Microsoft KB Archive/917730

= You cannot create a network connection when you are starting a Windows XP SP2-based computer =

Article ID: 917730

Article Last Modified on 8/29/2007

-

APPLIES TO


 * Microsoft Windows XP Service Pack 2

-





Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When you try to create a network connection with a computer that is running Microsoft Windows XP Service Pack 2 (SP2), you may experience one or more of the following problems:
 * There is a delay or a slow response when you try to log in or access data on a server.
 * You may receive a time-out error message. The text of the message may vary depending on the program that you are using.
 * You may be unable to create the network connection.

This behavior occurs primarily when the Windows XP SP2-based computer is starting. The behavior stops after the Windows Firewall/Internet Connection Sharing service starts.



CAUSE
This behavior occurs because Windows Firewall uses packet filtering to block unknown TCP/IP packets on the Windows XP SP2-based computer. This prevents the computer from receiving User Datagram Protocol (UDP) packets, and therefore prevents the network connection.

Windows Firewall helps protect computers that are connected to a network by rejecting unsolicited or unknown incoming connections through TCP/IP version 4 (IPv4). By default, Windows Firewall is turned on in Windows XP SP2. Windows Firewall starts early in the startup process, and then loads a boot-time policy that uses packet filtering to block the unknown packets until the service starts. This boot-time policy is hard-coded and applies even if Windows Firewall is turned off.



WORKAROUND
To work around this behavior, use one or more of the following methods:
 * Wait about 15 seconds, and then retry the network connection.
 * Increase the time-out settings as required for any programs that are affected by this issue.



RESOLUTION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note This hotfix lets you configure the registry to turn off boot-time security settings. Additionally, this hotfix alters Windows Firewall so that UDP packets can be received when the Windows XP SP2-based computer is starting. Therefore, you should only use this hotfix when you absolutely must resolve the behavior. We recommend that you use the methods described in the "Workaround" section to work around this behavior.

To enable this hotfix, you must modify the registry to specify the ports that you want to exclude from the boot-time policy from the time the computer starts until Windows Firewall starts. To do this, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat

 3. On the Edit menu, point to New, and then click Key.
 4. Type Parameters, and then press ENTER.
 5. On the Edit menu, point to New, and then click String Value.
 6. Type BootTimeUDPExemptions, and then press ENTER.
 7. Right-click BootTimeUDPExemptions, and then click Modify.
 8. In the Value data box, type the numbers of the ports that you want to exclude from the boot-time policy, and then click OK.

    Note You must separate port numbers with commas. For example, type 1234,5678,23456 to open ports 1234, 5678, and 23456.
 9. Exit Registry Editor.

Notes
 * You must be logged in as an administrator to apply these changes.
 * You can apply these changes before or after you install the hotfix. However, the registry setting has no effect unless the hotfix is installed.
 * These changes are no longer in effect after Windows Firewall starts.
 * This hotfix only lets you enable common UDP ports. You cannot use this hotfix to add dynamic ports to the boot-time security exemptions of the firewall.
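The following PowerShell script is an added example, not part of the KB article or a Microsoft tool: it audits the BootTimeUDPExemptions value described above, validates the comma-separated port list format, and can write the value as the REG_SZ string the steps call for. It assumes an elevated session and that the hotfix is installed (without it the value has no effect); the function names are the author's own.

```powershell
# Added example (not from KB917730): audit or set BootTimeUDPExemptions.
# Assumes the KB917730 hotfix is installed and the session is elevated.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IpNat\Parameters'
$ValueName = 'BootTimeUDPExemptions'

function Test-BootTimeUdpExemptionList {
    # Validates the format the article requires: comma-separated port numbers.
    param([string]$PortList)
    if ([string]::IsNullOrWhiteSpace($PortList)) { return $false }
    foreach ($token in $PortList.Split(',')) {
        $port = 0
        if (-not [int]::TryParse($token.Trim(), [ref]$port)) { return $false }
        if ($port -lt 1 -or $port -gt 65535) { return $false }
    }
    return $true
}

function Get-BootTimeUdpExemptions {
    # Returns the current exemption list, or $null if the value is not set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-BootTimeUdpExemptions {
    # Writes the list as a REG_SZ value (the "String Value" type in the steps).
    param([int[]]$Ports)
    $list = ($Ports | Sort-Object -Unique | ForEach-Object { [string]$_ }) -join ','
    if (-not (Test-BootTimeUdpExemptionList $list)) { throw "Invalid port list: $list" }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $list -PropertyType String -Force | Out-Null
    return $list
}

# Audit: report which UDP ports are currently exempted from the boot-time policy.
$current = Get-BootTimeUdpExemptions
if ($null -eq $current) {
    Write-Host "$ValueName is not set; boot-time policy blocks all UDP until the firewall service starts."
} elseif (Test-BootTimeUdpExemptionList $current) {
    Write-Host "Boot-time UDP exemptions in effect: $current"
} else {
    Write-Warning "$ValueName is set but malformed: '$current'"
}

# To apply the article's example ports (1234, 5678, 23456), uncomment:
# Set-BootTimeUdpExemptions -Ports 1234,5678,23456
```

Each exempted port widens the window the boot-time policy exists to close, so the audit branch is the part worth running routinely; keep the list to the minimum the affected programs need.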

The following file is available for download from the Microsoft Download Center:

Download the 917730 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Boot-time security
In versions of Windows XP that are earlier than Windows XP SP2, there is a window of time between when the network stack starts and when Internet Connection Firewall starts to provide protection. The firewall driver does not start to filter TCP/IP packets until the firewall service is loaded and the appropriate policy is applied. The firewall service depends on several functions and must wait until those functions clear before the service pushes the policy to the driver. During this window of time, a packet could be received and delivered to a service without Internet Connection Firewall filtering. This could potentially expose the computer to a whole class of vulnerabilities. The time period is based on the speed of the computer.

In Windows XP SP2, the firewall driver has a new static policy rule named the boot-time policy. The boot-time policy performs stateful filtering and eliminates the window of vulnerability when the computer is starting. The boot-time policy enables the computer to open ports so that basic networking tasks such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) can occur. The boot-time policy also enables the computer to communicate with a domain controller to obtain appropriate policies. As soon as the firewall service is running, the run-time Windows Firewall policy is loaded, applied, and the boot-time filters are removed. The boot-time policy cannot be configured.

Note If the Windows Firewall/Internet Connection Sharing service is set to Disabled or Manual, the boot-time policy is not applied.

For more information about the Windows firewall, visit the following Microsoft Web page:

http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

For more information about the Windows Firewall service, click the following article number to view the article in the Microsoft Knowledge Base:

320855 Description of the Windows XP Internet Connection Firewall

For more information about how to turn Internet Connection Firewall on or off, visit the following Microsoft Web page:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_enable_firewall.mspx

For more information about how to turn Internet Connection Firewall on or off, click the following article number to view the article in the Microsoft Knowledge Base:

268230 How to turn on or turn off the firewall in Windows XP

For more information about how Internet Connection Firewall can prevent access to file and printer shares, click the following article numbers to view the articles in the Microsoft Knowledge Base:

298804 Internet firewalls can prevent browsing and file sharing

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

306203 Internet Connection Firewall and Basic Firewall do not block Internet Protocol version 6 traffic

For more information about the Internet Connection Firewall Security log file, visit the following Microsoft Web page:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_firewall_log_understanding.mspx

For more information about service definitions, visit the following Microsoft Web pages:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_services_overview.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_services_add.mspx

For more information about ICMP, visit the following Microsoft Web pages:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_und_icmp.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_icmp_select.mspx

For more information about the version of Windows Firewall that is included in Windows XP SP2, visit the following Microsoft Web page:

http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Additional query words: Boot-Time Firewall Security

Keywords: atdownload kbqfe kbhotfixserver kbtshoot kbexpertiseinter KB917730

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.