powershell windows-firewall windows-security

How to convert Application Package SID to usable format


I am trying to export full info about a certain Windows Defender Firewall rule with the following code:

 $rule = (Get-NetFirewallRule -DisplayName "Start")[0]
 $ApplicationFilter   = @($rule | Get-NetFirewallApplicationFilter)
 $AddressFilter       = @($rule | Get-NetFirewallAddressFilter)
 $PortFilter          = @($rule | Get-NetFirewallPortFilter)
 $SecurityFilter      = @($rule | Get-NetFirewallSecurityFilter)
 $ServiceFilter       = @($rule | Get-NetFirewallServiceFilter)
 $InterfaceFilter     = @($rule | Get-NetFirewallInterfaceFilter)
 $InterfaceTypeFilter = @($rule | Get-NetFirewallInterfaceTypeFilter)

The problem is that the command $rule | Get-NetFirewallApplicationFilter gives an answer in the following form:

 Program : Any
 Package : S-1-15-2-283421221-..........-..........-.........-..........-..........-..........

instead of the name of the package and the username, as in the Windows Defender Firewall console.

I spent a few hours searching for how to convert this special SID to a usable form, but I've had no luck. I know that a rule which has an app package configured gets a value for the 'Owner' property - this value is the SID of the user who owned the package whose SID is mentioned in

($rule | Get-NetFirewallApplicationFilter).Package 

but I still don't know how to get the name of the package. Does anybody know how to do it?

LukiD


Solution

  • It looks like the group has the name if it's an appx program? (appx is the enemy of administrators)

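    $rule = (Get-NetFirewallRule -DisplayName "Start")[0]
    # Appx rules have a Group that starts with '@{'; strip that prefix and
    # everything from the first '_' onward to leave the package name.
    if ($rule.group -match '@{.*') { 
      $appxname = $rule.group -replace '@{|_.*' 
    }
    $appxname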
    
    Microsoft.Windows.StartMenuExperienceHost
    

    Here are 90 appx firewall rules. Sometimes the funny @{ } string is in the Displayname as well. An Intel program even has a Unicode '®' in the title.

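    # Walk every rule and keep only those whose Group starts with '@{' (appx rules).
    get-netfirewallrule | % {
      if ($_.group -match '@{.*') { 
        # Apply the same stripping to Group and DisplayName.
        $appxname = $_.group -replace '@{|_.*' 
        $displayname2 = $_.displayname -replace '@{|_.*' 
        $_ | select @{n='displayname2';e={$displayname2}},@{n='appxname';e={$appxname}}
      }
    }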
    
    displayname2                               appxname
    ------------                               --------
    Microsoft.Windows.ContentDeliveryManager   Microsoft.Windows.ContentDeliveryManager
    Microsoft.Windows.CloudExperienceHost      Microsoft.Windows.CloudExperienceHost
    Microsoft.Windows.CloudExperienceHost      Microsoft.Windows.CloudExperienceHost
    Start                                      Microsoft.Windows.StartMenuExperienceHost
    Work or school account                     Microsoft.AAD.BrokerPlugin
    Intel® Graphics Command Center             AppUp.IntelGraphicsExperience
    Windows Feature Experience Pack            MicrosoftWindows.Client.CBS
    ...
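
One way to resolve the Package SID itself, as an added example that is not part of the question or the answer above: derive the AppContainer SID of every installed package with the Win32 API DeriveAppContainerSidFromAppContainerName and match it against the rule's Package value. It assumes that a packaged app's AppContainer name is its package family name; AppxDemo.Native, Get-AppContainerSid and Resolve-FirewallRulePackage are hypothetical names.

```powershell
# Added example. AppxDemo.Native, Get-AppContainerSid and
# Resolve-FirewallRulePackage are hypothetical names.
Add-Type -Namespace AppxDemo -Name Native -MemberDefinition @'
[DllImport("userenv.dll", CharSet = CharSet.Unicode)]
public static extern int DeriveAppContainerSidFromAppContainerName(string name, out IntPtr sid);
[DllImport("advapi32.dll")]
public static extern IntPtr FreeSid(IntPtr sid);
'@

function Get-AppContainerSid {
    param([Parameter(Mandatory)][string]$PackageFamilyName)
    $ptr = [IntPtr]::Zero
    $hr = [AppxDemo.Native]::DeriveAppContainerSidFromAppContainerName($PackageFamilyName, [ref]$ptr)
    if ($hr -ne 0) { throw ('Deriving SID for {0} failed: 0x{1:X8}' -f $PackageFamilyName, $hr) }
    try     { [Security.Principal.SecurityIdentifier]::new($ptr).Value }
    finally { [void][AppxDemo.Native]::FreeSid($ptr) }
}

# SID -> package lookup table. -AllUsers needs an elevated session.
$bySid = @{}
Get-AppxPackage -AllUsers | ForEach-Object {
    $bySid[(Get-AppContainerSid $_.PackageFamilyName)] = $_
}

function Resolve-FirewallRulePackage {
    param([Parameter(Mandatory, ValueFromPipeline)]$Rule)
    process {
        $sid = ($Rule | Get-NetFirewallApplicationFilter).Package
        if ($sid -notlike 'S-1-15-2-*') { return }   # rule is not bound to an app package
        $owner = $Rule.Owner
        if ($owner) {
            try {
                $owner = [Security.Principal.SecurityIdentifier]::new($owner).Translate([Security.Principal.NTAccount]).Value
            } catch { }   # keep the raw SID if the account cannot be resolved
        }
        $pkg = $bySid[$sid]
        [pscustomobject]@{
            DisplayName = $Rule.DisplayName
            PackageSid  = $sid
            PackageName = if ($pkg) { $pkg.Name } else { '<not installed or unknown>' }
            FamilyName  = $pkg.PackageFamilyName
            Owner       = $owner
        }
    }
}

Get-NetFirewallRule -DisplayName 'Start' | Resolve-FirewallRulePackage
```

A rule whose package SID matches no installed package is reported with the raw SID, which is worth reviewing when auditing exported rules.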