Serious Discussion: Minimal Firewall

No, svchost.exe is not just a generic host process like you think.

It’s a critical system component in Windows that runs essential background services. Each instance of svchost.exe can host different Windows services — some of which are absolutely vital, like:
  • DNS Client (name resolution),
  • Windows Update,
  • Security services (like antivirus cloud sync).
Without certain svchost services running, your system can't properly read your local hosts file, located at:
C:\Windows\System32\drivers\etc\hosts

This means your local DNS filtering fails, especially if you’ve got apps that constantly update via changing IPs. Worse, if your DNS requests default to your ISP’s resolver and your system is already compromised — you’re screwed.

Now imagine malware that modifies the Windows registry and injects a fake svchost.exe under SYSTEM privileges?
Your antivirus can’t connect. Real-time protection fails. You’re either stuck offline or redirected to malicious domains.

On top of that, without the real svchost.exe running properly, you can’t monitor anything on your own system. It’s like being blind in your own house.

And if someone manages to remotely run their own version of svchost.exe under NT AUTHORITY\SYSTEM?


Let’s just say…

FATALITY. STALKER WINS. 🎮🕶️
Windows Firewall Control and Fort Firewall create rules for svchost.exe per service using it.
But, of course, that has nothing to do with malware injecting itself in.
 
I always have svchost blocked in simplewall. The only time I unblock it is if I want to run Windows Update; otherwise, it's always blocked, for the better. Of course I know/assume it's a vital process that needs to always run, but networking-wise it's always blocked...
 
I always have svchost blocked in simplewall. The only time I unblock it is if I want to run Windows Update; otherwise, it's always blocked, for the better. Of course I know/assume it's a vital process that needs to always run, but networking-wise it's always blocked...
Blocking svchost is not recommended, as several vital functions rely on it.
 
I have been doing it for years; it causes no issues whatsoever. If you want, try it and find out. It would, however, affect Windows Update any time you want to update or connect to a Microsoft-related service online; in such cases, unblock it. I've only ever needed to unblock it for Windows Update.
 
You can block specific services like Windows Update and Background Intelligent Transfer Service, and also block the specific .exe for each svchost.exe in Windows Firewall.
Yes, I mean exactly this.

Try to allow only required services for Windows Update: wuauserv, bits, dosvc. But block svchost.exe itself. Does it work for you?

Hint: wuauserv service handling is broken on Win10+.

--
Windows Firewall Control by Binisoft recommends in its user manual to allow entire svchost.exe by specific ports and destination, because of this bug on Win10+.

Simplewall copies svchost.exe to another file for Windows Update.
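As an added example (my own, not code from this thread nor from Windows Firewall Control, simplewall, Fort or Minimal Firewall), here is what the per-service approach in the last two posts looks like with the stock Windows Firewall cmdlets: outbound allow rules bound to the service SID and the svchost.exe image for wuauserv, bits and dosvc, the blanket svchost.exe block rule the post asks about, and the port-scoped svchost allow that the WFC manual is said to recommend. The rule-name prefix, port list and function names are my own choices. One caveat from how the stock firewall evaluates rules: an explicit Block rule takes precedence over any Allow rule matching the same traffic, so "block svchost.exe, allow three services" cannot work on its own; the comments show the default-outbound-Block variant, which does, at the cost of needing allow rules for everything else.

```powershell
# Added example: service-scoped Windows Firewall rules for svchost.exe using the
# built-in NetSecurity cmdlets. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$svchost  = "%SystemRoot%\System32\svchost.exe"
$services = @("wuauserv", "bits", "dosvc")   # services the post lists for Windows Update
$prefix   = "svchost-demo"                   # constructed prefix so the rules are easy to find and remove

function Add-SvchostServiceRules {
    # One outbound Allow rule per service, bound to the service short name (service SID)
    # AND the svchost.exe image, so another image claiming the service name does not match.
    foreach ($svc in $services) {
        New-NetFirewallRule -DisplayName "$prefix allow $svc" `
            -Direction Outbound -Action Allow -Profile Any `
            -Program $svchost -Service $svc `
            -Protocol TCP -RemotePort 80,443 | Out-Null
    }
}

function Add-SvchostPortScopedRule {
    # The WFC-manual style alternative: allow the whole svchost.exe image, but only to
    # specific ports. Add -RemoteAddress <your update hosts> to narrow the destination
    # as well (left out here; no real address list is assumed).
    New-NetFirewallRule -DisplayName "$prefix allow svchost web" `
        -Direction Outbound -Action Allow -Profile Any `
        -Program $svchost -Protocol TCP -RemotePort 80,443 | Out-Null
}

function Add-SvchostBlockRule {
    # Blanket outbound Block for the svchost.exe image.
    # Rule precedence: Block wins over Allow for the same traffic, so with this rule in
    # place the per-service Allow rules above never take effect. To restrict svchost to
    # the listed services with the stock firewall, call Set-DefaultOutboundBlock instead
    # of adding this rule.
    New-NetFirewallRule -DisplayName "$prefix block svchost" `
        -Direction Outbound -Action Block -Profile Any `
        -Program $svchost | Out-Null
}

function Set-DefaultOutboundBlock {
    # Default-deny outbound on all profiles: only traffic matched by an Allow rule
    # (e.g. the per-service rules) gets out. Every other program then needs its own
    # Allow rule, so try this on a test machine first.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

function Show-SvchostRules {
    # List our rules together with the program and service filters bound to them.
    Get-NetFirewallRule -DisplayName "$prefix*" | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        $svc = $_ | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Action  = $_.Action
            Program = $app.Program
            Service = $svc.Service
        }
    } | Format-Table -AutoSize
}

function Remove-SvchostRules {
    # Clean-up: removes only rules carrying our prefix.
    Get-NetFirewallRule -DisplayName "$prefix*" | Remove-NetFirewallRule
}

Add-SvchostServiceRules
Show-SvchostRules
# Remove-SvchostRules   # uncomment to undo
```

To check whether the service-scoped rules match, compare the Windows Firewall log or the `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` event channel before and after a manual update check; a hit on the `$prefix allow wuauserv` rule confirms the service SID binding works on that build, a hit on a different rule or a drop points at the handling problem the post reports.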
 
I have been doing it for years; it causes no issues whatsoever.
Well, it is normal that you don't have any issue, because from the moment you decide to block this critical service, your PC does not monitor anything (from the system). It also depends on why you are using this svchost.exe (to use the registered service DLL manager); normally you can see exactly what is running by PID number in your Task Manager, meaning which DLL is used.
 
Yes, I mean exactly this.

Try to allow only required services for Windows Update: wuauserv, bits, dosvc. But block svchost.exe itself. Does it work for you?

Hint: wuauserv service handling is broken on Win10+.

--
Windows Firewall Control by Binisoft recommends in its user manual to allow entire svchost.exe by specific ports and destination, because of this bug on Win10+.

Simplewall copies svchost.exe to another file for Windows Update.

I'm not really sure. I haven't thought of the use case I would use it for yet. I generally let core system processes access the internet so I don't break anything (something always seemed to get corrupted eventually when I used to block too many things, such as disabling Windows Store). I figure Microsoft will always find a way to get some telemetry through, no matter what you do.

I did implement a way to display the underlying services in version 1.8.



But like you said, it's not able to block individual services (if there are more than one) in a single svchost process. It would rather block all the services for that process. From what I understand, in Windows 11, many svchost processes run only a single service, and so creating a rule for that process will work. I guess you could make things even more messy and reassign each service to its own svchost process. But that sounds brittle. So then an app like yours that has its own driver and operates at the kernel level would be useful for svchost processes with more than one service, to block the connection to individual ones.
 
I'm not really sure.
But like you said, it's not able to block individual services (if there are more than one) in a single svchost process.
I'm not really sure either, but I recall svchost having different command lines for what it was using / doing, and there might be some blocking control that way...
 

v1.8

  • Updated the advanced rule creator to fix the error in uninstalling rules (it was working, but gave an error).
  • Updated colors.
  • Uninstall all MFW rules (in the advanced tab) now correctly includes wildcard rules.
  • Wildcard rules can now optionally target a specific executable name. This allows you to create precise rules, such as allowing only svchost.exe within the C:\Windows\System32 folder without affecting every other system utility.
  • Manual Refresh Button: A new refresh button (⟳) has been added to the main toolbar. Clicking this will reload all firewall rules and application lists directly from the system.
  • The logic for the "Services" tab has been completely rebuilt. The application now correctly discovers and lists all Windows services from the system, including svchost sub services.
    • Previously, svchost would only be shown and not the underlying services. To show the underlying services, Minimal Firewall now reads the unique Process ID for that specific svchost.exe instance from the event data. It then performs a WMI query against the running system services (SELECT Name FROM Win32_Service WHERE ProcessId = ).

To Install:

Recommend downloading the portable version and unzipping it wherever you keep your portable apps (a good option is C:\Program Files\PORTABLE\Minimal Firewall, for example).

To Update:

NOTE: because of the changes in the previous logic, if you are updating from before v1.7, DELETE the settings and wildcard .json files to prevent conflicts.
If you already have the portable app installed, just unzip this release, and copy all of the contents into your current release (when the app is closed). Overwrite all the files. That way, it will keep the .json files which hold your settings.
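An added example (mine, not Minimal Firewall's source) of the lookup the v1.8 notes describe: for each running svchost.exe, query Win32_Service by ProcessId to list the hosted services, pull the -k service group from the process command line that an earlier post mentions, and flag any process named svchost.exe whose image is not the one under System32 (the look-alike scenario from the first post). Built-in cmdlets only; function and column names are my own; run elevated so that CommandLine and ExecutablePath are filled in for processes in other sessions.

```powershell
# Added example, not Minimal Firewall's code: map each running svchost.exe to the
# services it hosts (Win32_Service filtered by ProcessId, as in the v1.8 notes),
# show its -k service group, and flag look-alike images.

function Get-SvchostServiceMap {
    # Win32_Process carries CommandLine and ExecutablePath; Get-Process does not.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"
    foreach ($p in $procs) {
        # Same lookup as "SELECT Name FROM Win32_Service WHERE ProcessId = <pid>"
        $hosted = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
                    Select-Object -ExpandProperty Name)
        # svchost is started as "svchost.exe -k <group> [-p] [-s <service>]"
        $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
        # A host started with -s <service> runs that single service even inside a shared group
        $single = [bool]($p.CommandLine -match '\s-s\s')
        [pscustomobject]@{
            PID           = $p.ProcessId
            Group         = $group
            SingleService = $single
            Count         = $hosted.Count
            Services      = ($hosted -join ', ')
            Path          = $p.ExecutablePath
        }
    }
}

function Test-SvchostImagePath {
    # Compare the image path with the expected one under System32 (case-insensitive);
    # a process that merely carries the svchost.exe name will fail this check.
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    begin   { $expected = Join-Path $env:SystemRoot 'System32\svchost.exe' }
    process {
        $Row | Add-Member -NotePropertyName PathOK `
                          -NotePropertyValue ($null -ne $Row.Path -and $Row.Path -ieq $expected) `
                          -PassThru
    }
}

# Shared hosts (Count > 1) are the ones a per-process firewall rule cannot split,
# which is the limitation discussed in the thread; single-service hosts can be
# handled with a rule per process.
Get-SvchostServiceMap | Test-SvchostImagePath |
    Sort-Object Count -Descending |
    Format-Table PID, Group, SingleService, Count, PathOK, Services -AutoSize
```

A row with PathOK false, or a svchost.exe with no hosted service at all, is worth a closer look (signature, parent process, loaded DLLs); the WMI query alone only tells you which registered services the Service Control Manager placed in that process.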
 
simplewall and Windows Firewall Control block the connection and show a popup asking the user to allow or block; that is what I consider a "paused" connection. As long as it is blocked until my decision, it is paused.
I'm not sure how WFC and simplewall work now, but they didn't "pause" connections when I tried them. A "pause" connection means you get an alert for a program, you click allow, and the program connects successfully. A "blocked" connection means a program cannot connect after clicking "allow"; you need to restart the program to connect successfully. Even GlassWire doesn't "pause" all programs' connections, if I recall correctly.
 
A "pause" connection means you get an alert for a program, you click allow, and the program connects successfully.
That is exactly what both Windows firewall control and simplewall do; they work flawlessly, but I prefer simplewall for dark mode, and tiny RAM footprint.
 
That is exactly what both Windows firewall control and simplewall do; they work flawlessly, but I prefer simplewall for dark mode, and tiny RAM footprint.
WFC help files (updated June 02, 2025)

Why is there no "Allow for now and ask me later" button?
The notifications are displayed for blocked connections, not for paused connections. It is not possible to resume a connection at Windows Firewall Control level because it doesn't do any packet filtering. The program is blocked, a notification is displayed. If an allow rule is created on the next connection attempt of the program, it will connect based on the newly created allow rule.
 
Isn't a connection that is blocked until I select allow from the popup actually a "paused" connection?
In short, a "paused" connection allows, and a "blocked" one requires a restart of the program in question to connect successfully. For example, start HiBit Uninstaller, which checks for updates on startup; WFC or simplewall will show an alert, but HiBit will show a connection error. HiBit may not connect if you recheck for updates. HiBit will connect after you restart it (if you clicked "allow" on the firewall alert in your previous attempt).
 
In short, a "paused" connection allows, and a "blocked" one requires a restart of the program in question to connect successfully. For example, start HiBit Uninstaller, which checks for updates on startup; WFC or simplewall will show an alert, but HiBit will show a connection error. HiBit may not connect if you recheck for updates. HiBit will connect after you restart it (if you clicked "allow" on the firewall alert in your previous attempt).
According to your description, simplewall provides "paused" connection; it is blocked until I select allow from popup, then it is connected with no need to restart anything.
Until I find another program providing better usability, performance, and UI, I will stick to simplewall.
 
According to your description, simplewall provides "paused" connection
No, Simplewall (and others without driver) just block the connections.

"Pausing" the connection is postponing the decision to allow/block until user's choice.
I.e. the incoming or outgoing packet is saved somewhere and sent again after the user's decision.
See "Processing Classify Callouts Asynchronously".