How to Log Blocked Connections in Windows Firewall in Batch Script
A "Silent Block" is the hardest networking problem to troubleshoot. If your firewall is dropping packets from a specific application or IP address but not telling you, you'll feel like you're fighting a "Ghost" in the machine. To solve this, you need to "Turn on the Lights" by enabling Firewall Logging. By instructing the Windows Firewall to record every "Dropped" packet into a text file, you gain a forensic record of exactly who is trying to connect to you and what your machine is rejecting. A Batch script can use netsh advfirewall to enable these logs and even point them to a specific folder for easy analysis.
This guide will explain how to activate and manage firewall logs.
Method 1: Enabling the "Dropped Packets" Log
The firewall can log "Dropped Packets" (blocked items) and "Successful Connections." For security auditing, the "Dropped" log is the most valuable.
@echo off
set "LogPath=C:\Logs\firewall_drops.log"
set "LogDir=C:\Logs"
set "SetupFailed=0"
echo [ACTION] Configuring Firewall Logging...
:: 1. Ensure the log directory exists
if not exist "%LogDir%" mkdir "%LogDir%"
:: 2. Set the log location
netsh advfirewall set allprofiles logging filename "%LogPath%"
if %errorlevel% neq 0 set "SetupFailed=1"
:: 3. Enable 'dropped packets' logging on all profiles
netsh advfirewall set allprofiles logging droppedconnections enable
if %errorlevel% neq 0 set "SetupFailed=1"
if "%SetupFailed%"=="0" (
    echo [SUCCESS] Logging enabled.
    echo Log File Location: %LogPath%
    echo.
    echo [INFO] Run a connection test, then check the file to see blocks.
) else (
    echo [ERROR] Failed to enable logging. Ensure you are running as ADMIN.
)
pause
Administrative Rights. Enabling security logging is a system-level audit task. You MUST run your script as an Administrator.
Method 2: Disabling the Log (Stop Resource Usage)
Firewall logs can grow very large very quickly on a busy network. Turn it off when you're done troubleshooting.
@echo off
echo [ACTION] Stopping firewall logging...
netsh advfirewall set allprofiles logging droppedconnections disable
if %errorlevel% equ 0 (
    echo [OK] Logging deactivated.
) else (
    echo [ERROR] Failed to disable logging. Ensure you are running as ADMIN.
)
pause
Method 3: Parsing the Log for Blocked IPs
Once the log is running, you can use findstr in your script to see which external IP addresses are being blocked.
@echo off
set "SourceLog=C:\Logs\firewall_drops.log"
if not exist "%SourceLog%" (
    echo [ERROR] Log file not found: %SourceLog%
    echo Enable logging first using the setup script.
    pause
    exit /b 1
)
echo [ANALYSIS] Blocked connections from outside the local network...
echo.
:: Log rows are space-separated: date time action protocol src-ip dst-ip ...
:: Keep DROP lines whose source address (field 5) is not an RFC 1918 address.
:: Matching the private prefixes against the whole line would also discard
:: every inbound drop, because the local dst-ip on a home/office network is private too.
set "F4=^[^ ]* [^ ]* [^ ]* [^ ]* "
findstr /c:" DROP " "%SourceLog%" | findstr /r /v /c:"%F4%10\." /c:"%F4%192\.168\." /c:"%F4%172\.1[6-9]\." /c:"%F4%172\.2[0-9]\." /c:"%F4%172\.3[01]\."
echo.
pause
How to Avoid Common Errors
Wrong Way: Leaving the log on forever
If your firewall is under a "DDoS" or heavy port scan, the log file can grow to several Gigabytes in a single day, potentially filling your hard drive.
Correct Way: Use Method 1 to enable the log during troubleshooting, and Method 2 to disable it once you've identified the faulty rule or malicious IP.
Problem: Permissions on the Log Folder
The Windows Firewall service runs under a specific system account. If you try to save the log in your "Desktop" or "Documents" folder, it might fail because the system service doesn't have permission to write there.
Solution: Use a root-level folder (like C:\Logs) and ensure the "SYSTEM" account has full control over it.
Best Practices and Rules
1. Max File Size
Always set a maximum file size so the log doesn't crash your system. The value is given in KB; the default is usually 4MB (4096 KB).
netsh advfirewall set allprofiles logging maxfilesize 8192
2. Monitor "Successful" Connections
Only log successful connections (netsh advfirewall set allprofiles logging allowedconnections enable) if you are troubleshooting an "Exfiltration" issue. Otherwise, it creates too much noise to be useful.
3. Log Header Review
The top of the log file contains a "#Fields:" line with the column headers (e.g., date time action protocol src-ip dst-ip). Review it carefully to understand which position in each row corresponds to the "Remote IP": for a blocked inbound packet (path RECEIVE) that is src-ip, while for a blocked outbound packet (path SEND) it is dst-ip.
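The following PowerShell script is an added example, not part of the original page, that combines Method 3 and the header-review rule above: it reads the column names from the "#Fields:" line rather than hard-coding positions, keeps only inbound DROP entries whose source is not a private or loopback address, and reports the top remote IPs with the ports they hit. The log path is the one set by the Method 1 script; the sample log lines are constructed for the demonstration and are used only when that file does not exist.

```powershell
# Added example (not from the original page): summarise blocked inbound connections
# in the netsh firewall log by remote source IP.
function Get-BlockedRemoteSummary {
    param([string[]]$Lines, [int]$Top = 10)
    # Map column names from the '#Fields:' header instead of hard-coding positions.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw "No '#Fields:' header found; is dropped-packet logging enabled?" }
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $rows = foreach ($line in $Lines) {
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -lt $fields.Count) { continue }   # skip a partially written last line
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $cols[$i] }
        [pscustomobject]$obj
    }
    # For an inbound drop (path RECEIVE) the remote peer is src-ip; skip RFC 1918 and loopback.
    $private = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
    $rows |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' -and $_.'src-ip' -notmatch $private } |
        Group-Object 'src-ip' | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                RemoteIP = $_.Name
                Drops    = $_.Count
                DstPorts = (($_.Group.'dst-port' | Sort-Object -Unique) -join ',')
            }
        }
}

# Constructed sample lines in the netsh log format (not real traffic), used if the log is absent.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 203.0.113.7 192.168.1.20 51000 3389 52 S 1 0 64240 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.7 192.168.1.20 51001 445 52 S 1 0 64240 - - - RECEIVE
2024-05-01 10:00:03 DROP TCP 198.51.100.9 192.168.1.20 40000 22 52 S 1 0 64240 - - - RECEIVE
2024-05-01 10:00:04 DROP UDP 192.168.1.30 192.168.1.20 137 137 78 - - - - - - - RECEIVE
2024-05-01 10:00:05 ALLOW TCP 192.168.1.20 203.0.113.7 52000 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

$LogPath = 'C:\Logs\firewall_drops.log'   # the path set by the Method 1 script
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Get-BlockedRemoteSummary -Lines $lines | Format-Table -AutoSize
```

On the sample data this lists 203.0.113.7 with 2 drops on ports 3389,445 and 198.51.100.9 with 1 drop on port 22; the local NetBIOS drop and the ALLOW entry are filtered out.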
Conclusions
Enabling firewall logging transforms your security posture from a "Black Box" into a high-visibility audit trail. By moving from mystery connection drops to detailed forensic logs, you gain the data needed to solve complex networking issues and defend against active threats. This professional level of visibility is essential for anyone managing servers, VPNs, or secure workstations in a dynamic network environment.