Revisiting Fiddler and Win8+ Immersive applications

Back in September, I blogged about the configuration steps required to debug Windows 8 Immersive (“Metro-style”) apps using Fiddler. Since that post was originally written, I’ve made available a new version of Fiddler which runs natively on the .NETv4 Framework, enabling Windows 8 users to run Fiddler without installing older versions of the Framework.

As I mentioned in that post, Immersive applications (and IE11 on the Desktop) run inside isolated processes known as “AppContainers.” By default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. The post went on to explain how the CheckNetIsolation tool can be used to permit an AppContainer to send traffic to the local computer. However, using CheckNetIsolation is pretty cumbersome—it requires that you know the AppContainer’s name or security ID, and you must configure each AppContainer individually. To resolve those difficulties, I have built a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic. This tool requires Windows 8 and runs on the .NET Framework v4. When launched, the utility scans your computer’s AppContainers and displays them in a list view. Each entry has a checkbox to the left of it, indicating whether the AppContainer may send loopback traffic. You can toggle these checkboxes individually, or use the buttons at the top to set all of the checkboxes at once. Click Save Changes to commit the configuration changes you’ve made, or click Refresh to reload the current configuration settings.

In current versions of Fiddler, you can launch the configuration tool described below by clicking the Win8 Config button in Fiddler’s toolbar.

If you are not running Fiddler, you can install a standalone version of the EnableLoopback Utility. To make changes to the exemption list, you must elevate to Administrator.

EnableLoopback Utility screenshot

Note: When you run Unit Tests in Visual Studio 2012, an ephemeral AppContainer is created for the duration of the unit test, and removed later. In order to ensure that this temporary container is shown in the EnableLoopback utility, you must click the Refresh button while the Unit Test is running. Learn more here



Update 6/14/2013: An open-source utility is now available which shows how to use the Firewall APIs mentioned below. Check it out at

PS: For the technically-inclined, this tool relies on calling the new Network Isolation APIs introduced with Windows 8. Their .NET declarations (as of the BUILD conference) are as follows:

// Call this API to enumerate all of the AppContainers on the system 
internal static extern uint NetworkIsolationEnumAppContainers(out uint pdwCntPublicACs, out IntPtr ppACs); 
// Call this API to free the memory returned by the Enumeration API 
internal static extern void NetworkIsolationFreeAppContainers(IntPtr pACs); 
// Call this API to load the current list of Loopback-enabled AppContainers
internal static extern uint NetworkIsolationGetAppContainerConfig(out uint pdwCntACs, out IntPtr appContainerSids); 
// Call this API to set the Loopback-exemption list 
internal static extern uint NetworkIsolationSetAppContainerConfig(uint pdwCntACs, SID_AND_ATTRIBUTES[] appContainerSids); 
// Use this API to convert a string SID into an actual SID 
[DllImport("advapi32.dll", SetLastError=true)]
internal static extern bool ConvertStringSidToSid(string strSid, out IntPtr pSid); 
// Use this API to convert a string reference (e.g. "@{blah.pri?ms-resource://whatever}") into a plain string 
[DllImport("shlwapi.dll", CharSet=CharSet.Unicode, ExactSpelling=true)] 
internal static extern int SHLoadIndirectString(string pszSource, StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
Comments (46)

  1. McAkins says:

    Thanks Eric, nicely done. Just a question? Doesn't allowing Loopback negates the security feature of the AppContainer? and jeopardize Win8 in general. What knock-on effect could this have security-wise? Thanks already.

  2. @McAkins: That's a great question. Yes, turning off the AppContainer restriction does negate the security value of that restriction, so it's wise to only apply exemptions when needed. That's one reason why this utility makes it so easy to reapply the restriction to all apps when the user is done debugging.

    Of course, in many cases, a Fiddler user will only exempt applications that they themselves had authored, keeping the security risk low.

    Even without the loopback restriction, Win8 offers a huge amount of defense-in-depth against threats in this area. Win8 apps are reviewed before posting in the Store, and the Win8 firewall will itself block inbound loopback traffic unless the application is configured to allow it (as Fiddler is). The primary security value derived from this restriction is that it helps prevent anyone from building a dual-headed system that uses loopback network connections as a form of IPC from the A/C process to a higher-integrity desktop process. By forbidding such connections by default, there is significantly lower potential attack surface, since an A/C process will have no interesting targets to attack. Since Fiddler must inherently assume that traffic sent to it may be malicious, it's already coded for safety against such threats.

  3. Terrence Spencer says:

    Erik this could not have come at a better time.  I have been having trouble getting my Metro app to talk with my local webservice for development.  

    Thanks a bunch.

  4. Terrence says:

    Erik, I note that there is not much feedback from the community on this loopback tool.  I am not having much luck getting my win8 metro c# xaml to access my local webservice.  The webservice works because a console app in the same project get data fine from the ws.  My metro app on the other hand freezes up on this call:

    var resp = await client.GetAsync("http://localhost:7500/Wcf1.svc/People");

    When I open the win8 loopback exemptions tool, my project is checked.  Can you tell me what else to look for?Thanks.

  5. @Terrrence: I'm not really sure I understand your first sentence– what sort of feedback were you expecting?

    Did you actually watch your app running in Fiddler? Is a request made?

  6. Terrence says:

    I was trying to see if anyone else was using the tool and still not able to access a local webservice.  So I was hoping to see more feedback so I could fix it myself without having to bother you.  Turns out I had to open a hole in the firewall for my ws port as well and now it works.  Should you add this step to your blog post?

  7. Hannes Preishuber says:

    Thanks Eric for your long term an great support.

    Worked for me on windows 8.

    Since a few days,I get no traffic in httpfiddler for localhost. The traffic to web from a METRO styled .NET APP is captured

  8. @Hannes: For actual support, please send me mail. Include a description of exactly what you mean when you say "get no traffic in Fiddler for localhost."  thanks.

  9. Alireza Noori says:

    Hi, can I use this app to enable proxy rules in Proxifier, or could I at least make MetroStyle apps access internet through a simple proxy after I install Proxifier? Currently when I install it, none of the apps work but the desktop apps work fine. Thanks. (More info:…/442723)

  10. EricLaw [MSFT] says:

    @Alireza: I'm not sure what Proxifier is or how it works. But if it's a local loopback proxy, then yes, you'd need to configure AppContainer exemptions to get your Metro-style applications to work with it. When you use EnableLoopback, do you properly capture traffic with Fiddler?

  11. EricLaw [MSFT] says:

    From the brief description of how Proxifier works, no, it won't work from Windows 8 Metro applications. It's very likely implemented as a Winsock LSP, and those aren't loaded by apps running in AppContainers. To do something like that, you need to use an updated product implemented on top of the Windows Filtering Platform (…/aa366510(v=vs.85).aspx).

  12. LyphTEC says:

    Hi Eric,

    I've installed the loopback util as per the blog post and can see fiddler traffic for all the Metro-style apps. However, if I don't have fiddler running, non of the apps can seem to access the internet?

    Even doing "exempt none" & uninstalling the extension and fiddler still doesn't seem to reset all the apps back to normal and they all come up with an error that there is no internet connection even though in the desktop mode, everything works fine?

    It seems like some settings (internet proxy?) for Metro-style apps get's overridden after installing the extension and doesn't reset itself?

    Any ideas?

  13. EricLaw [MSFT] says:

    @LyphTEC: It probably has nothing to do with EnableLoopback and everything to do with a bad proxy setting. I think you're saying that IE on the Desktop works fine? Try this: Go to a command prompt and type: NETSH WINHTTP SHOW PROXY

    What does it say?

  14. Pradeep says:

    Hi Eric,

    Thanks for the info. In my C++ application I am calling NetworkIsolationSetAppContainerConfig() with IE SID (SID from Enable Loopback utility). I see that IE entry is checked. Question is what API or parameter change will uncheck the entry.

  15. EricLaw [MSFT] says:

    @Pradeep:  When you call this API, you pass in the complete list of AppContainers to exempt. So, if you call the API with an empty list, all of the exemptions are cleared.

  16. Pradeep says:

    Thanks Eric. I have implemented this. The idea is to read the existing list, add or remove the entries and update it again. I think this is the expected implementation. One more question – Are the SIDs and Container names going to be fixed. (For example IE 10 has one fixed 'SID/app container name', I guess it may with IE 11).

  17. Martin J. says:

    I'm having trouble with this too. I installed your tool and checked my app, but I see no traffic at all from my W8 App. The calls are working. Running "NETSH WINHTTP SHOW PROXY" displays "Direct access (no proxy erver)". What do I have to set up more?

  18. Fahim says:

    Hi Eric,

    I've installed the software as you described. My all apps are running fine. But once i am trying to install new apps from app store, it shows that unable to install. I think the new apps i was trying to download is not included in the exemptions list and that's why new apps are not running. My question is how i can include new apps in the exemption list? Or is there any other way to install new apps from apps store?  I'll be glad if you can give me solution. Thanks.

  19. Kiran says:

    Hi Eric,

    I am trying to use Fiddler with Proxifier. At first i could see the store but after restart fiddler is unable to capture the data from store. Even reinstall didn't help.

    Can you tell me what to do?


  20. Hugh Fairfield says:

    I'm trying to capture https traffic from my windows metro application (on my surface machine) into fiddler (on my desktop), but al the calls fail (likely due to certificate errors). Is there a way around this? Or other tools that would work in a similar manner?

    EricLaw: You need accept the prompt that trusts the Fiddler root certificate on a machine-wide basis. Please post followups to the Fiddler Discussion forum (see the Help menu) as I am no longer at Microsoft.

  21. venkatesh says:

    hi to all,i have a problem,when using app container loop back,error shows "failed to get  app container info,unable to enumerate app containers ".please help to solve this issue

    EricLaw: There are no known problems with this tool unless you're running on a pre-release version of Windows. You might try asking in the Fiddler discussion forum.

  22. scott says:

    Hi, is there a way to programmatically add applications to the loopback exemption list using FiddlerCore? I am reading your book, but I only see a section describing how to use the GUI (pg 83). Take for example, the Windows Store — Name: winstore_cw5n1h2txyewy SID: S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493

    Thanks, Scott

    EricLaw: As noted in the post, you can use the CheckNetIsolation tool (shipped in Win8) for this purpose. The newest EnableLoopback.exe tool accepts one of two command line options: all or none, which do the logical things.

  23. @venkatesh: Are you by-chance running a 3rd party firewall product, like McAfee? If so, be aware that it disables the Windows Firewall service which is used to enforce loopback restrictions, and replaces the Windows Firewall with its own firewall that does not support the API that permits exemptions for Loopback. You will need to talk to McAfee about how to configure it to allow loopback, or disable their firewall and reinstate the Windows Firewall.

  24. pierre says:

    I use in c++ NetworkIsolationEnumAppContainers i find the first app container structure elements but i dont understand how to find the next :

    DWORD NetworkIsolationEnumAppContainers( _In_   DWORD Flags, _Out_  DWORD *pdwNumPublicAppCs, _Out_  PINET_FIREWALL_APP_CONTAINER *ppPublicAppCs);

    [EricLaw] You probably should ask over on, but the point is that you call this API and it returns a pointer to an array of AppContainer structures.

  25. Ketan says:

    Hello Eric, Any way to make the utility work on Win Server 2012 as it doesnt run on W2012 and my fiddler request are getting 502s.

    Thanks Ketan

    EricLaw: There's no reason that the utility won't work on WS2012. Please email me details using the Help > Send Feedback link in Fiddler. (I'm no longer at Microsoft.)

  26. pierre says:

    Thanks for the answer. Can you show the layout of the structures?


        internal struct SID_AND_ATTRIBUTES
            public IntPtr Sid;
            public uint Attributes;

        internal struct INET_FIREWALL_AC_CAPABILITIES
            public uint count;
            public IntPtr capabilities;

        internal struct INET_FIREWALL_AC_BINARIES
            public uint count;
            public IntPtr binaries;

        internal struct INET_FIREWALL_APP_CONTAINER
            internal IntPtr appContainerSid;
            internal IntPtr userSid;
            internal string appContainerName;
            internal string displayName;
            internal string description;
            internal INET_FIREWALL_AC_CAPABILITIES capabilities;
            internal INET_FIREWALL_AC_BINARIES binaries;
            internal string workingDirectory;
            internal string packageFullName;

  27. Twotall says:

    I can not get any metro apps requiring internet access to work at all,  They work for 3 months and just quit.  I have refreshed windows 8 4 times each time the apps work until pc sleeps or restarts then they quit again.  Microsoft wanted $99.00 just to look a problem…warranty expired 6 days ago.    I just can't understand what is going on.  I have tried all the reset troubleshooters, etc…I am not using proxy, just a home cable modem connect via Ethernet cable. Any ideas, why they just suddenly quit working.  With fiddler exemption they work.

    EricLaw: If the EnableLoopback tool unblocks you, that suggests that there's something unusual about your proxy or network configuration, such that Windows is confused about the remote IP addresses and believes they're on your local network. It's possible that there's either malware or some VPN software (from your ISP) causing this problem.

  28. Kishore says:

    Hi Eric,

    We are testing a windows-based application which runs in the local machine and gets the data from the local DB server. We need to test the response times for different actions we perform on the application. It is 64-bit application which we are testing in Windows 7 machines. Is it possible to use Fiddler to test our application and get the response times for different actions. I again re-confirm, it is a standalone application and not a web application.Thanks!

  29. @Kishore: Fiddler can see any HTTP traffic, but it has to be HTTP traffic. Database servers often use non-HTTP based TCP/IP protocols.

  30. Greeshma says:

    there is an error showing that the utility was unable to collect a list of AppContainers on the system. (Netlso error code 0x6F4). what does this mean? And what should I do?

    EricLaw [ex-MSFT] That appears to be a null-reference error inside the API itself. Do you have the Windows Firewall service installed and running?

  31. Tanmoy Khan says:

    I have the same problem as mentioned by Greeshma, "the utility was unable to collect a list of AppContainers on the system. (Netlso error code 0x6F4), unable to enumerate AppContainers.". And, yes EricLaw, I have Windows Firewall running on my computer. Please suggest something.

  32. Tanmoy Khan says:

    I can exempt loopback using CheckNetIsolation. But Enable Loopbackutility is not working.

  33. Mark Bidar says:

    Great post Eric!

    I was struggling trying to troubleshoot connection timeouts from the 64bit BHO with  EPM turned on. The BHO timed out when making connection to a local service. This fixed it. Thanks.

  34. James Powder says:

    Hello.. Thank you so much for this application ! Me, and many other users had message, that store and other brick app cant acces internet, but desktop internet works fine.. So where was the problem ? Reinstalled Win 8 and it works for 1 day. Then – cant acces to internet connection. Now. I tryed your app, enable conection for win 8 apps and it works ! Just have to do that every day 🙂 Still, Thanks !

  35. highland74 says:

    I have connection problem on Windows UI (but not on the standard desktop) I have this message of Fidller : Sorry this utility was unable to collect rhe lis of Appcontainers on this this system (Netiso Error Code 0x0 Unable ro enumerate AppContainers.  Any idea please

  36. Deepak says:

    I have connection problem on Windows UI (but not on the standard desktop) I have this message of Fidller : Sorry this utility was unable to collect rhe lis of Appcontainers on this this system (Netiso Error Code 0x0 Unable ro enumerate AppContainers.  Any idea please

  37. Hein Vogel says:

    I have a question: Fiddler used to be able to see the webtraffic generated by my VSTO Add-in for Excel in Office 2013. The new version doesn't, despite all exemptions being ticked? Please help

  38. EricLaw [MSFT] says:

    @Hein: Office applications don't run in AppContainers, so the Exemption tool isn't relevant for your scenario. Is your VSTO extension using System.NET? Did you start Fiddler *before* starting the Office application? .NET doesn't always automatically adopt the system proxy:…/ConfigureDotNETApp. Also be sure to check the Help > Troubleshoot Filters option to ensure that the traffic isn't simply being hidden.

  39. Hein says:

    Thank you very much Eric: I made sure it uses System.NET, and now the traffic is being shown very nicely. Thanks you for the quick answer. I was afraid that it would not work with Office 354 and Office 2013 VSTO applications under Windows 8.1, but it works perfectly now, thanks again.

  40. Discobacon says:

    When running the App Container Loopback Exemption Utility,  get the error : 'Unable to enumerate AppContainers' (NetIso ErrorCode 0x0). Any ideas howto solve this ? Thanks

    [EricLaw] Upgrade to the current version (1.4) which is linked in the post above. It offers a fallback codepath which runs in the event that the AppContainer Enumeration API fails.

  41. Momoski says:

    Hi I have the same error. AFAIK I am using the latest version: Fiddler Web Debugger (v4.4.5.6).Error : 'Unable to enumerate AppContainers' (NetIso ErrorCode 0x0). Plz Help otherwise I have to move everything to another PC which runs on Win 7.

    [EricLaw] Upgrade to the current version of EnableLoopback (1.4) which is linked in the post above. It offers a fallback codepath which runs in the event that the AppContainer Enumeration API fails.

  42. zuhri says:

    why my apps windows 8.1 cant connect internet without fiddler?

  43. Ian Yates says:

    @zuhri – I suspect your proxy settings are hard-coded to talk to fiddler running locally.  Stop fiddler and check your system's proxy settings.  If they still point to localhost then remove the settings and see how things work.  Usually Fiddler will populate these settings and remove them for you when it closes.  I can't recall if it has an option to disable this behaviour – you may want to explore Fiddler's options in case such an option exists.

  44. Muhammad Talal Shoaib says:

    Nice post…

    But why do we need to keep fiddler running every time I want my app to connect to the internet?

    Currently, when I launch my windows 8 app, it fails to connect to the internet until I relaunch the app by launching the fiddler first.

    Any help regarding this will highly be appreciated.

    Thanks –

  45. Amit Sharma says:

    Thanks a lot Eric for the great tool you have made. Fiddler is simply awesome. Is there any e-book I can read to understand fiddler and its capabilities fully?