Fiddler and Windows 8 Metro-style applications

Over on StackOverflow, a new Windows 8 user asked how to get Fiddler working with new Windows 8 Metro-style applications. These applications work somewhat differently than classic desktop applications, and require a bit of special configuration work to get Fiddler to work properly.

Fear not, however, Windows 8 and Fiddler get along just fine after a few tweaks. Many of my colleagues have been using Fiddler to debug Metro-style applications over the last few months.

There are three important Windows 8 changes that impact Fiddler:

  1. The .NET CLR 2.0 isn’t installed by default
  2. Metro-style applications require a specific Capability to communicate with the localhost (where Fiddler runs)
  3. Metro-style applications do not respect the per-User Trusted Root Certificates store

Each of these three issues can be worked around to restore the full functionality of Fiddler when running on Windows 8.

DotNet Runtime Version

By default, Windows 8 ships with the Common Language Runtime v4 and the .NET Framework v4.5. Fiddler, however, is currently compiled to run on the v2.0 CLR which is installed on most PCs with the .NET2.0, .NET3.0, and .NET3.5 Frameworks. When you first launch Fiddler on Windows 8, you should see a prompt to install and enable the .NET Framework version 3.5 and the v2.0 CLR:


If for some reason you cannot install the older .NET CLR & Framework (or simply don’t want to), then you can try an beta version of Fiddler targeting the version 4.0 .NET Framework & CLR. This build currently trails the v2-targeted release build by a few bugfixes and features but will be updated periodically. One day, it will likely become the default package, in the same way that the v2-targeted version of Fiddler replaced the v1.1-targeted version back in 2007.

Connecting to Fiddler requires an Application Capability or Loopback Exemption

Windows 8’s Metro-style applications run in isolated processes (AppContainers) where permissions are granted based on a capabilities model. An application only is granted the capabilities which are specified in its package manifest.

[Update 12/10/2011: Please read this post for details on a new utility which simplifies the following steps. ]

Fiddler is a proxy running on your local computer, and for a Metro-style application to send its traffic to Fiddler, the application must either declare the privateNetworkClientServer permission or a Loopback Exemption must be created. Without either of these settings, the App will not be able to connect to the Fiddler proxy running on the local computer, and thus Fiddler will not be able to see its traffic.

CheckNetIsolation LoopbackExempt allows the developer to set up Fiddler or his debugging/testing environment without modifying the capabilities assigned to the AppContainer. Generally speaking, using the CheckNetIsolation tool should be preferred to adding the privateNetworkClientServer capability, as doing so is less impactful to the behavior of the App you’re testing. There was a recent talk that describes how to use CheckNetIsolation with Fiddler– The talk is “Debugging connected Windows 8 apps” and it’s available for viewing here. Minutes 27 to 34 talk about Fiddler, and minutes 19 to 34 discuss use of the CheckNetIsolation tool. To exempt your application’s AppContainer, open an Administrative Command Prompt, and type CheckNetIsolation LoopbackExempta -n=AppContainer’sFullName

You can learn more about assigning capabilities to your application by looking for the text To add capabilities to an app inside this whitepaper.

The Windows 8 Firewall blocks Modern Applications from connecting to Loopback

[Update 12/10/2011: This step should not be needed in the latest Fiddler v4 builds]

You will also need to allow loopback connections through the firewall. The simplest way to do that is to click Tools > Fiddler Options and tick the “Allow remote computers to connect” option, restarting Fiddler when complete.

Allow remote computers to connect checkbox


To decrypt HTTPS, Fiddler’s Root Certificate must be placed in the Machine’s Trusted Root store

Fiddler’s HTTPS-decryption feature relies on a man-in-the-middle approach to decrypting HTTPS traffic. Upon enabling the feature, Fiddler provides the option to copy its self-signed root certificate into your per-User Trusted store:




However, Metro-style applications will not respect any root certificates that are only installed in the per-User Trusted Root Certification Authorities store. If a Metro-style application encounters a certificate chain that doesn’t lead to the Local Machine’s Trusted Root Certification Authorities store, then the trust chain will be deemed invalid and your HTTPS request will fail.

To address this, recent versions of Fiddler include code that will offer to place the Fiddler Root Certificate into the machine-wide Trusted Root Certification Authorities store when Fiddler detects that it is running on Windows 8. After the prompts above, you’ll see the following prompts:



If you choose Yes and Yes in these prompts, then Fiddler should be able to successfully decrypt the HTTPS traffic from your Metro-style application. Note: If you want Fiddler to have the machine trust the root certificate on earlier Windows versions, set the preference named fiddler.certmaker.offermachinetrust to True.


Please let me know if you have any questions, and thank you for building on Windows 8!

-Eric Lawrence

Comments (12)

  1. Crowley says:

    I take it the second "Trust Cert" dialog is a custom fiddler dialog?  Installation of a per-machine root cert doesn't have a dialog if you do it programmaticly under an administrator acct.

    You might consider making that dialog optional if you install the root cert on the LM from FiddlerCore 🙂

  2. EricLaw [MSFT] says:

    Yes, this is a Fiddler dialog, and yes, you're correct if your code is running at Admin, there's no prompt from the system. My executable will always prompt, however, since it's signed by me, always elevates, and accepts arbitrary command line arguments. FiddlerCore apps can trust the cert in any way that they want.

  3. Will says:

    Reconfiguring with CheckNetIsolation and the Firewall exemption is an annoying hassle, particularly when debugging apps that you didn't write. One simple workaround (which has an obvious security risk) is to just disable the Windows Firewall using the Services applet in the control panel. When the firewall is disabled, loopback connections work just fine.

  4. Irfanfare says:

    Does the beta version of Fiddler, targeting the version 4.0 .NET Framework & CLR, also works the same way as described above?

  5. @Irfanfare: I'm not sure what you are asking. See…/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx for updates on what's been happening in Fiddler v4 lately.

  6. Steve Williams says:

    The "Allow remote computers to connect" is still required, even with the latest available .NET 4 Beta version.  It was the only way we could view HTTPS traffic coming from a Metro app.

  7. Steve says:

    Does this mean that [F12] in IE10 in Metro Mode doesn't show the developer toolbar complete with the Network tab that "integrates" the key parts of Fiddler?

    Or is that all there… and this is purely for the "extended" fiddler capabilities that we'd like to see in Metro?

  8. @Steve: Metro-style Internet Explorer does not include the F12 Developer Tools.

  9. says:

    Under Windows 7, I set the preference named fiddler.certmaker.offermachinetrust to True.

    If I login with a domain account, I got the message

     "Failed to find the root certificate in User Root Store"

    when I want to install the DO_NOT_TRUST_FiddlerRoot certificate.

    If I login with the local Administrator account, I do NOT get this error message.

    Is there a domain GPO preventing to install this certificate ?

  10. sahar habash says:

    Under Windows 7, I set the preference named fiddler.certmaker.offermachinetrust to True.

    If I login with a domain account, I got the message: "Failed to find the root certificate in User Root Store" when I want to install the DO_NOT_TRUST_FiddlerRoot certificate.

    If I login with the local Administrator account, I do NOT get this error message.

    Is there a domain GPO preventing to install this certificate?

    EricLaw: Please contact us using the Send Feedback link in Fiddler's Help menu.

  11. Muhammad Talal Shoaib says:

    Nice post…

    But why do we need to keep fiddler running everytime I want my app to connect to the internet?

    Currently, when I launch my windows 8 app, it fails to connect to the internet until I relaunch the app by launching the fiddler first.

    Any help regarding this will highly be appreciated.

    Thanks –

  12. Anargyros Tomaras says:

    I have the same issue as Muhammad.

    My Metro  app cannot connect to the internet when Fiddler is closed but starts working after i start Fiddler.

    Note that the Proxy is disabled when Fiddler is off.

    Any insights on this would be really appreciated!

Skip to main content