How to remove the network application of Modern Application in Win8

        In Windows 8, we introduced the new WinRT platform to bring you Modern APPS with dynamic tile and immersive user experience. If you are a corporate user, have a company proxy server environment, or you are a developer, I believe you have found After the local connection replacement agent is connected, all Modern APPS can no longer access the network. This is due to the network isolation design of the new WinRT runtime.

In order to implement new security policies and make applications on the WinRT platform more secure, Modern Apps must be declared by the developer before using a feature. For example, to use a network connection, you need to declare, not only to declare that you need a network connection, but also to declare which type of connection is needed. Due to network isolation, all Modern Apps cannot use IP loopback addresses for interprocess communication by default. When we set up a proxy server for the LAN in the connection settings set by the Internet, Modern APPS can't access the Internet. Only the desktop application can access the Internet through the proxy server. (WinRT has the ability to detect the default proxy server on the local network so that Modern APPS can access the Internet, but it can't be detected automatically after manually specifying the LAN proxy.)

Sometimes, when the company When the default network proxy server is not working, the IT administrator may ask the user to manually specify another LAN proxy server. At this time, Modern Apps can't access the Internet, which is really depressed. In fact, we have two ways to remove the network isolation. Restrictions allow Modern APPS to access the Internet during special periods:

Method 1: Use Group Policy to specify Internet proxy for network isolation environment

Open Local Group Policy Editor, expand "Computer Configure "-" management template "-" network" - "network isolation", we can see the following settings:

We can edit the "application's Internet proxy server" to specify an Internet proxy. Note that the proxy specified here is the same as the LAN proxy specified in your connection settings for the desktop IE option, so that Modern Apps can have access to the Internet. That's right, this is just a foundation, because if you only specify this one, the agent you added and the agent detected by the system are a union. Because the automatic detection takes precedence, after the LAN agent is specified on the desktop, it is automatically detected. The proxy is inconsistent with the manually specified LAN proxy, and the result is still not online. So in order for Modern Apps to be able to access the Internet, we also need to enable the "Agent Definition Authority" option to allow Modern APPS to use only the agents specified here.

Method 2: Adding Network Isolation for Specific App Using Win8's Built-in Debug Command Set

Windows 8 has a built-in command line tool for Modern Apps developers to diagnose the network. questionable. We can use it to add some Modern APPS to the network isolation exclusion list:

Here we use the LoopbackExempt parameter to achieve our needs. For this parameter, its use also has specific secondary parameters that need to be specified.

The program help is very clear, so I won’t go into details here. Here, I want to remind everyone that because the AppContainer or the SID of the package is hard to find (requires the registry), I personally recommend that you use –n=[Name] to operate the network isolation through the AppContainer or package name. Exemption. Because the way to get the name is very simple, as long as you open the %LocalAppData%\\Packages path, the names of the following folders are the names of the various Modern APPS, which are available for easy copying and pasting.

As you can see from the figure, it is not difficult to identify which Modern App in the start screen corresponds to the App, because the part of the folder is the name of the program. For example, we can see the last one, "WinStore_cw5n1h2txyewy", which is undoubtedly the internal name of the "App Store" application.

Here, we assume that the default proxy server is broken now, I set up the LAN proxy in the desktop environment, then I need to use the app store to update several of my applications, then I will To add a network quarantine exemption: Execute "CheckNetIsolation.exe LoopbackExempt -a -n=WinStore_cw5n1h2txyewy" to add the app store to the exempt list.

To verify the list of exemptions, we can use the "CheckNetIsolation.exe LoopbackExempt -a -s" command:

To delete an exemption, change the -a parameter in the exempted command For -d, to quickly clear the contents of the list, execute "CheckNetIsolation.exe LoopbackExempt -c".

Comparing the above two methods, I personally recommend that you use the second method. There are two reasons:

First, in the Group Policy method, the proxy port of the proxy server cannot be specified for the isolated network. Therefore, applications that use non-80 ports may still not work properly. For example, when the app store is set up in this way, it can only browse the app, update the software, and download the software.

Second, the use of CheckNetIsolation allows you to easily control and review the exemption situation, and there is no port limitation, the program function is completely normal. Moreover, for IT professionals, this can be integrated into the code, and the code can be reused for automated control.

In the second way, it is recommended that you use the form -n=[AppName] to add a delete exemption than to use -p=[APPSID] not only better than the convenience mentioned above, but also, like A special Modern App like Store, which has no corresponding SID displayed under HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Mappings in the registry. After adding the Store exemption by name and reviewing the exemption list, we found that the store's SID=S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493.