17

I am adding a Windows firewall rule using the netsh advfirewall firewall command in a setup program. My code gives an error message if the system has the Windows firewall disabled.

So I need to check the Windows firewall status before executing the command netsh advfirewall firewall add, i.e., if the firewall is disabled, there is no need to add the rule.

I am checking whether the firewall is enabled by using the Windows registry value "EnableFirewall".

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

I am not sure this is the right way. There can be a domain firewall profile(?) also.

Thanks in advance.

JChan

8 Answers

13

Another option is to use netsh itself to check whether the firewall is enabled. Execute the command netsh advfirewall show private|public|domain. It will give the state as on/off.

biegleux
Pr38y
    Doesn't work in Win7 Pro. What worked was `netsh advfirewall show currentprofile`. – Macke Feb 18 '14 at 13:49
    The command is **`netsh advfirewall show all state`**. You can replace **`all`** by **`private`** or **`public`** or **`domain`** – Paul Oct 06 '15 at 18:19
4

Invoke-Command -ComputerName <servername> -Credential <username> -ScriptBlock {[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$env:COMPUTERNAME).OpenSubKey("System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile").GetValue("EnableFirewall")}

1 means enabled.

Ayan Mullick
3

Try this for a Compliance and Non-Compliance check:

$FirewallStatus = 0
$SysFirewallReg1 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" -Name EnableFirewall | Select-Object -ExpandProperty EnableFirewall
If ($SysFirewallReg1 -eq 1) {
    $FirewallStatus = 1
}

$SysFirewallReg2 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" -Name EnableFirewall | Select-Object -ExpandProperty EnableFirewall
If ($SysFirewallReg2 -eq 1) {
    $FirewallStatus = ($FirewallStatus + 1)
}

# StandardProfile is the private profile's key
$SysFirewallReg3 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -Name EnableFirewall | Select-Object -ExpandProperty EnableFirewall
If ($SysFirewallReg3 -eq 1) {
    $FirewallStatus = ($FirewallStatus + 1)
}

If ($FirewallStatus -eq 3) {Write-Host "Compliant"}
Else {Write-Host "Non-Compliant"}
Robert N
2

I just had to do something similar for an environment I took over. I used the below to check state for all three profiles.

invoke-command -computername $computer  -scriptblock {
    try{ get-netfirewallprofile | select name,enabled }
    catch{ netsh advfirewall show all state }
}

The try block will work with Server 2012 or Windows 8 and newer systems. If that fails, the error about not having the cmdlet will be caught, and instead of giving you an error it will fall back to using netsh to display the information.

I've used this on server 2008 R2, 2012 R2 and 2016 with good results. Hope it works for you!

Mike Murray
2

Written as a one-liner:

if (((Get-NetFirewallProfile | select name,enabled) | where { $_.Enabled -eq $True } | measure ).Count -eq 3) {Write-Host "OK" -ForegroundColor Green} else {Write-Host "OFF" -ForegroundColor Red}

What it does:

  • Iterates through each firewall settings item: [Domain, Private, Public]
  • Checks whether each item is enabled (set to TRUE)
  • There are 3 items, so we count all TRUEs and compare to 3
  • Prints green OK or red OFF
  • Does NOT use netsh or the registry
  • Requires a working NetSecurity module for the Get-NetFirewallProfile cmdlet.
not2qubit
1

Make sure to also check the GPO policies for firewalls; they are not stored in the registry but in another store. See this question as well: Windows Firewall state different between Powershell output and GUI

Erik Oppedijk
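Pulling the answers above together, as an added example that is not code from any post on this page: it reads the effective (GPO-aware) state of all three profiles with Get-NetFirewallProfile -PolicyStore ActiveStore, falls back to parsing netsh on hosts without the NetSecurity module, and then runs the netsh add command only when the firewall service is running and at least one profile is on. The function names, the MpsSvc service check, the English-locale netsh parsing and the program path are assumptions.

```powershell
# Added example, not code from any answer on this page. Assumes Windows 8 / Server 2012
# or newer for Get-NetFirewallProfile; older hosts fall back to netsh (English locale).
function Get-FirewallProfileState {
    # Returns a hashtable: profile name -> $true when that profile's firewall is on.
    $state = @{}
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        # ActiveStore is the effective configuration, so a GPO that turns the
        # firewall on or off is reflected here even if the registry value differs.
        foreach ($p in (Get-NetFirewallProfile -PolicyStore ActiveStore)) {
            $state[$p.Name] = ($p.Enabled -eq 'True')
        }
    } else {
        # Fallback: parse "netsh advfirewall show allprofiles state" section by section.
        $current = $null
        foreach ($line in (netsh advfirewall show allprofiles state)) {
            if ($line -match '^(\w+) Profile Settings:') { $current = $matches[1] }
            elseif ($current -and $line -match '^State\s+(ON|OFF)\s*$') {
                $state[$current] = ($matches[1] -eq 'ON')
            }
        }
    }
    return $state
}

function Add-SetupRuleIfNeeded {
    param([string]$RuleName, [string]$ProgramPath)
    # netsh advfirewall talks to the firewall service (MpsSvc); if that service is
    # stopped, the add command fails regardless of the per-profile setting.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'Windows Firewall service is not running; rule not added'
        return $false
    }
    $profiles = Get-FirewallProfileState
    $enabled = @($profiles.Keys | Where-Object { $profiles[$_] })
    if ($enabled.Count -eq 0) {
        Write-Host 'Firewall is off on every profile; rule not needed'
        return $false
    }
    Write-Host "Firewall is on for: $($enabled -join ', '); adding rule '$RuleName'"
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow program="$ProgramPath" enable=yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Example call (hypothetical rule name and program path):
Add-SetupRuleIfNeeded -RuleName 'MySetup App' -ProgramPath 'C:\Program Files\MyApp\app.exe'
```

A rule added while a profile is off is still stored and takes effect once that profile is turned back on, so skipping the add is a convenience for the installer rather than a correctness requirement.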
0

I am new to this, but I used reg query to get the details.

Type this in the command line and hit enter.

reg query \\IP_Address\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

I was using it in my work and also was using the command below.

reg query \\ip_address\path
Abyx
    The letter 'K' is missing in HKEY from the registry path. SO won't let me edit since it's less than a 6 character change... – voidmain Sep 06 '17 at 16:45
0
$Compliance = 'Non-Compliant'
# One variable per profile: a single $Check overwritten three times would only
# reflect the last (Private) profile, so Domain and Public would never be tested.
$Domain  = Get-NetFirewallProfile | Where-Object {$_.Name -eq 'Domain'  -and $_.Enabled -eq 'True'}
$Public  = Get-NetFirewallProfile | Where-Object {$_.Name -eq 'Public'  -and $_.Enabled -eq 'True'}
$Private = Get-NetFirewallProfile | Where-Object {$_.Name -eq 'Private' -and $_.Enabled -eq 'True'}
if ($Domain -and $Public -and $Private) {$Compliance = 'Compliant'}
$Compliance
gunr2171
Garrett
  • Thank you for this code snippet, which might provide some limited, immediate help. A [proper explanation would greatly improve its long-term value](//meta.stackexchange.com/q/114762/206345) by showing _why_ this is a good solution to the problem, and would make it more useful to future readers with other, similar questions. Please [edit] your answer to add some explanation, including the assumptions you've made. – gunr2171 Mar 02 '18 at 18:46