Поделиться через

Working with Multiple Profiles

This example shows how to perform several tasks using the Windows Firewall with Advanced Security APIs.

    Copyright (C) Microsoft. All rights reserved.


        Sample code for 'Windows Firewall with Advanced Security' COM interfaces.

        Illustrates correct usage of following methods/properties of INetFwPolicy2 COM interface
        in the presence of multiple firewall profiles:
          - CurrentProfileTypes
          - IsRuleGroupCurrentlyEnabled
          - IsRuleGroupEnabled
          - LocalPolicyModifyState

#include <windows.h>
#include <stdio.h>
#include <netfw.h>

#pragma comment( lib, "ole32.lib" )
#pragma comment( lib, "oleaut32.lib" )

// Forward declarations
HRESULT    WFCOMInitialize(INetFwPolicy2** ppNetFwPolicy2);
void       WFCOMCleanup(INetFwPolicy2* pNetFwPolicy2);
HRESULT    GetCurrentFirewallState(__in INetFwPolicy2 *pNetFwPolicy2);
HRESULT    IsRuleGroupEnabled(__in INetFwPolicy2 *pNetFwPolicy2);
HRESULT    IsRuleGroupCurrentlyEnabled(__in INetFwPolicy2 *pNetFwPolicy2);
HRESULT    GetLocalPolicyModifyState(__in INetFwPolicy2 *pNetFwPolicy2);

int __cdecl wmain()
    HRESULT hrComInit = S_OK;
    HRESULT hr = S_OK;
    INetFwPolicy2 *pNetFwPolicy2 = NULL;

    // Initialize COM.
    hrComInit = CoInitializeEx(

    // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
    // initialized with a different mode. Since we don't care what the mode is,
    // we'll just use the existing mode.
    if (hrComInit != RPC_E_CHANGED_MODE)
        if (FAILED(hrComInit))
            wprintf(L"CoInitializeEx failed: 0x%08lx\n", hrComInit);
            goto Cleanup;

    // Retrieve INetFwPolicy2
    hr = WFCOMInitialize(&amp;pNetFwPolicy2);
    if (FAILED(hr))
        goto Cleanup;

    // Show Firewall ON/OFF state on current profiles

    // Show status of 'File and Printer Sharing' rule group on current profiles

    // Show status of 'File and Printer Sharing' rule group on specified profiles

    // For the current firewall profiles display whether the changes to firewall rules 
    //  will take effect or not


    // Release INetFwPolicy2

    // Uninitialize COM.
    if (SUCCEEDED(hrComInit))
    return 0;

// Instantiate INetFwPolicy2
HRESULT WFCOMInitialize(INetFwPolicy2** ppNetFwPolicy2)
    HRESULT hr = S_OK;

    hr = CoCreateInstance(

    if (FAILED(hr))
        wprintf(L"CoCreateInstance for INetFwPolicy2 failed: 0x%08lx\n", hr);
        goto Cleanup;        

    return hr;

// Release INetFwPolicy2
void WFCOMCleanup(INetFwPolicy2* pNetFwPolicy2)
    // Release the INetFwPolicy2 object (Vista+)
    if (pNetFwPolicy2 != NULL)

// For the currently active firewall profiles display whether firewall is ON or OFF
HRESULT GetCurrentFirewallState(__in INetFwPolicy2 *pNetFwPolicy2)
    long    CurrentProfilesBitMask = 0;
    VARIANT_BOOL bActualFirewallEnabled = VARIANT_FALSE;
    struct ProfileMapElement 
        LPCWSTR Name;
    ProfileMapElement ProfileMap[3];
    ProfileMap[0].Id = NET_FW_PROFILE2_DOMAIN;
    ProfileMap[0].Name = L"Domain";
    ProfileMap[1].Id = NET_FW_PROFILE2_PRIVATE;
    ProfileMap[1].Name = L"Private";
    ProfileMap[2].Id = NET_FW_PROFILE2_PUBLIC;
    ProfileMap[2].Name = L"Public";

    wprintf(L"\n\nCurrent Firewall State:\n");

    hr = pNetFwPolicy2->get_CurrentProfileTypes(&amp;CurrentProfilesBitMask);
    if (FAILED(hr))
        wprintf(L"Failed to get CurrentProfileTypes. Error: %x.\n", hr);
        goto CLEANUP;

    // The returned 'CurrentProfiles' bitmask can have more than 1 bit set if multiple profiles 
    //   are active or current at the same time

    for (int i=0; i<3; i++)
        if ( CurrentProfilesBitMask & ProfileMap[i].Id  )
            /*Is Firewall Enabled?*/
            hr = pNetFwPolicy2->get_FirewallEnabled(ProfileMap[i].Id, &amp;bActualFirewallEnabled);
            if (FAILED(hr))
                wprintf(L"Failed to get FirewallEnabled settings for %s profile. Error: %x.\n", ProfileMap[i].Name, hr);
                goto CLEANUP;
            wprintf(L"On %s profile (Current) : Firewall state is %s\n", ProfileMap[i].Name, (bActualFirewallEnabled ? L"ON" : L"OFF"));

    return hr;

// For the currently active firewall profiles display whether the rule group is enabled or not
HRESULT IsRuleGroupCurrentlyEnabled(__in INetFwPolicy2 *pNetFwPolicy2)
    HRESULT hr = S_OK;

    BSTR GroupName = SysAllocString(L"File and Printer Sharing");

    wprintf(L"\n\nIs 'File and Printer Sharing' rule group currently enabled ?\n");

    hr = pNetFwPolicy2->get_IsRuleGroupCurrentlyEnabled(GroupName, &amp;bActualEnabled);

    if ( SUCCEEDED(hr) )
        if (VARIANT_TRUE == bActualEnabled &amp;&amp; S_OK == hr)
            wprintf(L"Rule Group currently enabled on all the current profiles\n");
        else if (VARIANT_TRUE == bActualEnabled &amp;&amp; S_FALSE == hr)
            wprintf(L"Rule Group currently enabled on some of the current profiles but not on all the current profiles\n");
        else if (VARIANT_FALSE == bActualEnabled)
            wprintf(L"Rule Group Currently not enabled on any of the current profiles\n");
        wprintf(L"Failed calling API IsRuleGroupCurrentlyEnabled. Error: 0x %x.\n", hr);
        goto Cleanup;

    return hr;

// For the specified firewall profiles display whether the rule group is enabled or not
HRESULT IsRuleGroupEnabled(__in INetFwPolicy2 *pNetFwPolicy2)
    HRESULT hr = S_OK;

    BSTR GroupName = SysAllocString(L"File and Printer Sharing");

    wprintf(L"\n\nIs 'File and Printer Sharing' rule group enabled in public and private profiles ?\n");

    hr = pNetFwPolicy2->IsRuleGroupEnabled(NET_FW_PROFILE2_PRIVATE | NET_FW_PROFILE2_PUBLIC, GroupName, &amp;bActualEnabled);

    if ( SUCCEEDED(hr) )
        if (VARIANT_TRUE == bActualEnabled &amp;&amp; S_OK == hr)
            wprintf(L"Rule Group currently enabled on both public and private profiles\n");
        else if (VARIANT_TRUE == bActualEnabled &amp;&amp; S_FALSE == hr)
            wprintf(L"Rule Group currently enabled on either public or private profile but not both\n");
        else if (VARIANT_FALSE == bActualEnabled)
            wprintf(L"Rule Group currently disabled on both public and private profiles\n");
        wprintf(L"Failed calling API IsRuleGroupCurrentlyEnabled. Error: 0x %x.\n", hr);
        goto Cleanup;

    return hr;

// For the currently active firewall profiles display whether the changes to firewall rules will take effect or not
HRESULT GetLocalPolicyModifyState(__in INetFwPolicy2 *pNetFwPolicy2)
    HRESULT hr;
    NET_FW_MODIFY_STATE modifystate;

    wprintf(L"\n\nWill changes to firewall rules take effect ?\n");

    hr = pNetFwPolicy2->get_LocalPolicyModifyState(&amp;modifystate);
    if (FAILED(hr))
        wprintf(L"Failed calling API get_LocalPolicyModifyState. Error: %x.\n", hr);
        return hr;

    if(modifystate == NET_FW_MODIFY_STATE_OK)
        if (hr == S_OK)
            wprintf(L"Changing or adding firewall rule (or group) to the current profiles will take effect on all current profiles.\n");
        else if (hr == S_FALSE)
            wprintf(L"Changing or adding firewall rule (or group) to the current profiles will take effect on only some current profiles but not all.\n");
    else if(modifystate == NET_FW_MODIFY_STATE_GP_OVERRIDE)
        if (hr == S_OK)
            wprintf(L"Changing or adding a firewall rule (or group) to the current profiles will not take effect because group policy overrides it on all current profiles.\n");
        else if (hr == S_FALSE)
            wprintf(L"Changing or adding a firewall rule (or group) to the current profiles will not take effect because group policy overrides it on some of the current profiles.\n");
    else if(modifystate == NET_FW_MODIFY_STATE_INBOUND_BLOCKED)
        if (hr == S_OK)
            wprintf(L"Changing or adding firewall rule (or group) to the current profiles will not take effect because unsolicited inbound traffic is not allowed on all the current profiles.\n");
        else if (hr == S_FALSE)
            wprintf(L"Changing or adding firewall rule (or group) to the current profiles will not take effect because unsolicited inbound traffic is not allowed on some of the current profiles.\n");
    return hr;