Get Active WFP Block Rules

Description

Lists all persistent Windows Filtering Platform (WFP) outbound-block rules currently installed by the WFP manager, showing the filter ID, blocked executable path, and IP version.

Overview

This script calls Get-WfpBlock to enumerate all active WFP outbound-block rules that were created by the SpecterInsight WFP manager. Each result shows the numeric filter ID (which can be passed to Remove-WfpFilter for surgical removal), the NT-format path of the blocked executable, and whether the rule applies to IPv4 or IPv6 traffic.

This is useful for auditing what is currently blocked before removing rules.

Pre-Requisites

  • High integrity (Administrator) process

Dependencies

  • Firewall

Parameters

None.

Example Output

FilterId  NtPath                                                                    Layer
--------  ------                                                                    -----
65537     \device\harddiskvolume3\program files\windows defender\msmpeng.exe        IPv4
65538     \device\harddiskvolume3\program files\windows defender\msmpeng.exe        IPv6
65539     \device\harddiskvolume3\program files\windows defender\mssense.exe        IPv4
65540     \device\harddiskvolume3\program files\windows defender\mssense.exe        IPv6
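
For the auditing use described in the Overview, the table can be grouped per executable to show which processes have outbound traffic blocked on both IP versions and which filter IDs belong to each. This is an added example, not SpecterInsight code; it assumes the output was saved as text in the layout shown above, and the `SECURITY_MARKERS` list and function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the rows shown under "Example Output" on this page.
SAMPLE = r"""
FilterId  NtPath                                                                    Layer
--------  ------                                                                    -----
65537     \device\harddiskvolume3\program files\windows defender\msmpeng.exe        IPv4
65538     \device\harddiskvolume3\program files\windows defender\msmpeng.exe        IPv6
65539     \device\harddiskvolume3\program files\windows defender\mssense.exe        IPv4
65540     \device\harddiskvolume3\program files\windows defender\mssense.exe        IPv6
"""

# Assumption: path fragments that mark security tooling; extend per environment.
SECURITY_MARKERS = ("\\windows defender\\",)

# FilterId is numeric, Layer is the last token, and the path between may contain spaces.
ROW = re.compile(r"^\s*(\d+)\s+(\S.*?)\s+(IPv4|IPv6)\s*$")

def parse_rows(text):
    """Return (filter_id, nt_path, layer) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows

def audit(text):
    """Group rules per executable and report coverage and the filter IDs involved."""
    grouped = defaultdict(lambda: {"filter_ids": [], "layers": set()})
    for filter_id, path, layer in parse_rows(text):
        grouped[path]["filter_ids"].append(filter_id)
        grouped[path]["layers"].add(layer)
    report = {}
    for path, info in grouped.items():
        report[path] = {
            "filter_ids": sorted(info["filter_ids"]),
            # A rule on one IP version only leaves the other version unblocked.
            "both_ip_versions": info["layers"] == {"IPv4", "IPv6"},
            "security_tool": any(marker in path for marker in SECURITY_MARKERS),
        }
    return report

if __name__ == "__main__":
    for path, entry in audit(SAMPLE).items():
        flag = "SECURITY TOOL" if entry["security_tool"] else "other"
        scope = "IPv4+IPv6" if entry["both_ip_versions"] else "partial"
        print(f"[{flag}] {path} ({scope}) filters={entry['filter_ids']}")
```

The `filter_ids` list for each executable is the set of values to pass to Remove-WfpFilter when restoring that process's outbound connectivity.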