Windows QoS Fun
April 2020
I recently had an issue with an application running away with networking resources. Looking at the process I could see it taking 100% of the gigabit connection. What to do, what to do…
Intro
I’m not a Windows expert by any means. Just here to learn. Disclaimers aside, here’s a summary of some neat things I learned about QoS.
Basics of QoS
For those who don’t know, QoS = Quality of Service. You can prioritize and restrict certain IP traffic by configuring QoS.
Traffic can be matched on many criteria, such as:
- Application Name
- Source Port
- Destination Port or Range
- IP Protocol Type (TCP/UDP/Both)
- … and more
Any of these criteria can be paired with a bandwidth limit by using “-ThrottleRateActionBitsPerSecond”, which “specifies a throttle rate in bits per second to set the maximum bandwidth that can be consumed”.
The type accepted for this parameter is UInt64, which has a minimum value of 0.
Creating a QoS Policy
So let’s create a new QoS Policy with the minimum value:
PS C:\Users\Administrator> New-NetQosPolicy -Name "chrome" -AppPathNameMatchCondition "chrome.exe" -ThrottleRateActionBitsPerSecond 0KB -PolicyStore ActiveStore
However, you cannot use 0KB as an input; it will throw an error. So what if we use a value only slightly above 0?
If you use 0.01KB, it will work!
This is true in both the latest version of Windows Server 2019 [Version 1809 OS Build 17763.737] and Windows Server 2016 [Version 1607 OS Build 14393.693].
PS C:\Users\Administrator> New-NetQosPolicy -Name "chrome" -AppPathNameMatchCondition "chrome.exe" -ThrottleRateActionBitsPerSecond 0.01KB -PolicyStore ActiveStore
Name : chrome
Owner : PowerShell / WMI
NetworkProfile : All
Precedence : 127
AppPathName : chrome.exe
JobObject :
ThrottleRate : 8 Bits/sec
So why should anyone care?
This is a significantly lower value than is available in “gpedit”, which only allows a Throttle Rate of 1 KBps.
This is also weird because a value only slightly above the UInt64 minimum is valid, but the true minimum is not allowed.
This is a nifty trick and has a few applications, albeit usually obscure ones.
Playing an Attack/Defend competition?
- Use this to essentially block any exfil over FTP or screw with an attacker’s beacons, assuming the rules allow it. Oftentimes the rules say you can’t BLOCK, but they rarely say you can’t THROTTLE.
Need a Makeshift Firewall?
- Windows Firewall has issues around precedence of rules and applies the broadest rule. QoS will respect the most specific rule affecting a packet while still having broad rules in place.
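The policies described above, put together as an added example (not code from the original post): it shows what the 0.01KB literal evaluates to, creates an application-scoped and a port-scoped throttle, lists the result and cleans up. The policy names, runaway.exe and TCP port 21 for the FTP control channel are assumptions; run it from an elevated session.

```powershell
# Added example. Policy names, "runaway.exe" and port 21 are assumptions.

# PowerShell expands the KB suffix (x1024) before parameter binding,
# so 0.01KB is the number 10.24, which becomes 10 when cast to UInt64.
$rate = 0.01KB
"0.01KB evaluates to $rate; as UInt64: $([UInt64]$rate)"

# Application-scoped throttle, same shape as the chrome.exe policy in the post.
New-NetQosPolicy -Name "throttle-runaway-app" `
    -AppPathNameMatchCondition "runaway.exe" `
    -ThrottleRateActionBitsPerSecond $rate `
    -PolicyStore ActiveStore

# Port-scoped throttle: outbound TCP to destination port 21 (FTP control).
# FTP data connections use other ports and are not matched by this policy.
New-NetQosPolicy -Name "throttle-ftp-control" `
    -IPProtocolMatchCondition TCP `
    -IPDstPortMatchCondition 21 `
    -ThrottleRateActionBitsPerSecond $rate `
    -PolicyStore ActiveStore

# Review what is in effect, including the ThrottleRate that was actually applied.
Get-NetQosPolicy -PolicyStore ActiveStore

# Policies created in ActiveStore do not survive a reboot, but remove them
# explicitly once they are no longer needed so they do not surprise anyone.
foreach ($name in "throttle-runaway-app", "throttle-ftp-control") {
    Remove-NetQosPolicy -Name $name -PolicyStore ActiveStore -Confirm:$false
}
```

Running Get-NetQosPolicy against ActiveStore is also a quick way to spot throttle policies someone else has left on a host.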