You cannot create a network connection when you are starting a Windows XP SP2-based computer

Article ID: 917730

Symptoms

When you try to create a network connection with a computer that is running Microsoft Windows XP Service Pack 2 (SP2), you may experience one or more of the following problems:
  • There is a delay or a slow response when you try to log on or access data on a server.
  • You may receive a time-out error message. The text of the message may vary depending on the program that you are using.
  • You may be unable to create the network connection.
This behavior occurs primarily when the Windows XP SP2-based computer is starting. The behavior stops after the Windows Firewall/Internet Connection Sharing service starts.

Cause

This behavior occurs because Windows Firewall uses packet filtering to block unknown TCP/IP packets on the Windows XP SP2-based computer. This prevents the computer from receiving User Datagram Protocol (UDP) packets, and therefore prevents the network connection.

Windows Firewall helps protect computers that are connected to a network by rejecting unsolicited or unknown incoming connections through TCP/IP version 4 (IPv4). By default, Windows Firewall is turned on in Windows XP SP2. Windows Firewall starts early in the startup process, and then loads a boot-time policy that uses packet filtering to block the unknown packets until the service starts. This boot-time policy is hard-coded and applies even if Windows Firewall is turned off.

Workaround

To work around this behavior, use one or more of the following methods:
  • Wait about 15 seconds, and then retry the network connection.
  • Increase the time-out settings as required for any programs that are affected by this issue.

Resolution

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Note This hotfix lets you configure the registry to turn off boot-time security settings. Additionally, this hotfix alters Windows Firewall so that UDP packets can be received when the Windows XP SP2-based computer is starting. Therefore, you should only use this hotfix when you absolutely must resolve the behavior. We recommend that you use the methods described in the "Workaround" section to work around this behavior.

To enable this hotfix, you must modify the registry to specify the ports that you want to exclude from the boot-time policy when the computer is starting until Windows Firewall starts. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat
  3. On the Edit menu, point to New, and then click Key.
  4. Type Parameters, and then press ENTER.
  5. On the Edit menu, point to New, and then click String Value.
  6. Type BootTimeUDPExemptions, and then press ENTER.
  7. Right-click BootTimeUDPExemptions, and then click Modify.
  8. In the Value data box, type the numbers of the ports that you want to exclude from the boot-time policy, and then click OK.

    Note You must separate port numbers with commas. For example, type 1234,5678,23456 to open ports 1234, 5678, and 23456.
  9. Exit Registry Editor.
Notes
  • You must be logged in as an administrator to apply these changes.
  • You can apply these changes before or after you install the hotfix. However, the registry setting has no effect unless the hotfix is installed.
  • These changes are no longer in effect after Windows Firewall starts.
  • This hotfix only lets you enable common UDP ports. You cannot use this hotfix to add dynamic ports to the boot-time security exemptions of the firewall.
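The following is an added example, not part of the original article or of any Microsoft tool. Every port in BootTimeUDPExemptions can receive UDP packets before Windows Firewall starts, so this sketch checks a value against an approved list and renders a .reg file for it. The strict parsing rules and the approved list are assumptions of the example; the subkey, value name, and comma-separated format come from the steps above.

```python
import re

# Subkey and value name are taken from the article's steps.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat\Parameters"
VALUE = "BootTimeUDPExemptions"


def parse_exemptions(data):
    """Parse the comma-separated value data into a sorted list of unique ports.

    Assumption: the article only says that ports are separated by commas, so
    ranges, names, and empty fields are rejected instead of being guessed at.
    """
    ports = set()
    for field in data.split(","):
        token = field.strip()
        if not re.fullmatch(r"[0-9]{1,5}", token):
            raise ValueError(f"not a single decimal port number: {field!r}")
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return sorted(ports)


def audit(data, approved):
    """Return the ports exempted at boot time that are not on the approved list."""
    return [p for p in parse_exemptions(data) if p not in approved]


def render_reg(ports):
    """Render .reg file text that sets the value as a string (REG_SZ)."""
    value = ",".join(str(p) for p in ports)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{KEY}]\r\n"
        f'"{VALUE}"="{value}"\r\n'
    )


if __name__ == "__main__":
    current = "1234,5678,23456"   # the article's example value
    approved = {1234}             # constructed sample allowlist
    print("unapproved boot-time exemptions:", audit(current, approved))
    print(render_reg(parse_exemptions(current)))
```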
The following file is available for download from the Microsoft Download Center:

Download the 917730 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Hotfix information

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File name    File version     File size    Date           Time     Platform
Ipnat.sys    5.1.2600.2887    136,320      14-Apr-2006    00:20    x86

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

More information

Boot-time security

In versions of Windows XP that are earlier than Windows XP SP2, there is a window of time between when the network stack starts and when Internet Connection Firewall starts to provide protection. The firewall driver does not start to filter TCP/IP packets until the firewall service is loaded and the appropriate policy is applied. The firewall service depends on several functions and must wait until those functions clear before the service pushes the policy to the driver. During this window of time, a packet could be received and delivered to a service without Internet Connection Firewall filtering. This could potentially expose the computer to a whole class of vulnerabilities. The time period is based on the speed of the computer.

In Windows XP SP2, the firewall driver has a new static policy rule named the boot-time policy. The boot-time policy performs stateful filtering and eliminates the window of vulnerability when the computer is starting. The boot-time policy enables the computer to open ports so that basic networking tasks such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) can occur. The boot-time policy also enables the computer to communicate with a domain controller to obtain appropriate policies. As soon as the firewall service is running, the run-time Windows Firewall policy is loaded, applied, and the boot-time filters are removed. The boot-time policy cannot be configured.

Note If the Windows Firewall/Internet Connection Sharing service is set to Disabled or Manual, the boot-time policy is not applied.

For more information about the Windows Firewall service, click the following article number to view the article in the Microsoft Knowledge Base:
320855 Description of the Windows XP Internet Connection Firewall
For more information about how to turn Internet Connection Firewall on or off, visit the following Microsoft Web page:
http://technet2.microsoft.com/WindowsServer/en/library/28d7c0c4-539e-4510-9431-9e52d24e0a021033.mspx
For more information about how to turn Internet Connection Firewall on or off, click the following article number to view the article in the Microsoft Knowledge Base:
268230 How to turn on or turn off the firewall in Windows XP
For more information about how Internet Connection Firewall can prevent access to file and printer shares, click the following article number to view the article in the Microsoft Knowledge Base:
298804 Internet firewalls can prevent browsing and file sharing
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
306203 Internet Connection Firewall and Basic Firewall do not block Internet Protocol version 6 traffic
For more information about the Internet Connection Firewall Security log file, visit the following Microsoft Web page:
http://technet2.microsoft.com/WindowsServer/en/library/2fcb60d7-545c-4375-8c79-e055c822b41c1033.mspx
For more information about ICMP, visit the following Microsoft Web pages:
http://technet2.microsoft.com/windowsserver/en/library/732438fe-70c5-4e68-9663-ecbd955d29ea1033.mspx

Properties

Article ID: 917730 - Last Review: April 22, 2013 - Revision: 7.0