_DISPLAY_DATA0</code> structure (fwptypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwptypes/ns-fwptypes-fwpm_display_data0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwptypes/ns-fwptypes-fwpm_display_data0</a></p>\n<a href=\"#fnref-4\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-5\">\n<p><code class=\"language-text\">FWPM_ACTION0</code> structure (fwpmtypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_action0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_action0</a></p>\n<a 
href=\"#fnref-5\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-6\">\n<p>Management Functions <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/fwp/fwp-mgmt-functions\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/fwp/fwp-mgmt-functions</a></p>\n<a href=\"#fnref-6\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-7\">\n<p>Sessions <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/fwp/object-management#sessions\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/fwp/object-management#sessions</a></p>\n<a href=\"#fnref-7\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-8\">\n<p>FwpmEngineOpen0 function (fwpmu.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmengineopen0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmengineopen0</a></p>\n<a href=\"#fnref-8\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-9\">\n<p>Transactions <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/fwp/object-management#transactions\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/fwp/object-management#transactions</a></p>\n<a href=\"#fnref-9\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-10\">\n<p>FwpmTransactionBegin0 function (fwpmu.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0</a></p>\n<a href=\"#fnref-10\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-11\">\n<p>FwpmProviderAdd0 function (fwpmu.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmprovideradd0\" target=\"_blank\" rel=\"nofollow noopener 
noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmprovideradd0</a></p>\n<a href=\"#fnref-11\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-12\">\n<p>FwpmProviderAdd0 function (fwpmu.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmprovideradd0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmprovideradd0</a></p>\n<a href=\"#fnref-12\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-13\">\n<p><code class=\"language-text\">FWPM_FILTER_CONDITION0</code> structure (fwpmtypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0</a></p>\n<a href=\"#fnref-13\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-14\">\n<p><code class=\"language-text\">FWP_MATCH_TYPE</code> enumeration (fwptypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwptypes/ne-fwptypes-fwp_match_type\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwptypes/ne-fwptypes-fwp_match_type</a></p>\n<a href=\"#fnref-14\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-15\">\n<p><code class=\"language-text\">FWP_CONDITION_VALUE0</code> structure (fwptypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwptypes/ns-fwptypes-fwp_condition_value0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwptypes/ns-fwptypes-fwp_condition_value0</a></p>\n<a href=\"#fnref-15\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-16\">\n<p>Filtering condition identifiers <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/fwp/filtering-condition-identifiers-\" 
target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/fwp/filtering-condition-identifiers-</a></p>\n<a href=\"#fnref-16\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-17\">\n<p><code class=\"language-text\">FWPM_FILTER0</code> structure (fwpmtypes.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0</a></p>\n<a href=\"#fnref-17\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-18\">\n<p>FwpmFilterAdd0 function (fwpmu.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilteradd0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilteradd0</a></p>\n<a href=\"#fnref-18\" class=\"footnote-backref\">↩</a>\n</li>\n<li id=\"fn-19\">\n<p>FwpmFilterAdd0 function (fwpmu.h) <a href=\"https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilteradd0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://learn.microsoft.com/ja-jp/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilteradd0</a></p>\n<a href=\"#fnref-19\" class=\"footnote-backref\">↩</a>\n</li>\n</ol>\n</div>","fields":{"slug":"/a-part-of-anti-virus-3-02-en","tagSlugs":["/tag/a-part-of-anti-virus-3-en/","/tag/windows-en/","/tag/win-dbg-en/","/tag/anti-virus-en/","/tag/english/"]},"frontmatter":{"date":"2026-04-11","description":"This is the WEB edition of A PART OF ANTI-VIRUS 3, distributed at Technical Book Fest 20.","tags":["A PART OF ANTI-VIRUS 3 (en)","Windows (en)","WinDbg (en)","AntiVirus (en)","English"],"title":"A PART OF ANTI-VIRUS 3 - Learning Windows Filtering Platform (WFP) from Public Sample Code - (WEB Edition) [Chapter 2: A Sample That Uses WFP for Access 
Control]","socialImage":{"publicURL":"/static/272acc1e889df0e25d89217e89d5fd13/a-part-of-anti-virus-3.png"}}}},"pageContext":{"slug":"/a-part-of-anti-virus-3-02-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}