Tutorial · Estimated reading 14 mins

Fix UWP apps not using Clash on Windows:
Loopback exemption and system proxy steps

System proxy is enabled and browsers work, but Microsoft Store, Xbox, or other Windows UWP apps still fail? That often is not a bad node or a missing DOMAIN-SUFFIX rule—it is loopback isolation: UWP sandboxes block access to 127.0.0.1 where Clash Verge Rev listens. This guide separates “proxy is written to Windows” from “UWP may use localhost,” then walks through CheckNetIsolation, verification, and optional TUN.

Windows UWP · Loopback · System proxy · Clash Verge Rev

1 Symptoms and common false leads

A familiar story on Windows: Clash Verge Rev is running, system proxy is enabled, Chrome or Edge loads pages fine, but Microsoft Store spins forever, the Xbox app cannot sign in, or other store-installed Windows UWP apps report generic network errors. Instinct says “bad node,” “wrong rule,” or “DNS leak”—all worth checking—but when only UWP-style apps fail while ordinary Win32 programs behave, you should prioritize two questions: is the OS proxy entry actually consistent with Clash, and can those UWP packages reach 127.0.0.1 where your local proxy listens?

Windows separates those concerns. System proxy means WinHTTP / user settings point HTTP(S) traffic at a host and port (often 127.0.0.1 and your mixed port). UWP apps additionally run inside a sandbox that, by default, blocks loopback access to protect local services. So Clash may be working perfectly for anything allowed to talk to localhost, while UWP still looks “offline.” That is not automatically a Clash routing bug; it is platform networking policy colliding with a localhost proxy design.

If you have not installed the client yet, start with our Clash Verge Rev Windows install guide, then return here for UWP-specific steps.

2 Two layers: proxy configuration vs UWP loopback

Think in two layers. Layer one: system proxy is effective—Windows shows a manual proxy pointing at the same IP and port Clash exposes, and browsers that honor system proxy can reach the open internet through your policy groups. Layer two: UWP may use that proxy only if the app is allowed to open TCP connections to the loopback address where the proxy binds. Most UWP packages are denied loopback by default, which blocks “proxy on localhost” even when layer one is correct.

Misunderstanding the split wastes hours. Users add exotic DOMAIN-SUFFIX rows for microsoft.com while the real failure is earlier: the app never reaches the local listener. Conversely, if browsers fail too, fix subscriptions, rules, and DNS first—loopback exemptions will not repair a globally broken proxy.

Terminology Loopback, loopback exemption, and LoopbackExempt all refer to letting a specific UWP package talk to 127.0.0.1 (and ::1). They are unrelated to whether a domain is “foreign” or “domestic” in your rules.

3 Step one: verify system proxy before touching loopback

Open Windows Settings → Network & Internet → Proxy. Confirm Use a proxy server is on and that the address matches what Clash Verge Rev shows for system proxy (mind mixed HTTP/SOCKS mappings in the UI). Then load a site in Edge or Chrome that requires your proxy. If that fails, pause and troubleshoot Clash core health, node selection, and rules—there is no UWP-only miracle fix.

When desktop apps and browsers succeed but Store and Xbox do not, proceed to loopback. This ordering prevents mistaking a global outage for an app-container issue and keeps your Clash logs meaningful.

4 Why UWP blocks localhost proxies by default

Windows 10 and 11 isolate many store-distributed apps inside an app container. Default network policy prevents those processes from connecting to local loopback addresses. That design mitigates scanning and abuse of local services, but it also blocks the common pattern of “HTTP proxy on 127.0.0.1.” From the user’s perspective the symptom looks like “app has no network,” not a polite HTTP 403 from a remote site.

Clash Verge Rev in system-proxy mode listens on localhost; UWP without exemption therefore cannot attach to the proxy port, regardless of how good your upstream node is. Recognizing the mechanism is the difference between tweaking YAML for hours and running one CheckNetIsolation command.

5 CheckNetIsolation and loopback exemption

Microsoft ships CheckNetIsolation.exe to manage per-package loopback exceptions. You need each target app’s Package Family Name (PFN), which looks like Microsoft.WindowsStore_8wekyb3d8bbwe—the exact suffix can vary by build; always copy from your machine.

List current exemptions

Inspect what is already allowed before adding duplicates:

CMD 
CheckNetIsolation LoopbackExempt -s

Find the PFN

In PowerShell, narrow Appx packages by name (examples below—adjust wildcards as needed):

PowerShell 
Get-AppxPackage *WindowsStore* | Select-Object PackageFamilyName
Get-AppxPackage *Xbox* | Select-Object PackageFamilyName

Add exemption for one package

Run an elevated Command Prompt or PowerShell and substitute the real PFN:

CMD (Admin) 
CheckNetIsolation LoopbackExempt -a -n="Microsoft.WindowsStore_8wekyb3d8bbwe"

Repeat for each UWP that must reach the local proxy—Store, Xbox, Xbox Game Bar, and others each have their own PFN. After updating, fully restart the app or sign out and back in to clear stale sessions.

Bulk scripts (use with care)

Community scripts iterate Get-AppxPackage and call LoopbackExempt -a for every installed app. That is convenient on a personal machine but broadens exposure: exempted UWP can talk to more localhost services than a single proxy port. Enterprise deployments should follow IT policy instead of blanket automation.

Security Loopback exemption is a real permission. Only install apps you trust, and avoid unnecessary global “enable everything” tools on shared PCs.
Do not confuse -c with -s To view the list, use -s. Removing a single entry uses -d -n="<PFN>". Official documentation warns that LoopbackExempt -c clears all exemptions—avoid it unless you fully intend to reset everything.

6 Clash Verge Rev settings to double-check

After loopback is fixed, Clash still needs to present a consistent story: System Proxy enabled in the app, listening port aligned with Windows settings, and no stale manual proxy left behind from another tool. If you switch to TUN-only and disable system proxy, both the OS panel and the client must reflect that—mixed states confuse troubleshooting.

Allow LAN and other sharing options affect other devices on your subnet; they do not replace UWP loopback rules for localhost. If Store still shows odd DNS symptoms after loopback works, review our DNS leak prevention guide for FakeIP, DoH, and resolver consistency—misconfigured DNS can look like “network down” in UWP shells.

Download installers from our download page rather than random repackaged binaries; integrity matters when you grant admin rights and install services.

7 Optional TUN mode and how it relates to loopback

TUN moves traffic at the routing layer through a virtual interface. Many workflows combine TUN with or without system proxy; whether you still need explicit loopback exemptions depends on how a given UWP constructs its outbound path. Some users find TUN reduces reliance on localhost HTTP proxies; others keep system proxy plus exemptions for simplicity. Treat both as tools, not religions—verify with connection logs rather than assumptions.

For developers who also need terminals, Git, and containers on the same machine, our Clash Verge Rev TUN guide walks through service mode, elevation, and verification steps that pair well with the loopback fixes described here.

8 Acceptance checklist for Store and Xbox

Work through this list in order when validating a fix:

  1. Windows proxy settings show 127.0.0.1 and the same port as Clash Verge Rev.
  2. At least one desktop browser successfully uses the proxy through your rules.
  3. Target UWP PFNs appear in CheckNetIsolation LoopbackExempt -s.
  4. Problematic apps were restarted or the user session refreshed after changes.
  5. Clash logs show expected domain matches for Microsoft endpoints—no accidental DIRECT to dead routes.
  6. Third-party firewalls or security suites are not blocking UWP separately from Win32.

When both proxy correctness and loopback exemptions line up, most “only Store fails” tickets close. Remaining issues are often account region, Microsoft service outages, or overly aggressive rules that still misroute Microsoft CDN domains.

9 If it is still broken

Collect structured evidence instead of random node swaps. Note Store error codes, timestamps, and Clash log lines for the same window. Check whether corporate policy blocks Store traffic, whether Windows Update is required, and whether a third-party “internet accelerator” injects its own proxy that conflicts with Clash. Review rules that might send microsoft.com, windows.net, or Xbox endpoints to an exit that cannot reach Microsoft services.

When TLS handshakes fail, distinguish DNS problems from routing problems: a loopback issue is solved before those layers matter; once loopback works, DNS and policy debugging proceeds like any other Clash deployment.

Rule of thumb UWP-only failures → think loopback and localhost proxy reachability first. Global failures → think subscription, nodes, rules, and DNS first.

10 Wrap-up

When Windows UWP apps appear to “ignore” Clash, the culprit is frequently loopback isolation, not a missing overseas rule. Validating system proxy alignment and then applying CheckNetIsolation exemptions for each required package puts Microsoft Store, Xbox, and similar apps back on the same troubleshooting path as your browser. Compared with endlessly editing YAML, separating the two layers saves time and produces clearer logs.

Optional TUN mode can complement or replace parts of this workflow depending on how you want traffic captured; combine it with the guides linked above when you need full-machine coverage beyond the browser. Among comparable stacks, Clash’s transparent rules and readable Mihomo logs still make these edge cases easier to reason about than opaque one-click clients.

Grab current installers from our download hub; keep GitHub for source and issues, not as the primary distribution channel for day-to-day installs.

→ Download Clash for free and experience the difference

Tags: Windows UWP Loopback System proxy Clash Verge Rev Microsoft Store CheckNetIsolation Clash Windows
Clash Verge Rev logo for Windows UWP and system proxy

Clash Verge Rev

Next-gen Clash client · Free and open source

On Windows, Clash Verge Rev pairs system proxy and optional TUN with clear logs so you can tell loopback issues apart from rule problems—ideal when only Microsoft Store or Xbox UWP apps fail.

TUN full traffic takeover Mihomo high-performance core Precise rule routing DNS leak helpers Multi-subscription management
Windows macOS Linux

Related reading

Tutorial

Clash Verge Rev on Windows: install, permissions, and migrating from Clash for Windows

 Tutorial

Clash Verge Rev TUN mode: route terminal, Git, and Docker through the proxy