Why UWP ignores your Clash listener on 127.0.0.1
Desktop Win32 programs you install from an installer generally behave like ordinary processes: when you enable the Windows system proxy, many of them honor WinHTTP or WinINET settings and send traffic to whatever address and port you configured—often 127.0.0.1 and your Clash mixed-port. Universal Windows Platform applications are different. Microsoft isolates them with network capabilities that block loopback access to local services unless you explicitly allow it. From the app’s perspective, your proxy is not “on the internet”; it is a loopback peer, and loopback is denied by default.
This design is intentional. UWP apps are expected to talk to remote APIs directly or through brokered Windows components, not to arbitrary localhost servers that could exfiltrate data from another sandboxed process. Unfortunately, a local forward proxy is exactly that kind of localhost server. The symptom is frustratingly consistent: Win32 Chrome may work while the Store shows generic download errors, Xbox Live connectivity tests fail, or a UWP game cannot reach its CDN even though the same machine routes browser traffic through Clash without issue.
Before you chase subscription quality or rewrite rules, confirm the failure mode. If Clash’s connection log shows no entries when the Store attempts a download, traffic may never reach the proxy. If Win32 apps show healthy policy hits but UWP remains silent, loopback isolation is a prime suspect. The fix is not to “open more ports” on the public side; it is to tell Windows which packaged identities may initiate loopback connections toward your local proxy.
If you have not finished baseline setup yet—importing a profile, enabling system proxy, and verifying mixed port—walk through our Clash Verge Rev setup guide first. Loopback exemptions only help after Clash is actually listening and the OS is already pointing Win32 traffic at the correct port.
Symptoms that point to loopback, not routing rules
Loopback problems masquerade as many unrelated errors. The Microsoft Store might report that downloads cannot proceed, show error codes that change between builds, or sit in endless “pending” states. The Xbox app may fail its connectivity check even when web pages load. Some first-party UWP utilities exhibit partial behavior: account UI works because it uses a different transport, while binary downloads stall. None of these messages say “loopback blocked,” which is why the issue confuses even experienced Clash users.
Contrast that with a classic rule miss. When routing is wrong but loopback works, Clash usually logs connection attempts, shows policy decisions, and you can adjust DOMAIN-SUFFIX lines or DNS. When loopback is blocked, the interesting connections may never appear in the log at all, or they fail before meaningful metadata shows up. That distinction saves hours of editing YAML that was never evaluated for the UWP process.
Also remember that not every Microsoft experience is UWP. Some components are Win32 or use outbound brokers. Mixed environments mean you can observe “half working” systems where only certain apps break. Document which executables fail before you change global policies.
Align Clash with Windows system proxy
Loopback exemption does not replace a correct system proxy configuration; it only removes one wall. In your Clash-compatible GUI, enable system proxy mode so Windows stores an HTTP proxy pointing at 127.0.0.1:<mixed-port> (common values include 7890, but your profile decides). Confirm the port matches the listener that is actually running after a profile reload. If the OS points at a stale port, UWP will still fail even after exemption.
Some users combine manual PAC files or third-party switchers. Keep the effective configuration simple while debugging: one authoritative system proxy entry that matches Clash, no competing tools rewriting the same keys. After changes, reopen the Store or sign out and back in to ensure the app re-reads network state.
If you rely on authenticated upstream proxies at the Clash layer, remember that UWP still needs to reach Clash locally first. The authentication handshake with your remote provider happens after traffic enters Mihomo; loopback only covers the first hop to localhost.
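One way to confirm that the stored system proxy entry and the running listener agree, as an added example that is not part of the original article or the Clash project. It assumes your GUI writes the per-user WinINET values ProxyEnable and ProxyServer, and it only reads state, so it does not need elevation.

```powershell
# Added example: compare the system proxy entry with what is actually listening.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

if ($settings.ProxyEnable -ne 1) {
    Write-Warning 'System proxy is disabled (ProxyEnable is not 1).'
    return
}

# ProxyServer is either "host:port" or a per-protocol list such as
# "http=host:port;https=host:port". Keep only the host:port part of each entry.
$entries = $settings.ProxyServer -split ';' |
    ForEach-Object { ($_ -split '=')[-1].Trim() } |
    Sort-Object -Unique

foreach ($entry in $entries) {
    if ($entry -notmatch '^(?:\w+://)?(?<addr>[^:/]+):(?<port>\d+)$') {
        Write-Warning "Cannot parse proxy entry '$entry'."
        continue
    }
    $addr = $Matches.addr
    $port = [int]$Matches.port

    if ($addr -notin @('127.0.0.1', 'localhost')) {
        Write-Warning "Proxy entry '$entry' is not a loopback address; loopback isolation is not the issue for it."
    }

    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "Windows points at port $port but nothing is listening there (stale port?)."
        continue
    }

    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProxyEntry   = $entry
            LocalAddress = $l.LocalAddress   # 127.0.0.1, 0.0.0.0 or :: depending on the bind setting
            Port         = $l.LocalPort
            ProcessName  = $proc.ProcessName
            ProcessId    = $l.OwningProcess
        }
    }
}
```

If the ProcessName column shows something other than your Clash or Mihomo core, another tool owns the port and an exemption will not help until that is resolved.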
Find each app’s package family name
Exemptions are granted per package family name, a stable identifier derived from the app publisher and package identity. You can discover it with PowerShell. Open Windows Terminal or PowerShell as a normal user and run queries such as:
Get-AppxPackage *store* | Select-Object Name, PackageFamilyName
Get-AppxPackage *xbox* | Select-Object Name, PackageFamilyName
For a specific known name, narrow the filter:
Get-AppxPackage -Name Microsoft.WindowsStore | Select-Object PackageFamilyName
On typical retail Windows 11 installs, the Store’s package family name is often Microsoft.WindowsStore_8wekyb3d8bbwe, but you should always verify on your own machine because OEM images and side-loaded builds differ. Write down every family name you intend to exempt. Third-party UWP games and utilities each have their own identifier; blanket assumptions lead to “still broken” reports.
If PowerShell returns nothing, the app might be a Win32 package distributed through the Store using different packaging, or you might need a different cmdlet scope. For troubleshooting edge cases, consult Microsoft’s current documentation for listing provisioned packages versus per-user installs.
Grant loopback exemption with CheckNetIsolation
Windows ships a small utility called CheckNetIsolation.exe for network isolation diagnostics. Administrators use its loopback exemption mode to allow specific packaged apps to use local proxies and development servers. Run the commands below from an elevated command prompt or elevated PowerShell (right-click Terminal, choose Run as administrator), because changing exemptions touches system policy.
To add an exemption for one package family name:
CheckNetIsolation LoopbackExempt -a -n=Microsoft.WindowsStore_8wekyb3d8bbwe
Replace the value after -n= with the exact string you retrieved from Get-AppxPackage. The -a flag adds an entry to the loopback exempt list. You can repeat the command for Xbox, Game Bar, or any other UWP identity that must reach localhost.
To inspect what Windows currently exempts, use the informational mode documented for your build—commonly a list or query flag depending on version—after you apply changes. If you add the wrong name, nothing breaks globally; the command simply has no effect, which is another reason copy-pasting the precise family name matters.
To remove an exemption when you no longer need local proxy access for that package, the tool supports delete operations with the corresponding package specifier. Keep a short text note of what you added so future you can undo intentional changes cleanly.
Loopback exemption is a security-sensitive knob. You are explicitly allowing sandboxed apps to talk to local services. Grant exemptions only to packages you recognize, and remove them when you finish testing.
Xbox, Game Pass, and other UWP clients
Gaming stacks often include multiple packaged identities: the Xbox app, gaming services, and sometimes per-title shells. A download that originates from the Store may still involve helper packages beyond the main Store entry. If you exempt only one family name, another component might continue to hit the loopback wall. When a flow still fails after exempting the Store, capture the additional package names tied to Xbox or Game Pass using the same PowerShell pattern and add matching CheckNetIsolation lines.
Be patient with large titles. Download managers sometimes retry across CDNs; you want stable exemptions before interpreting flaky speed as node quality. Once loopback works, you can return to tuning proxy groups and rules with confidence that traffic at least reaches Clash.
When TUN mode reduces the need for exemptions
Clash’s TUN interface intercepts traffic at a different layer than per-app WinHTTP settings. Many users enable TUN so that stubborn binaries—including some system components—traverse Mihomo without relying on classic system proxy semantics. For certain workloads, TUN can sidestep the worst of the UWP loopback story because traffic is steered before it is subjected to the same localhost restrictions. TUN is not a universal magic switch; it introduces driver permissions, route tables, and DNS interactions that deserve respect.
If you are deciding between deepening loopback exemptions and switching to TUN, read our TUN mode guide for trade-offs. Some teams run TUN for global capture and keep a minimal loopback list only for developer tools. Others stay on system proxy plus exemptions to avoid kernel-level complexity. Either approach is valid when chosen deliberately.
Troubleshooting checklist
Commands say access denied
Elevation is required. Re-run your shell as administrator. If corporate policy blocks CheckNetIsolation changes, you may need IT assistance or a different connectivity strategy on that device.
Exemption added but nothing changes
Double-check the package family string character for character. Restart the affected app completely—sometimes a full sign-out from the Store helps. Confirm Clash still exposes the listener on the port Windows references.
Store opens but specific games fail
You might be dealing with additional packages or with DNS and rule issues after loopback succeeds. Cross-check the Mihomo connection log once traffic appears; then apply the same disciplined debugging we describe in the Clash troubleshooting guide.
Win32 works, multiple UWPs fail
Consider scripting a loop over all required family names you discovered rather than exempting one popular package and stopping. Document the set that matters for your workflow.
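A scripted version of that loop, as an added example that is not part of the original article. It resolves each family name from an explicit list of package names instead of a wildcard, so only packages you recognize get an exemption, and it records the matching removal command for each one. The note file path is hypothetical; -s (show the exempt list) and -d (delete an entry) are CheckNetIsolation's own LoopbackExempt options.

```powershell
# Added example. Run from an elevated PowerShell session.
# $names holds exact package Names you verified with Get-AppxPackage; extend it yourself.
$names    = @('Microsoft.WindowsStore')
$undoNote = Join-Path $env:USERPROFILE 'loopback-exemptions-added.txt'   # hypothetical note file

# Fail early with a clear message instead of a per-package "access denied".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session; changing exemptions requires administrator rights.'
}

foreach ($name in $names) {
    # Exact name match: no wildcard, so nothing unexpected gets exempted.
    $pkg = Get-AppxPackage -Name $name | Select-Object -First 1
    if (-not $pkg) {
        Write-Warning "No packaged app named '$name' for this user; skipping."
        continue
    }

    $pfn    = $pkg.PackageFamilyName
    $output = & CheckNetIsolation.exe LoopbackExempt -a "-n=$pfn" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Adding $pfn failed (exit code $LASTEXITCODE): $output"
        continue
    }

    # Record the exact command that reverses this change.
    Add-Content -Path $undoNote -Value "CheckNetIsolation LoopbackExempt -d -n=$pfn"
    Write-Host "Exempted $pfn"
}

# Print the resulting exempt list so you can confirm every entry is intentional.
& CheckNetIsolation.exe LoopbackExempt -s
```

If you elevate with a different account than the one you sign in with, Get-AppxPackage lists that account's packages; add -AllUsers in that case.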
How this differs from LAN proxy sharing
Readers who followed our LAN proxy article already know about allow-lan and exposing the mixed port to other devices. UWP loopback is unrelated: it governs whether a sandboxed app may connect to 127.0.0.1 on the same PC, not whether remote phones may use your proxy. Keep the two concepts separate to avoid misapplied firewall rules.
Summary
Clash Windows users who see Microsoft Store or UWP failures while browsers work are often fighting UWP loopback isolation, not subscription quality. Enable a consistent system proxy, look up each app’s package family name, then add a precise CheckNetIsolation loopback exemption. Re-test before you rewrite large portions of your rules file. Pair that workflow with optional TUN mode when you need broader capture, and keep exemptions minimal for security.
Compared with guessing which node “should” fix the Store, a structured loopback fix saves time and keeps your Mihomo profile honest. When you want a polished desktop client that makes proxy mode, logs, and TUN toggles easy to manage, grabbing an up-to-date build matters as much as any YAML tweak.