@JustinChristensen
Last active January 25, 2022 05:03
firewall security policy - apply local firewall rules
########################### allowed dhcp ###########################
- other settings set to: no
- apply local firewall rules: yes
- hns rules not added
2022-01-23 21:23:01 ALLOW UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - RECEIVE
2022-01-23 21:23:01 ALLOW UDP 172.31.128.1 172.31.142.141 67 68 0 - - - - - - - SEND
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:23:01 PM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 78480
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:23:01 PM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 172.31.128.1
Source Port: 67
Destination Address: 172.31.142.141
Destination Port: 68
Protocol: 17
Filter Information:
Filter Run-Time ID: 79732
Layer Name: Connect
Layer Run-Time ID: 48
<item>
<filterKey>{df2cb33f-78ba-4500-94c9-7765b010b810}</filterKey>
<displayData>
<name>Interface Un-quarantine filter</name>
<description/>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>0</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>10000005</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>78480</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>2251834173423632</uint64>
</effectiveWeight>
</item>
########################### blocked dhcp ###########################
- other settings set to: no
- apply local firewall rules: no
- hns rules not added
- guest could have previous dhcp lease, so release with ipconfig /release after setting apply local firewalls back to no, and then request a new one with ipconfig /renew
2022-01-23 21:13:47 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:13:47 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 78140
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:13:47 PM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 78140
Layer Name: Receive/Accept
Layer Run-Time ID: 44
<item>
<filterKey>{4ee27303-b593-402e-96da-f433c24dc6a1}</filterKey>
<displayData>
<name>Query User</name>
<description>Prompt the User for a decision corresponding this Inbound Traffic</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>7501000000000000</data>
<asString>u.......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>8</uint8>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>78140</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>9223372036854783488</uint64>
</effectiveWeight>
</item>
########################### allowed dns ###########################
- other settings set to: no
- apply local firewall rules: no
- hns rules added to inbound rules
2022-01-23 21:44:17 ALLOW UDP 172.31.142.141 172.31.128.1 52535 53 0 - - - - - - - RECEIVE
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:44:17 PM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 172.31.142.141
Source Port: 52535
Destination Address: 172.31.128.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 78480
Layer Name: Receive/Accept
Layer Run-Time ID: 44
<item>
<filterKey>{df2cb33f-78ba-4500-94c9-7765b010b810}</filterKey>
<displayData>
<name>Interface Un-quarantine filter</name>
<description/>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>0</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>10000005</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>78480</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>2251834173423632</uint64>
</effectiveWeight>
</item>
########################### blocked dns ###########################
- other settings set to: no
- apply local firewall rules: no
- hns rules not added
2022-01-23 21:38:10 DROP UDP 172.31.142.141 172.31.128.1 60920 53 77 - - - - - - - RECEIVE
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:38:10 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 172.31.142.141
Source Port: 60920
Destination Address: 172.31.128.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 80144
Layer Name: Receive/Accept
Layer Run-Time ID: 44
<item>
<filterKey>{7bf5e407-a954-467a-a440-675b30b73574}</filterKey>
<displayData>
<name>Query User</name>
<description>Prompt the User for a decision corresponding this Inbound Traffic</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>da02000000000000</data>
<asString>........</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>8</uint8>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>80144</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>9223372036854783488</uint64>
</effectiveWeight>
</item>
PS C:\Users\wroathe\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : marshes
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : -------
Ethernet adapter vEthernet (Default Switch):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-15-5D-11-84-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8c0b:4011:2059:c20a%18(Preferred)
IPv4 Address. . . . . . . . . . . : 172.31.128.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 301995357
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-7E-81-8B-00-0D-3A-98-98-2A
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
<netEvent>
<header>
<timeStamp>2022-01-25T03:55:11.510Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>17</ipProtocol>
<localAddrV4>255.255.255.255</localAddrV4>
<remoteAddrV4>0.0.0.0</remoteAddrV4>
<localPort>67</localPort>
<remotePort>68</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
</appId>
<userId>S-1-5-18</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
<classifyAllow>
<filterId>80466</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
</classifyAllow>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>80466</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
<item>
<filterId>88952</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>
<item>
<filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
<displayData>
<name>Interface Un-quarantine filter</name>
<description/>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>0</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>10000006</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>80466</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>2251834173423632</uint64>
</effectiveWeight>
</item>
<item>
<filterKey>{dda1d20d-cd2d-44ec-8dbf-868e73e21e59}</filterKey>
<displayData>
<name>Internet Connection Sharing (DHCP Server-In)</name>
<description>Inbound rule for Internet Connection Sharing to allow use of the IPv4 DHCP Server. [UDP 67]</description>
</displayData>
<flags numItems="1">
<item>FWPM_FILTER_FLAG_INDEXED</item>
</flags>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>2806000000000000</data>
<asString>(.......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>9</uint8>
</weight>
<filterCondition numItems="5">
<item>
<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_BYTE_BLOB_TYPE</type>
<byteBlob>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\device\harddiskvolume4\windows\system32\svchost.exe</asString>
</byteBlob>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
<sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-2009329905-444645132-2728249442-922493431-93864177)</sd>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT16</type>
<uint16>67</uint16>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT8</type>
<uint8>17</uint8>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>88952</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>10379531328327516160</uint64>
</effectiveWeight>
</item>
<netEvent>
<header>
<timeStamp>2022-01-25T04:50:48.866Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>17</ipProtocol>
<localAddrV4>255.255.255.255</localAddrV4>
<remoteAddrV4>0.0.0.0</remoteAddrV4>
<localPort>67</localPort>
<remotePort>68</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
</appId>
<userId>S-1-5-18</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>89392</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>80466</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
<item>
<filterId>89392</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>
<item>
<filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
<displayData>
<name>Interface Un-quarantine filter</name>
<description/>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>0</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>10000006</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>80466</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>2251834173423632</uint64>
</effectiveWeight>
</item>
<item>
<filterKey>{2475897d-8c6d-4f08-afb2-bea660c3e0a2}</filterKey>
<displayData>
<name>Query User</name>
<description>Prompt the User for a decision corresponding this Inbound Traffic</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>6606000000000000</data>
<asString>f.......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>8</uint8>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>89392</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>9223372036854783488</uint64>
</effectiveWeight>
</item>
Host:
Ethernet adapter vEthernet (Default Switch):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::128:dc49:cd08:2f95%23
IPv4 Address. . . . . . . . . . . : 172.23.32.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Guest:
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : mshome.net
Link-local IPv6 Address . . . . . : fe80::680d:c4ff:ce73:97%5
IPv4 Address. . . . . . . . . . . : 172.23.40.51
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.23.32.1
<netEvent>
<header>
<timeStamp>2022-01-25T04:19:11.485Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>17</ipProtocol>
<localAddrV4>172.23.32.1</localAddrV4>
<remoteAddrV4>172.23.40.51</remoteAddrV4>
<localPort>53</localPort>
<remotePort>65056</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
</appId>
<userId>S-1-5-18</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
<classifyAllow>
<filterId>80466</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
</classifyAllow>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>80466</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
<item>
<filterId>88857</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>
<item>
<filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
<displayData>
<name>Interface Un-quarantine filter</name>
<description/>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>0</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>10000006</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>80466</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>2251834173423632</uint64>
</effectiveWeight>
</item>
<item>
<filterKey>{fbb1ad8d-6fb5-4c00-8102-64e2929f2eb6}</filterKey>
<displayData>
<name>HNS Container Networking - DNS (UDP-In) - AE220698-065F-4093-9C58-31CEC2E384E6 - 0</name>
<description>HNS Container Networking - DNS (UDP-In) - AE220698-065F-4093-9C58-31CEC2E384E6 - 0</description>
</displayData>
<flags numItems="1">
<item>FWPM_FILTER_FLAG_INDEXED</item>
</flags>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>1206000000000000</data>
<asString>........</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>9</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT16</type>
<uint16>53</uint16>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT8</type>
<uint8>17</uint8>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>88857</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>10379530503693795328</uint64>
</effectiveWeight>
</item>
<netEvent>
<header>
<timeStamp>2022-01-25T04:52:12.176Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>17</ipProtocol>
<localAddrV4>172.23.32.1</localAddrV4>
<remoteAddrV4>172.23.40.51</remoteAddrV4>
<localPort>53</localPort>
<remotePort>49509</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
</appId>
<userId>S-1-5-18</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>89392</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="2">
<item>
<filterId>80466</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
<item>
<filterId>89392</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</netEvent>
<item>
<filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
<displayData>
<name>Interface Un-quarantine filter</name>
<description/>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>0</uint8>
</weight>
<filterCondition numItems="3">
<item>
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>10000006</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>1689399683186688</uint64>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>80466</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>2251834173423632</uint64>
</effectiveWeight>
</item>
<item>
<filterKey>{2475897d-8c6d-4f08-afb2-bea660c3e0a2}</filterKey>
<displayData>
<name>Query User</name>
<description>Prompt the User for a decision corresponding this Inbound Traffic</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>6606000000000000</data>
<asString>f.......</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>8</uint8>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>1</uint32>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>89392</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>9223372036854783488</uint64>
</effectiveWeight>
</item>
- Firewall log: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
- Events from Filtering audit events in Event Viewer
- Filters from wfp show state
- See: https://gist.github.com/JustinChristensen/bb6d15cee90da4e38db9f73161152308
- in the "public" connection profile in the Local Security Policy
  - other settings besides "apply local firewall rules" set to no
  - Core Networking rules and Remote Desktop rules added to the policy and enabled
- when apply local firewall rules is set to yes
  - dhcp allowed
  - dns allowed
- when apply local firewall rules is set to no
  - when the machine does not yet have a dhcp lease, and no HNS (Host Networking Service) rules added to policy:
    - dhcp denied
    - dns denied
    - I haven't been able to determine which firewall rules govern DHCP, but DNS is governed by the HNS rules
  - when the HNS rules have been added to the policy
    - dns allowed
    - dhcp calls not made when it has a lease (obviously), but if released with ipconfig /release, and then renewed with ipconfig /renew, dhcp is denied
TODO:
* HNS rules appear to be dynamic and contain varying fields, and so adding static rules to the policy won't be effective
  - need a way to allow the HNS to apply local firewall rules
* I haven't been able to figure out yet which of the local firewall rules govern allowing inbound DHCP broadcasts
Capture Net Events and Filters:
netsh wfp capture start keywords=19
netsh wfp capture stop
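Added example (mine, not part of the gist): a PowerShell script that joins the three sources listed above. It resolves the "Filter Run-Time ID" carried by the 5156/5157/5152 audit events, and the filter ids in the wfpdiag netEvents, to the WFP filter (name, sublayer, weight, action) that produced the verdict, using the XML that `netsh wfp show state` writes (wfpstate.xml) and the wfpdiag.xml inside the wfpdiag.cab that `netsh wfp capture` produces. The function and parameter names are mine; the filter ids, names and flows are copied from the dumps above; the XML fragments are constructed, trimmed samples so the script runs offline. The only structural assumption is the one the gist's own paste supports: every filter is an `<item>` element carrying a `<filterKey>` and a `<filterId>`, and every net event is a `<netEvent>` element with `internalFields/terminatingFiltersInfo`.

```powershell
# Added example, not from the gist: map Filter Run-Time IDs back to the WFP filter that
# terminated classification. Sample XML below is constructed from the gist's dumps.
param([string]$StatePath, [string]$DiagPath)   # pass real wfpstate.xml / wfpdiag.xml to analyse a live host
Set-StrictMode -Version Latest

function Get-Text([System.Xml.XmlNode]$Node, [string]$XPath) {
    $n = $Node.SelectSingleNode($XPath); if ($n) { $n.InnerText } else { $null }
}

# 1. filterId -> metadata. Every <item> carrying a <filterKey> is a filter, whatever the
#    surrounding nesting, so this works on wfpstate.xml, wfpdiag.xml or a pasted filter list.
function Get-WfpFilterTable([xml]$Xml) {
    $t = @{}
    foreach ($f in $Xml.SelectNodes('//item[filterKey]')) {
        $t[(Get-Text $f 'filterId')] = [pscustomobject]@{
            Name     = Get-Text $f 'displayData/name'
            SubLayer = Get-Text $f 'subLayerKey'
            Weight   = Get-Text $f 'weight/uint8'      # FWP_UINT8 weight within its sublayer
            Action   = (Get-Text $f 'action/type') -replace '^FWP_ACTION_', ''
        }
    }
    $t
}

# 2. One Security-log event (Get-WinEvent ... | ForEach-Object { $_.ToXml() }) -> its filter.
function Resolve-AuditEvent([xml]$EventXml, [hashtable]$Filters) {
    $ns = [System.Xml.XmlNamespaceManager]::new($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $d = @{}
    foreach ($x in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) { $d[$x.GetAttribute('Name')] = $x.InnerText }
    $id = $EventXml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
    $f  = $Filters[$d['FilterRTID']]
    [pscustomobject]@{
        EventId    = $id
        Verdict    = if ($id -eq '5156') { 'ALLOW' } else { 'DROP' }
        Flow       = '{0}:{1} -> {2}:{3} proto {4}' -f $d['SourceAddress'], $d['SourcePort'], $d['DestAddress'], $d['DestPort'], $d['Protocol']
        FilterRTID = $d['FilterRTID']
        # run-time ids are reassigned whenever policy is re-applied, so a stale state dump will not resolve
        Filter     = if ($f) { '{0} (weight {1}, {2})' -f $f.Name, $f.Weight, $f.Action } else { '(not in this state dump)' }
    }
}

# 3. Every netEvent in wfpdiag.xml -> one row per sublayer from terminatingFiltersInfo.
#    Sublayers are evaluated independently; the last row's action is the final verdict.
function Get-TerminatingChain([xml]$Diag, [hashtable]$Filters) {
    foreach ($ev in $Diag.SelectNodes('//netEvent')) {
        $flow = '{0}:{1} <- {2}:{3}' -f (Get-Text $ev 'header/localAddrV4'), (Get-Text $ev 'header/localPort'), (Get-Text $ev 'header/remoteAddrV4'), (Get-Text $ev 'header/remotePort')
        foreach ($t in $ev.SelectNodes('internalFields/terminatingFiltersInfo/item')) {
            $fid = Get-Text $t 'filterId'; $f = $Filters[$fid]
            [pscustomobject]@{
                Event    = (Get-Text $ev 'type') -replace '^FWPM_NET_EVENT_TYPE_CLASSIFY_', ''
                Flow     = $flow
                SubLayer = (Get-Text $t 'subLayer') -replace '^FWPP_SUBLAYER_INTERNAL_FIREWALL_', ''
                FilterId = $fid
                Action   = (Get-Text $t 'actionType') -replace '^FWP_ACTION_', ''
                Name     = if ($f) { $f.Name } else { '(unknown)' }
            }
        }
    }
}

# --- constructed samples: ids/names from the gist, XML trimmed to the fields used above ---
$SampleState = @'
<wfpstate><layers><item><filters>
<item><filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey><displayData><name>Interface Un-quarantine filter</name></displayData><subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey><weight><uint8>0</uint8></weight><action><type>FWP_ACTION_PERMIT</type></action><filterId>80466</filterId></item>
<item><filterKey>{2475897d-8c6d-4f08-afb2-bea660c3e0a2}</filterKey><displayData><name>Query User</name></displayData><subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey><weight><uint8>8</uint8></weight><action><type>FWP_ACTION_BLOCK</type></action><filterId>89392</filterId></item>
<item><filterKey>{dda1d20d-cd2d-44ec-8dbf-868e73e21e59}</filterKey><displayData><name>Internet Connection Sharing (DHCP Server-In)</name></displayData><subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey><weight><uint8>9</uint8></weight><action><type>FWP_ACTION_PERMIT</type></action><filterId>88952</filterId></item>
</filters></item></layers></wfpstate>
'@
$SampleDiag = @'
<wfpdiag><netEvent><header><localAddrV4>255.255.255.255</localAddrV4><remoteAddrV4>0.0.0.0</remoteAddrV4><localPort>67</localPort><remotePort>68</remotePort></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type><internalFields><terminatingFiltersInfo numItems="2">
<item><filterId>80466</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
<item><filterId>88952</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
</terminatingFiltersInfo></internalFields></netEvent>
<netEvent><header><localAddrV4>255.255.255.255</localAddrV4><remoteAddrV4>0.0.0.0</remoteAddrV4><localPort>67</localPort><remotePort>68</remotePort></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><internalFields><terminatingFiltersInfo numItems="2">
<item><filterId>80466</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
<item><filterId>89392</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer><actionType>FWP_ACTION_BLOCK</actionType></item>
</terminatingFiltersInfo></internalFields></netEvent></wfpdiag>
'@
# a constructed 5157 in Get-WinEvent ToXml() shape, pointing at the "Query User" filter above
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5157</EventID></System>
<EventData><Data Name="Application">\device\harddiskvolume4\windows\system32\svchost.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data><Data Name="SourcePort">68</Data><Data Name="DestAddress">255.255.255.255</Data>
<Data Name="DestPort">67</Data><Data Name="Protocol">17</Data><Data Name="FilterRTID">89392</Data><Data Name="LayerRTID">44</Data></EventData></Event>
'@

$stateXml = if ($StatePath) { Get-Content -Raw $StatePath } else { $SampleState }
$diagXml  = if ($DiagPath)  { Get-Content -Raw $DiagPath }  else { $SampleDiag }
$filters  = Get-WfpFilterTable ([xml]$stateXml)

'== Security log event -> terminating filter =='
Resolve-AuditEvent ([xml]$SampleEvent) $filters | Format-List
# live: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157, 5152 } -MaxEvents 20 |
#       ForEach-Object { Resolve-AuditEvent ([xml]$_.ToXml()) $filters }
'== wfpdiag netEvents -> per-sublayer terminating filters =='
Get-TerminatingChain ([xml]$diagXml) $filters | Format-Table -AutoSize
```

Run it with no arguments to see the sample output; on a live host dump state with `netsh wfp show state` (writes wfpstate.xml in the current directory), stop the capture, extract the XML with `expand wfpdiag.cab -F:wfpdiag.xml .`, and pass both paths. Two things the output makes visible that the raw dumps hide: the quarantine sublayer always permits once the interface is un-quarantined, so the decision is made entirely by the WF sublayer, where the "Query User" block (weight 8) only wins when no higher-weight permit such as "Internet Connection Sharing (DHCP Server-In)" (weight 9) or the HNS DNS rule is present, which is exactly the difference between the allowed and blocked captures above; and filter run-time ids are not stable (the same "Query User" filter is 78140 in the event-log section and 89392 in the capture section), so resolve events only against a state dump taken from the same policy generation.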
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
WindowsCurrentVersion : 6.3
WindowsEditionId : Professional
WindowsInstallationType : Client
WindowsInstallDateFromRegistry : 1/23/2022 3:20:24 AM
WindowsProductId : 00331-10000-00001-AA265
WindowsProductName : Windows 10 Pro
WindowsRegisteredOrganization :
WindowsRegisteredOwner :
WindowsSystemRoot : C:\Windows
WindowsVersion : 2009