Comodo Firewall does not intercept Windows 10 auto-activation phone home

How can Windows 10 send information out of our systems and not be intercepted by the latest version of Comodo Firewall?

Slui.exe used to be the Windows activation file. Comodo intercepted it on Windows 8, and we could block it and therefore block Windows activation. We would do this so we could choose WHEN to activate Windows.

I started a thread asking how to block Windows 10 auto activation and was finally told that it cannot be done by a Microsoft forums moderator.

People have A LOT of incorrect assumptions about this. Many

  1. Do not know that once you activate Windows 10, your machine ID is stored in the cloud and thereafter even if you FORMAT and FRESH install on a blank partition, the moment Windows 10 fresh installation gets connected to the internet it activates Windows 10 based on your previous activation which is permanently assigned to your machine. This happens without you entering ANY keys or ANY email addresses in Windows 10.

  2. Do not know that previous methods to turn off Windows auto-activation do not apply to Windows 10, only previous versions of Windows. Articles on the internet that claim this can be done on Windows 10 are not correct.

  3. Offer workarounds such as Sysprep, Audit mode and other complicated methods to delay Windows activation. That is not the question however.

The question is why and how is Comodo Firewall not intercepting Windows 10 phoning home? If it intercepted Windows 10, then we could activate Windows 10 WHEN we wanted (a few days after setting everything up and making an image so that the image does NOT contain activated Windows 10, for example.)

This question is not about messing with Windows activation but simply about allowing us to activate Windows 10 WHEN we want.
This is not a thread about merits of the Windows 10 operating system and what people think of it, please no rants about that, I am just trying to find out why Comodo Firewall does not intercept all information being sent out of our systems on Windows 10?

Comodo should intercept ALL information being sent out and let us choose whether to (permanently) allow it or not.
If there is a setting that needs to be adjusted for that to happen, can you post what that setting is?

You may have a global rule that allows outgoing traffic, the firewall could be in Safe Mode, the executable in question could be in one of the default firewall application rules that gives it outgoing access… Those are the three obvious questions that come to mind. Don’t know how the activation in Windows 10 works, as in what executable does it, so I can’t say for sure.

If you make an application rule for slui.exe Comodo should be able to intercept it. With default it will allow all trusted applications, like digitally signed Windows system files, to connect to the web.

That’s how the firewall works by default. That Global Rule allows outgoing traffic in general. Outgoing traffic is handled by application rules. The firewall is not designed to handle application specific rules in Global Rules.

the firewall could be in Safe Mode, the executable in question could be in one of the default firewall application rules that gives it outgoing access… Those are the three obvious questions that come to mind. Don’t know how the activation in Windows 10 works, as in what executable does it, so I can’t say for sure.
All privacy related settings minus one can be disabled in Windows 10 its self. I have seen one article where somebody really had to go beyound the surface to hunt down a privacy setting.

I have an unactivated image and can test anything you suggest. In my first test I completely uninstalled Comodo Firewall, rebooted.
I then installed Comodo Firewall and did not touch any settings, rebooted when prompted.

Now I connected to internet and did NOT allow anything that came up to connect to the internet.
Within seconds Windows 10 was activated.

I am standing by to reimage and modify this test per your instructions.
I have already tried blocking ALL instances of slui.
SLUI.EXE is not therefore (the only thing) used to activate Windows 10 because it activated AFTER I blocked it, this was done before I even posted here.

Did I address Sanya IV Litvyak’s suggestions by reinstalling Comodo Firewall from scratch and not touching any options?
I have disabled all privacy settings on Windows 10 that I could find, I am proficient in Windows Operating System settings.

I am standing by to repeat the test and with your help, figure out how Windows 10 sends data in and out of our systems without being intercepted by Comodo Firewall’s default settings.

With the default settings CIS will allow trusted applications, including Windows system files, to connect to the web.

You either need to set the firewall to Custom Policy Mode or make an application rule for slui.exe. Give it the Blocked Application policy. Of course you need to make sure to not connect to the internet before you do all of this.

All right. Before I test again. Would you please give me explicit instructions in how to catch which executable auto-activates Windows 10 because it is NOT slui.exe. I had already blocked ALL instances of slui.exe and it still activated.

I have an image of unactivated Windows 10, what do I change specifically in the latest build of version 8 of Comodo Firewall to catch the file which auto-activates Windows 10?

If it is not a driver you should be able to catch it by setting the Firewall to Custom Ruleset in Firewall Settings and set the Alert Frequency to It will alert for all network activity to very high.

However. You need to be more than vigilant with svchost.exe. It facilitates services for many Windows system and regular applications. You need to enable HIPS as well. In the process which is tricky it may slip through when taking a wrong decision. I would say a search online using a search engine might yield quicker results. :-\

Edit: fixed link

All information about this on the internet so far is incorrect because people think this is the same as Windows 8 and it is not. I have a thread on this on Microsoft Forums and Microsoft Windows developers posted that this is by design.

If you can post anything else to help me catch the executables which auto-activate Windows 10, please do, otherwise I will do the best I can to see if I can figure out which executable auto activates Windows 10. Blocking slui.exe does not stop Windows 10 activation.

You guys told me to set “Firewall to Custom Ruleset in Firewall Settings” and “set the Alert Frequency to very high.”
I did that BEFORE connecting to the internet of course.

I did not let anything, ZERO things through, and Windows 10 still activated in matter of a nano second, it was a second or two at the most after connecting to the internet…

What else do you have? How can Windows 10 send and receive data with Alert Frequency set to very high?
Isn’t that the setting supposed to catch everything sending data in/out?

So what? What possible legal reason could you have for delaying Windows 10 activation?

I think it’s very well known that on activation Microsoft store your hardware id and Windows 10 activation on their servers, again so what? It’s also well known that if you reinstall Windows 10 on the same hardware it will activate as soon as possible, again so what?

Until your copy of Windows is activated you don’t have a legal license to use it, activation is what ties the copy of Windows you bought or upgraded to the one physical computer on which you are allowed to run it. The only exceptions to that are corporate volume licensing deals and (possibly) student discount deals. But even there I can think of no legal reason for wanting to delay activation.

Can you please explain the circumstances under which you would legally want to delay Windows activating (on any version)?

Yes of course I can. This thread only applies to legally activated Windows 10, sir.
If Windows 10 wasn’t activated, this problem would not exist, it only exists after Windows 10 is already legally activated and your system is permanently tied to that activation and thereafter the auto-activation kicks in on fresh installs.

So if I want to make an image to use on multiple computers, there are all sorts of long ways I can accomplish this on Windows 10 but I am looking for the short way just like in Windows 7 where I could have 120 days to do this, legally.

I am making a Windows 10 image in which I want to set every program up just the way I like it to be. Every font in every program and every setting in every program, not to mention Windows 10 itself, and then I want to use that same unactivated image on multiple computers with the similar hardware, each with its own key. I absolutely can do that legally and activate the unactivated image on each system. Windows 10 is FREE for Windows 7/8 users as well as Microsoft insiders. I am a Microsoft Insider and I also own the retail version of Windows 8 bought at Office Max - both of these entitle me to two separate free Windows 10 licenses.

There are workarounds for me to do this, I can go through the process of changing the keys on every computer, I can use sysprep, audit option. I can delay connecting the image to the internet. I can do this in multiple ways, but there are things I need to set up using the internet, and the moment I connect the computer to the internet, Windows 10 bypasses all Comodo Firewall restrictions somehow and activates itself.

This has nothing to do with messing with activation, if I did this on previous versions of Windows, I could just block slui.exe and mission accomplished. Blocking activation in no way messes with activation. Blocking activation is no different than not connecting to the internet. You can only delay activation for so long, but long enough to do exactly what I am doing, making a drive image of Windows 10.

People use computers in different ways, people set up computers in different ways, if nothing else, Windows 10 should not be able to send data in and out of our systems without being intercepted by Comodo Firewall… It is doing that even at Comodo Firewall Alert Frequency set to Very High. Something is very wrong with that…

Not really, if you change to Custom Ruleset and alert frequency to Very High you still have all preset rules which allows most if not all access to the internet.

Please remove all preset rules in applications, then you should be able to find which process does the activation.


Sorry that’s not what I meant, what I meant is that the things I mentioned could be set by default and those could be the cause of the issue, so you should try going into global rules and check if you have any “Allow All outgoing” or anything similar and remove those, then go to application rules and remove any premade rules for Windows executables etc, then go to Firewall settings and set Firewall to Custom Ruleset, Alert Frequency to Very High and if it’s enabled then disable “Do NOT show popup alerts”, also if you’ve got IPv6 enabled/set up then you may want to enable IPv6 filtering if it’s disabled.

I am willing to give this one more try. First of all I have an unactivated drive image which activates lightning fast after being connected to the internet. So let’s do this right. Let me make sure that I do this right per your instructions.

Let me completely remove Comodo Firewall and reboot. Let me then install Comodo Firewall from scratch with default settings.
This will make sure that nothing other than what you tell me to do is set up - so all doubt can be removed.

0. Uninstall Comodo Firewall > Reboot.

  1. Default fresh installation of Comodo Firewall > Reboot
  2. Firewall settings set Firewall to Custom Ruleset, Alert Frequency to Very High
  3. Connect to the internet.

I will wait for one of you to post that those three steps are enough to remove any doubt that Comodo Firewall is correctly set up to catch Windows 10 auto activation phone home executable.

And yes I will make sure that the following applies to default installation as well if it doesn’t already:
“Disable “Do NOT show popup alerts”, also if you’ve got IPv6 enabled/set up then you may want to enable IPv6 filtering if it’s disabled.”

Please post if this and doing nothing else is sufficient for this experiment.

Also for the sake of the experiment remove all global rules and application rules. (There are some preset at a default install)

When something runs as a driver it sits in the kernel together with Inspect driver has the same rights. Then CIS cannot filter it.

On a side note. That’s why installing a driver is, from a HIPS point of view, the most dangerous thing to allow to an unknown executable; it gives a program all the rights to be able to terminate all CIS processes without CIS being able to defend its self.

This will still not filter driver traffic.

On a side note:

With the point in bold. You apparently have never tested if removing the allow outgoing traffic rule in Global Rules yields more alerts than with the rule present. The Help file does not suggest this nor have others or I ever witnessed it. Your opinion goes against how the firewall is supposed to work: all outgoing traffic first goes through Application Rules before going through Global Rules. Hence why outgoing traffic gets filtered on a per application basis in Application Rules. Your opinion is likely to cause confusion with less experienced users. I suggest you test your opinion on your own system rather than use other member’s topics as experimentation ground.

That may be however you have failed to provide evidence that the windows activation takes place via driver and failed to explain how it works in Windows 10, which is what this topic is about really, the current experiment is if Comodo Firewall even CAN in ANY WAY stop the activation and hence the most logical thing would be to remove anything that may POTENTIALLY allow it through, if it still fails then it’d be logical to assume it takes place via drivers but so far you seem to be suggesting that it’s no use trying because we somehow just knows it uses drivers, but from where do we know that? I’ve seen no evidence of it.

Why have a global rule that says “Allow all outgoing” when the aim of the experiment is to test whether the firewall is even capable of blocking the activation? In fact why even have any allow rules whatsoever for the purpose of this experiment? Can you explain to me why that would be wanted? Why would we want to have any allow rules when the purpose is to block?
Furthermore if your statement is true then why would the “Allow all outgoing” global rule ever be needed? What is its purpose if it’s never relevant? Yes Application Rules have a higher priority when it comes to outgoing traffic, but when there is no application rule for the application in question? What then?

I’d also like to point out that I am particular with the words I use and I never used any definitive words regarding the global outgoing rule, I used words like “may”, besides in the later part in bold which you so happily pointed out I even said to remove all global rules and all application rules, not any specific rules, this is to remove the risk of the Firewall in any way allowing the traffic by default.

And could you please explain my opinion as I don’t recall ever giving any such opinion that you seem to claim I have? The opinion I have is that keeping those rules doesn’t help in the test.

I will be doing my own testing regarding outgoing global rule (but it won’t be in regards to windows activation) for the sake of testing it even though I’ve made no definitive statement about it.
Edit: You’re right, having firewall set to Custom ruleset and removing all application rules and then setting global rules to allow all outgoing traffic still blocks everything, in which case I’d like to ask why the rule is even there by default in Internet Security Config? What purpose does it serve? Off-topic so you can answer via PM.

I have implemented your instructions and they were successful in blocking Windows 10 auto-activation.

Because auto-activation kicks in almost immediately after connecting the internet the two things that appear are numerous svchost.exe intercepts and a System intercept.

This is easy to experiment on if you have an activated Windows 10.
Formatting then quick reinstalling Windows 10 without internet then making an image before connecting to the internet easily allows you to narrow down the possible culprits.

I can test further if you tell me how. Based on what I posted, would you guess that one of the svchost.exe intercepts is the possible culprit?

Would rebooting then allowing one by one svchost.exe intercept then checking activation status be your recommendation? I mean there are not that many things that show up in the beginning and auto-activation is one of the first things out of the gate.

First of all I’d suggest setting up rules to allow DNS request and access to your router, right now it may just have been blocked because you don’t have access to your router or DNS lookups, so what we want to test now is to allow access from your router to your computer and from your computer to your router as well as outgoing DNS lookups.

So for svchost.exe and System I’d make the rules:

  • Allow IP Out From MAC Any to [Router IP] (for example if that is your routers IP) Where Protocol Is Any
  • Allow IP In From [Router IP] to MAC Any Where Protocol Is Any
  • Allow TCP/UDP Out From MAC Any To MAC Any Where Source Port Is Any And Destination Port Is 53

And then try again, this should allow communication between your computer and the router in order to actually establish a connection and it would allow DNS lookup request, but it shouldn’t let Windows activate if it’s using a normal executable and NOT drivers. If it’s using drivers then at this point it should be able to activate.

First of all thank you for your advice. I would like to make sure I set up the next step exactly right before proceeding.

You have been using Comodo Firewall extensively and you know exactly where to click on to set this up but settings are not simple in Comodo Firewall. Would you be able to post exactly where to click and what to do in detail…

Is there only one instance of svchost.exe, is there one single svchost.exe file?

I actually have a lot of questions but I think it’s best if you simply post exactly what I should do and then after we find the culprit my questions will be irrelevant…

So if you would, could you post where in the program do I click on exactly to accomplish the three things you said…