1

Which .exe process is responsible for Windows Explorer having access to the local network, i.e. when you go into Explorer and browse to, for example, \\Livebox\movies?

I need to whitelist this .exe at the Firewall level (see context below), but I first need to know which .exe it is.

Note:

  • netsh advfirewall firewall add rule name="local-network-explorer" dir=out action=allow program="C:\Windows\explorer.exe" did not work

Context: I disallow all inbound/outbound connections by default in the Windows Firewall, and when I (rarely) install a new program that I'd like to have access to the internet, I just do this on the command line:

netsh advfirewall firewall add rule name="Chrome" dir=out action=allow program="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

as stated in How to block everything (all incoming and outgoing internet access) except those applications are in firewall white-list?.

I know it is a bit extreme, but it has the advantage that no program that I haven't actively whitelisted can send data outside. I've done it for Chrome, Firefox, an SFTP program, a few others, and also for core DNS and DHCP:

netsh advfirewall firewall add rule name="Core Networking (DNS-Out)" dir=out action=allow protocol=UDP remoteport=53 program="c:\windows\system32\svchost.exe" service="dnscache"
netsh advfirewall firewall add rule name="Core Networking (DHCP-Out)" dir=out action=allow protocol=UDP localport=68 remoteport=67 program="c:\windows\system32\svchost.exe" service="dhcp"

and so far it has always been successful.

Basj

1 Answer

1

Which .exe process is responsible for Windows Explorer having access to the local network, i.e. when you go into Explorer and browse to, for example, \\Livebox\movies?

None.

Windows Explorer doesn't explicitly make the network connections – it relies on UNC path support that is made available to all programs. That is, as soon as any process accesses \\foo\bar as a file, the request will be transparently sent through a shared connection maintained by the OS.

Although the "LanmanWorkstation" service is somehow involved in SMB connections, ultimately they're owned by a kernel driver and have no associated userspace process. (Various tools might show them as belonging to PID 4 aka "System", which is the Windows kernel.)

Windows Firewall already comes with a built-in rule "File and Printer Sharing (SMB-Out)" which is already set up for this purpose (the wf.msc GUI shows "System" as the configured program path).


Note that before the connection can happen, the Livebox hostname needs to be resolved to an IP address. If you rely on DNS or LLMNR, both are handled by the "Dnscache" service. NetBIOS name resolution however is also handled through LanmanWorkstation by the kernel SMB driver.

grawity
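The check described in the answer above, as an added PowerShell example that is not part of the original question or answer: it inspects the built-in "File and Printer Sharing (SMB-Out)" rule, enables it, and then confirms which process owns the resulting SMB connection. It assumes an elevated session, the English rule display name quoted in the answer, and the \\Livebox\movies share from the question; limiting the rule to the Private profile is a choice made for this example.

```powershell
# Added example. Run in an elevated PowerShell session.
# Assumption: English display name of the built-in rule, as quoted in the answer.
$ruleName = 'File and Printer Sharing (SMB-Out)'

# 1. Show every copy of the built-in rule with its program, port and address
#    filters. Windows can ship several copies scoped to different profiles.
#    The Program column is expected to read "System", not a path to an .exe.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name       = $_.Name
        Profile    = $_.Profile
        Enabled    = $_.Enabled
        Action     = $_.Action
        Program    = $app.Program
        Protocol   = $port.Protocol
        RemotePort = $port.RemotePort
        RemoteAddr = $addr.RemoteAddress
    }
} | Format-Table -AutoSize

# 2. Enable only the copies that cover the Private profile (choice made for
#    this example), so the default-deny outbound policy stays in force on
#    Public networks.
Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { "$($_.Profile)" -match 'Private|Any' } |
    Enable-NetFirewallRule

# 3. Touch the share from this PowerShell process. Any process that opens a
#    UNC path goes through the same OS-maintained SMB connection, so this
#    exercises the same path as browsing in Explorer.
$share = '\\Livebox\movies'   # share name taken from the question
"Share reachable: $(Test-Path -LiteralPath $share)"

# 4. List outbound SMB (TCP 445) connections and the process that owns them.
#    The owner is expected to be PID 4 ("System"), which is why an allow rule
#    for explorer.exe never matches this traffic.
Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, State, OwningProcess,
        @{ Name = 'ProcessName'
           Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize
```

If step 3 reports False while the rule is enabled, check name resolution next: as the answer notes, DNS and LLMNR lookups go through the Dnscache service, which needs its own outbound rules.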