When the browser obeys Clash but Windows feels “split”

You are not imagining a two-speed network. On a typical Meta-based GUI, flipping System Proxy writes HTTP and SOCKS endpoints into the user’s WinINET settings and marks the profile active. Chromium reads those keys eagerly, so Google search, GitHub, and streaming tabs jump onto your nodes within seconds. Meanwhile, a first-party app that uses WinRT networking, a hardened AppContainer, or its own HTTP stack may never consult the same surface—or may consult it yet still fail if the path depends on reaching a listener on 127.0.0.1 that policy forbids.

Clash itself is usually healthy. Subscription latency looks fine, the dashboard shows handshakes, and speed tests in the browser match expectations. The confusing part is categorical: some executables are “proxy aware,” others behave as if the machine were clean. Before you rewrite YAML for the fifth time, classify the failure. If the symptom is “Store cannot reach anything” while the browser is perfect, you might be dealing with Microsoft-side account or TLS issues—but if the symptom is “Store loads catalog pages yet downloads crawl on the wrong exit,” you are in routing territory. If the symptom is “everything UWP fails only while Clash points to 127.0.0.1:7890,” you are staring at localhost loopback isolation, not weak nodes.

Prove the class in sixty seconds Temporarily set a non-loopback LAN listener (allowed by your client’s “Allow LAN” option) and point system proxy at that LAN IP from another device—or switch to TUN briefly. If UWP suddenly follows policy, loopback was the gating issue. If nothing changes, continue with DNS and rule order checks using our YAML routing tutorial.

What UWP “loopback isolation” actually means on Windows 11

Universal Windows Platform applications run inside an AppContainer sandbox. One of the sandbox’s historical defaults is to block network connections that target localhost unless the system explicitly grants an exemption. Microsoft’s rationale was sensible: a malicious sideloaded app should not silently scan services on your loopback interface or abuse a local administrative agent. The side effect is legitimate: if Clash (or any local forwarder) listens on 127.0.0.1 and the OS pushes “use HTTP proxy at 127.0.0.1:port,” the UWP process may be unable to complete the TCP handshake to that proxy port even though a Win32 browser can.

This is different from “UWP ignores proxies entirely.” In many builds, the platform does attempt to honor system proxy for outbound Internet traffic, but any workflow that tunnels through a local intermediary hits the loopback wall first. Mixed-mode clients make this more visible: they expose mixed ports, API dashboards, and PAC files on localhost for convenience. Power users then see Edge succeed while the Store updater stalls—not because the Store is “smarter,” but because the components involved sit on different sides of the sandbox boundary.

Windows exposes mitigation through CheckNetIsolation, a console utility that manipulates LoopbackExemptions for specific package family names. Granting an exemption is narrower than disabling the firewall: you are explicitly allowing a known package to talk to loopback interfaces. That is still a security-sensitive knob—treat exemptions like firewall rules. Prefer the minimal set of packages, revoke experiments you no longer need, and avoid blanket “enable for everything” tools except on disposable VMs.

System proxy versus UWP: where WinINET ends

System proxy on Windows is not one universal string that every subsystem reads. WinINET-based consumers pick up user-level proxy configuration; WinHTTP maintains a separate matrix often tuned with netsh winhttp; WinRT stacks may query yet another source depending on manifest capabilities and OS revision. Clash GUIs usually configure the path that helps browsers fastest. That is good default UX, but it explains why “I enabled system proxy” is not a single switch that magically re-parents Xbox Game Bar widgets, certain inbox services, or odd COM-activated downloaders.

For day-to-day browsing and many IDEs, staying on system proxy keeps blast radius small. When you need first-party apps to respect the same exit policy as the browser, you either align their proxy discovery path, remove the localhost dependency from the hot path, or move interception earlier—TUN mode—so the traffic is classified before it leaves the host. The next sections walk those choices in a reproducible order.

Manual loopback exemption with CheckNetIsolation (Administrator)

When you are confident the failure mode is loopback-related, add a targeted exemption for the package family name (PFN) of the misbehaving app. The tool ships with Windows; you do not install extras. You do need an elevated shell because you are altering network isolation policy.

Step 1 — Identify the package family name

Open PowerShell as a standard user and list candidates. For Microsoft Store infrastructure, you often touch packages whose names begin with Microsoft.WindowsStore or Microsoft.StorePurchaseApp, but your symptom might implicate Microsoft.XboxIdentityProvider or another dependency. Use Get-AppxPackage with a string filter:

Get-AppxPackage *store* | Select-Object Name, PackageFamilyName

Copy the PackageFamilyName exactly—case and punctuation matter.

Step 2 — Enable loopback for that PFN

Launch PowerShell as Administrator and run:

CheckNetIsolation LoopbackExempt -a -n="Your.PackageFamilyName_here"

The -a flag adds an exemption. No output usually means success. Relaunch the UWP app completely—suspended background brokers may cache negative paths—then retest downloads or sign-in flows.

Step 3 — Audit what you granted

List current exemptions:

CheckNetIsolation LoopbackExempt -s

To remove a mistake:

CheckNetIsolation LoopbackExempt -d -n="Your.PackageFamilyName_here"
Do not paste mystery scripts Community “one-liners” that loop across every installed package and exempt all of them defeat the sandbox’s intent. Prefer explicit PFNs tied to the app you are debugging, then document the change in your personal runbook so you can revert after upgrades.

GUI helpers in Clash forks (UWP loopback toggles)

Most maintained Meta-based Windows clients surface the same underlying capability as a checklist: pick Microsoft Store, Xbox-related packages, or other inbox apps, then apply loopback exemptions with one click. Under the hood, the GUI still ends up at the same isolation APIs—you are simply avoiding typos in PackageFamilyName strings.

When you use these tools, read the dialog carefully. Some builds distinguish between “enable loopback for selected apps” and “reset Windows proxy keys.” Applying both at once during a heated debugging session can obscure the true fix. Change one layer at a time: first confirm plain Internet routing with TUN off, then address loopback if localhost is in the path, then re-enable TUN if you need IP-layer capture for non-proxy-aware binaries.

If your fork does not expose a UWP helper, the manual CheckNetIsolation path remains authoritative. Keep a small text file of PFNs you legitimately exempted; Windows feature upgrades occasionally shuffle dependent packages, and a stale exemption is cheaper to re-add than to rediscover from scratch.

Why TUN mode fixes a different class of “still direct” issues

Clash TUN attaches a virtual network adapter and steers eligible IP traffic through the Meta core before it egresses the machine. That is the same conceptual model described in our Windows 11 and macOS TUN guide: you are no longer asking each app to cooperate with SOCKS or HTTP proxy settings. For Internet-bound flows, TUN often makes Store, Xbox Live, and other WinRT clients “just work” from a routing perspective because the TCP session is redirected at a layer below most per-app proxy preferences.

TUN does not delete loopback policy. If an app must talk to a localhost-only control channel and remains sandboxed, you can still need CheckNetIsolation. In practice, many user complaints disappear after TUN because their Clash listener is no longer the loopback bottleneck for general HTTPS—only ancillary tools (local API, PAC hosts, plugin panels) continue to care. Treat TUN as widening coverage; treat loopback exemption as unblocking local endpoints.

YAML and split routing sanity

Turning TUN on without reviewing tun and dns sections can make everything worse: full-machine outages, recursive DNS, or “only Microsoft breaks” patterns when fake-ip and DOMAIN rules disagree. Keep auto-route behavior aligned with your intent, avoid stacking two tunnel drivers, and verify upstream policy groups before blaming the adapter. When you need intricate streaming or AI splits, wire dedicated policy groups first—see the policy group guide—then enable TUN so the enforcement point matches the complexity of your table.

A repeatable Windows 11 workflow (system proxy → loopback → TUN)

Follow the same order every time you onboard a laptop or rebuild an image. First, prove baseline Internet without Clash. Second, import a known-good subscription and enable system proxy only; confirm browser egress and DNS. Third, reproduce the UWP symptom. Fourth, if the proxy endpoint is on localhost, apply a minimal loopback exemption set (GUI or CheckNetIsolation). Fifth, if some binaries still ignore proxy discovery, enable TUN and re-test while watching the Meta log for policy hits. Sixth, document toggles you actually needed so the next OS feature update is a diff, not a treasure hunt.

Observation Likely interpretation Try next
Browser OK, UWP fails only with 127.0.0.1 proxy Loopback isolation CheckNetIsolation or client UWP tool for that PFN
Browser OK, UWP still wrong exit after LAN proxy IP Rule/DNS path, not loopback Inspect DOMAIN/GEOIP order; simplify DNS mode
Everything times out when TUN enables Adapter, DNS hijack, or route conflict Follow TUN troubleshooting section in the desktop guide
Store opens but purchases error Account, TLS inspection, or region mismatch Separate from proxy; check account and date/time
Xbox app chat works, downloads stall Mixed CDN policy or dead node Test nodes; add DOMAIN-SUFFIX splits for delivery hosts

DNS, fake-ip, and first-party Microsoft endpoints

Even with perfect TUN and a generous loopback profile, DNS mistakes masquerade as “UWP is broken.” If Clash serves synthetic addresses for domains that Microsoft libraries resolve in unexpected orders, you can see partial success: icons render while large blobs never start. Align dns mode with your rules, prefer explicit nameserver-policy splits for sensitive suffixes, and avoid aggressive hijacks until the baseline path is stable. When debugging, temporarily simplify DNS to a conservative configuration, validate with a packet capture or Meta logs, then reintroduce fake-ip and advanced features deliberately.

Remember that some inbox components use encrypted DNS or hard-coded resolvers. They still traverse IP once resolved; that is where TUN visibility helps. If logs show unexpected SNI or QUIC noise, tune process rules rather than hammering global switches.

Enterprise agents, campus Wi-Fi, and double tunnels

Corporate device compliance stacks sometimes inject their own filtering drivers that interact poorly with Meta’s WFP helper. Symptoms overlap with loopback confusion: some apps work, some do not, and toggling Clash appears nondeterministic. Pause third-party VPNs and endpoint filters only long enough to establish whether Clash alone reproduces the issue. If the conflict is confirmed, decide on exclusion lists with your IT policy—randomly elevating exemptions across all UWP packages is not a substitute for architecture review.

Campus captive portals add another wrinkle: until you authenticate, general traffic should remain local. Keep bypass rules for portal domains and subnets in your profile comments so you remember why those lines exist six months later.

Verification checklist before you call it “fixed”

  1. Record baseline speeds without Clash on the same Wi-Fi radio channel.
  2. With system proxy only, verify two browsers and one non-browser Win32 tool (for example curl without manual flags) to see inherited settings.
  3. Enumerate failing UWP PFNs; apply minimal loopback exemptions; reboot the app cold.
  4. Enable TUN; confirm the virtual adapter appears; rerun Store or Xbox flows while tailing Meta logs.
  5. Rollback test: disable TUN, remove one exemption at a time, confirm the minimal fix set.
  6. Export the working YAML and store the PFN list beside it for the next Windows feature upgrade.

If every step passes yet a single title still misbehaves, capture the exact error string—Microsoft’s client messages distinguish store account blocks, licensing, and networking. Routing can only heal what is truly a path problem.

Closing thoughts

Windows 11 does not hate Clash; it applies layered sandboxes that interact with localhost-forwarding designs in ways classic Win32 never exposed. Understanding UWP loopback isolation, knowing how to wield CheckNetIsolation without carpet-bombing exemptions, and pairing those fixes with disciplined TUN activation gives you a complete desktop playbook: local interoperability when you need it, IP-layer enforcement when proxy discovery is incomplete, and system proxy for the lightweight case that already works.

Compared with endlessly toggling “PAC / Global / Rule” buttons, the structured approach saves time and reduces surprise regressions after cumulative updates. A maintained Meta-based client from a trustworthy channel, plus clear documentation of which PFNs you exempted, ages far better than ad hoc hacks copied from old forum threads.

Download Clash for free and experience the difference — pick a current Windows build, enable system proxy for quick wins, then graduate to TUN when you want Store, Xbox, and desktop binaries on the same policy rails.

For the full tunnel story across adapters, drivers, and DNS hijack, continue with the TUN setup and troubleshooting guide and keep our tech column open while you iterate.