Strange blocking since updating to Windows 2004

CTaylor · July 20, 2020, 2:16pm

I don’t know if it is related, but on 2020-07-17, I updated Windows to the May Update (v2004). At some point after about noon on the 18th (I only turned this computer on the morning of the 19th), I found I had lost connectivity to the network.

Running GlassWire 2.2.210. Firewall on and set to “Ask to connect”. When I turned off the GlassWire firewall, immediately data started flowing to/from the network. Flipped it back to ON and within about 5 minutes, all traffic to the Internet was being blocked. Flipped it back OFF and traffic immediately started flowing.

I wondered if there was something I had blocked that was causing this and so went to the firewall tab and removed everything that was in the “Blocked” section by clicking the “x” that appears when you hover over a lin of a blocked app and acknowledging that I will be promoted when the app next tries to access the network.

Tried flipping the firewall on and off and got the same effect as before. In a few instances (when the GlassWire firewall was ON), I would get a tab in Google Chrome that would report that it was unable to connect to the address and then it kept trying and sometimes it would connect 15 - 30 seconds later.

I saw some recent news reports that in Windows 10 v2004, sometimes the network status indicator in Windows will incorrectly report that access to the Internet has been lost - and even though it is lying, some programs believe that indicator and will refuse to even try to access the network. https://social.technet.microsoft.com/Forums/en-US/4c8654be-d3da-4611-a649-110ca5a7c70a/ncsi-taskbar-icon-may-report-quotno-internetquot-on-windows-10-2004-devices-that-do-have?forum=win10itpronetworking https://www.windowslatest.com/2020/07/18/windows-10-no-internet-connection-problem https://www.forbes.com/sites/gordonkelly/2020/07/20/microsoft-windows-10-upgrade-2004-may-2020-breaks-internet-connections-update-free-windows-10-update/#16fe2275a992

I have another computer at v2004 that does not have the problem I am experiencing on this computer.

The network status indicator on this computer never shows as having lost connectivity.

I am happy to remove GlassWire and do a clean reinstall if that’s the best approach, but I thought I would post here in case there is any value to be gained by trying other things, checking config, etc before I wipe out any evidence.

Cheers, Chris

Ken_GlassWire · July 20, 2020, 4:30pm

@CTaylor

Sorry for the issue!

I believe another person reported this bug and it should be fixed on our next update. Have you ever moved your GlassWire database between PCs or drives by chance?

Thanks for the info about the status indicator but I don’t think it’s related in this case.

CTaylor · July 20, 2020, 5:50pm

Thanks Ken

Yes, I moved my GlassWire database to a different drive. It is an internal drive, so should never be in a state where it isn’t there or anything like that.

Should I move the database back? I would rather keep it on the HDD where I now have it, rather than clutter my smaller, faster, SSD. If it MUST be moved back I can

But something odd - I looked on the web for instructions on moving the database, which I did a long time ago. I found something that said to edit c:\programdata\glasswire\service\glasswire.conf and add a string
db_file_path=d:\glasswire.db

I don’t have such a string in my glasswire.comf file. I do have
DbStorageDirectory = D:\GlassWireDB

Did I screw things up???

Chris

Ken_GlassWire · July 20, 2020, 5:54pm

@CTaylor

This is a known bug when moving databases between devices or drives. We are looking for a way to fix it. It’s a bit complex because we’ll most likely have to create a database conversion system for everyone. I just learned it probably won’t be fixed in the next update, but probably in the one after.

The solution is to do a clean install but that isn’t acceptable of course. We appreciate your patience while we figure out what to do with this weird bug.

I will ask how that string may not be available. Maybe it’s related to the bug.

Update: The bug issue is related to that string.

CTaylor · July 20, 2020, 6:11pm

Will it fix things if I change

DbStorageDirectory = D:\GlassWireDB
to
db_file_path=D:\GlassWireDB

(by the way - I notice I have space either side of the = sign but the examples using db_file_path don’t. Does that matter?)

Or do I need to move it back to the default location until the bug is fixed? Or is it safest to just do a clean install?

Thanks

Chris

Ken_GlassWire · July 20, 2020, 6:28pm

If you move the database back to its previous location and reboot the issue should go away.

I am not sure about changing the .conf file. I have been told the fix for this requires a complete database conversion of some sort, so I don’t think it will make any difference. It couldn’t hurt to try the changes you suggest temporarily though I think just to see?

I’d keep the spacing the same as your database currently shows.

CTaylor · July 20, 2020, 8:23pm

Hi Ken

I decided to go with the nuclear option - uninstall, reboot, clean install. So far, so good. I will leave the database on my SSD in the default location.

I noticed a couple of odd things;

The glasswire.conf file now requires admin rights to access. I don’t believe that was the case before.

In the GlassWire.conf file, the paths use a mix of forward and backward slashes, as in
DbStorageDirectory = C:\ProgramData/glasswire/service

Is that right?

Before I had all backslashes, as in;
db_file_path=D:\GlassWireDB\glasswire.db

So I am having to deal with the huge number of pop-ups I get from “Click to connect”, but I can live with that. I am looking forward to when programs signed with specific certificates can be allowed automagically.

Thanks again for your help. I was really baffled by what was happening. I am glad it wasn’t my fault. ha ha ha

Chris

Ken_GlassWire · July 20, 2020, 9:00pm

@CTaylor

Yes, we changed the .conf file so it requires admin access for security reasons. I believe it was related to a HackerOne report.

I will ask about the mix of slashes and let you know what I find out.

Sorry you have to reset “Ask to connect”. Our next update will show publishers on the graph only at first but we’ll add them to the firewall later as an option.

Ken_GlassWire · July 21, 2020, 6:27pm

@CTaylor

The reason for the forward/back slashes is that we receive the part of the path from Windows and the other part is added by GlassWire. But it doesn’t matter. Both variants should work fine.

CTaylor · July 22, 2020, 11:08am

Thanks for all your info Ken.

Going forward, I would like to suggest a means be added to the UI that would allow people to choose a new location for the GW database and have the program take care of moving files, etc.

Also, having in the “Clear history” section of the UI an indicator of the current size of the database and how much could be save by removing older stuff.

Something like “Remove history older than 180 days, save approx. 300MB, remove history older than 90 days, save approx 100MB”

Cheers, Chris

Ken_GlassWire · July 22, 2020, 1:28pm

@CTaylor

Yes, we are actively discussing a simple import/export feature.

Having a size component of the “clear history” feature is also a great idea. I haven’t thought of that.

CTaylor · September 10, 2020, 11:30am

Hi Ken. This problem has reared its ugly head again. Running GlassWire 2.2.241. Yesterday, I got the “2020-09 Cumulative Update for Windows 10 Version 2004 for x64-based Systems (KB571756)” in case that makes a difference. I also got KB4576478 (update for .NET) in case either of those matter.

GlassWire set to Firewall on, and “Ask to connect” selected. When I installed last time (to solve the problem above), I accepted the defaults but told GlassWire to do a clean install (or whatever it is called). I didn’t move the GlassWire Database.

This morning, after logging on, the Windows wired Internet connection was showing in the system tray as no Internet access (globe with line through it). I rebooted and same. I tried loading a browser and my email client and neither could access the network. I went into GlassWire. Neither my browser nor the mail client (Thunderbird) were shown on the Firewall tab as being blocked.

I toggled the Firewall off in GlassWire. Within a minute, the Windows system tray network icon was showing access to the Internet and everything was able to connect - browser, Thunderbird, etc. I think access by programs was instantaneous - just the tray icon takes some time.

Now something even stranger. If I toggle the GlassWire firewall setting to on, the browser continues to access the Internet fine. I tried a Google search and selected a brand new site I had never visited, so there was no caching involved. BUT - Thunderbird is no longer able to access the Internet. If I load an email with links to graphics on an external server, it can’t load them. If I try to get new mail, I get an error saying “Failed to connect to server imap.gmail.com”. If I toggle the firewall off in GlassWire, Thunderbird starts working fine again. Thunderbird is NOT showing as blocked in GlassWire.

Before I try the nuclear option and reinstall GlassWire cleanly, I thought I would give you the opportunity to troubleshoot the problem. I am happy to have you remote to my machine if that would help. I am happy to send any log info or try any settings.

Otherwise, I will do a clean install of GlassWire

Cheers, Chris

Ken_GlassWire · September 10, 2020, 12:05pm

@CTaylor

A complete clean reinstall should not be required to fix this. I think you could just reboot, then reinstall and check the “reset firewall” option and it should solve it.

If you’d like to recreate the issue then send us logs it would be appreciated it.
https://www.glasswire.com/contact/

Install the latest GlassWire version (you’ve already done this).
Stop the GlassWire service at the Services tab of the Task Manager.
Open C:\ProgramData\GlassWire\service\glasswire.conf as Administrator.
You should not add anything to that file, just change a single parameter: LogEnabled = true
Then you should save the file and restart the GlassWire service.
The log will appear immediately after the service startup.

Then you should repeat the problem and send us the logs.

CTaylor · September 10, 2020, 1:05pm

Sigh…

I did the steps

Stop the GlassWire service at the Services tab of the Task Manager.
Open C:\ProgramData\GlassWire\service\glasswire.conf as Administrator.
You should not add anything to that file, just change a single parameter: LogEnabled = true
Then you should save the file and restart the GlassWire service.

And the problem did not occur. I could access the network with Chrome and Thunderbird even with Glasswire on (on the Firewall tab in GlassWire) and “Ask to connect” enabled.

So I am guessing that stopping and starting the GlassWire service fixed things, at least for now.

Can you tell me where the log files in question are? Is it C:\ProgramData\GlassWire\service\log\20200910.log? I am thinking, if they don’t get too big, I could leave logging on for a while and if the problem occurs again, I could stop the service and send you the logs then. But I wouldn’t want the logs to be too huge.

Would it make sense to leave logging on and periodically - maybe once a week? month? - zip up the log files and store them elsewhere and then delete them? If the above is the log file in question, I presume a new one is created each day? I could then just zip them from previous days and remove them from the current location.

Another thing that seems very strange - I was getting a lot of requests to connect for programs I had previously allowed. I thought this might stem from the Windows Update yesterday. However, I tried some programs from 3rd parties such as Firefox and Opera. These should not have changed, I had previously allowed them in GlassWire, yet just now, when I load them, I get the GlassWire “ask to connect” pop-ups. I allow and then the program is fine. I wonder why I am getting these pop-ups asking to connect for programs I allowed in the past.

Anyhow, other than having (seemingly) all programs again causing “ask to connect” popups, for now things seem to be working fine.

And it seems like some programs cause this “Ask to connect” again if the GlassWire service is stopped and started. But not all and not all the time. I just rebooted and Opera loaded fine with no pop-ups as did Thunderbird. But I got other “Ask to connect” pop-ups like the Windows Store app, Cortana, Runtime Broker, CCleaner, etc.

Here are the lines in C:\ProgramData\GlassWire\service\log\20200910.log since the reboot;

0.08:55:11 [EVENT] System Service (ver. 2.2.241) initialization.
1.08:55:11 [EVENT] Configuration file loaded: C:\ProgramData/glasswire/service/glasswire.conf
2.08:55:11 [EVENT] Debug log enabled: true
3.08:55:11 [EVENT] Debug log directory: C:\ProgramData/glasswire/service/log
4.08:55:11 [HINT] glasswire::win::WlanInterfacesMonitorWin::GetInterfaceInfoNoLock:408: QueryInterfaceInfo() returns error: 5023
5.08:55:11 [EVENT] License file is OK: C:\ProgramData/glasswire/service/license.dat
6.08:55:11 [EVENT] Alert handler successfully started. Hid: 1
7.08:55:11 [EVENT] Alert handler successfully started. Hid: 2
8.08:55:11 [HINT] Alert handler disabled. Hid: 4
9.08:55:11 [EVENT] Alert handler successfully started. Hid: 5
10.08:55:11 [HINT] Alert handler disabled. Hid: 6
11.08:55:11 [HINT] Alert handler disabled. Hid: 7
12.08:55:11 [HINT] Alert handler disabled. Hid: 8
13.08:55:11 [HINT] Alert handler disabled. Hid: 9
14.08:55:11 [HINT] Alert handler disabled. Hid: 10
15.08:55:11 [HINT] Alert handler disabled. Hid: 11
16.08:55:11 [EVENT] Alert handler successfully started. Hid: 12
17.08:55:11 [HINT] Alert handler disabled. Hid: 13
18.08:55:11 [HINT] Alert handler disabled. Hid: 15
19.08:55:11 [HINT] Alert handler disabled. Hid: 16
20.08:55:11 [EVENT] Alert handler successfully started. Hid: 17
21.08:55:11 [HINT] Alert handler disabled. Hid: 18
22.08:55:11 [EVENT] Alert handler successfully started. Hid: 100
23.08:55:11 [EVENT] Listener started. Sid: 1. Name: Local Listener. Bound: 127.0.0.1:20000
24.08:55:11 [EVENT] Listener started. Sid: 2. Name: Public Listener. Bound: 0.0.0.0:7010
25.08:55:11 [EVENT] System service startup succeeded.
26.08:55:11 [HINT] Firewall state change: 0->1
27.08:55:12 [EVENT] Client session connected. Sid: 3, type: 3, protocol: 3, os: 1, version: 2.2.241.0, bound: 127.0.0.1:20000, remote: 127.0.0.1:49684, region: ‘’
28.08:55:39 [EVENT] Client session connected. Sid: 4, type: 2, protocol: 3, os: 1, version: 2.2.241.0, bound: 127.0.0.1:20000, remote: 127.0.0.1:50973, region: ‘’

Thanks

Chris

Ken_GlassWire · September 10, 2020, 5:50pm

@CTaylor

Sorry for the headache. I have shared these details with our team.

Yes, the logs should be in the location you listed and they shouldn’t take up much space if you want to leave them running there. The logs just stay on your hard drive and we cannot access them unless you send them to us via email or some other way.

If you continue to have problems it probably can’t hurt to keep the logs going.

For the problem you’re experiencing the most common cause is some other software also using the Windows Firewall API simultaneously with ours, but that’s not always the problem.

CTaylor · September 10, 2020, 7:32pm

Thanks. I continue to have pop-ups for “Ask to connect” for programs I long ago allowed. Currently, I have nothing that I have blocked listed on the Firewall tab. I have close to 300 total entries on “Active apps” and “Inactive apps” (on the Firewall tab) with many duplicate entries such as two lines for “Foxit Reader 10.0”. In fact, when I sort by name, it looks like most are listed twice. “Opera Internet Browser” is listed 5 times.

I expect the pop-ups for “Ask to connect” will diminish over time and I will continue to monitor. I will leave logging on and if I have the problem re-occur where I find things being blocked, I will post again here.

Thanks