Article ID: 917730
When you try to create a network connection with a computer that is running Microsoft Windows XP Service Pack 2 (SP2), you may experience one or more of the following problems:
This behavior occurs because Windows Firewall uses packet filtering to block unknown TCP/IP packets on the Windows XP SP2-based computer. This prevents the computer from receiving User Datagram Protocol (UDP) packets, and therefore prevents the network connection.
Windows Firewall helps protect computers that are connected to a network by rejecting unsolicited or unknown incoming connections through TCP/IP version 4 (IPv4). By default, Windows Firewall is turned on in Windows XP SP2. Windows Firewall starts early in the startup process, and then loads a boot-time policy that uses packet filtering to block the unknown packets until the service starts. This boot-time policy is hard-coded and applies even if Windows Firewall is turned off.
To work around this behavior, use one or more of the following methods:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Note This hotfix lets you configure the registry to turn off boot-time security settings. Additionally, this hotfix alters Windows Firewall so that UDP packets can be received when the Windows XP SP2-based computer is starting. Therefore, you should only use this hotfix when you absolutely must resolve the behavior. We recommend that you use the methods described in the "Workaround" section to work around this behavior.
To enable this hotfix, you must modify the registry to specify the ports that you want to exclude from the boot-time policy when the computer is starting until Windows Firewall starts. To do this, follow these steps:
Download the 917730 package now.
Collapse this imageExpand this image
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
(http://support.microsoft.com/kb/119591/ )How to obtain Microsoft support files from online services
File informationThe English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Collapse this tableExpand this table
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/824684/ )Description of the standard terminology that is used to describe Microsoft software updates
Boot-time securityIn versions of Windows XP that are earlier than Windows XP SP2, there is a window of time between when the network stack starts and when Internet Connection Firewall starts to provide protection. The firewall driver does not start to filter TCP/IP packets until the firewall service is loaded and the appropriate policy is applied. The firewall service depends on several functions and must wait until those functions clear before the service pushes the policy to the driver. During this window of time, a packet could be received and delivered to a service without Internet Connection Firewall filtering. This could potentially expose the computer to a whole class of vulnerabilities. The time period is based on the speed of the computer.
In Windows XP SP2, the firewall driver has a new static policy rule named the boot-time policy. The boot-time policy performs stateful filtering and eliminates the window of vulnerability when the computer is starting. The boot-time policy enables the computer to open ports so that basic networking tasks such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) can occur. The boot-time policy also enables the computer to communicate with a domain controller to obtain appropriate policies. As soon as the firewall service is running, the run-time Windows Firewall policy is loaded, applied, and the boot-time filters are removed. The boot-time policy cannot be configured.
Note If the Windows Firewall/Internet Connection Sharing service is set to Disabled or Manual, the boot-time policy is not applied.
For more information about the Windows Firewall service, click the following article number to view the article in the Microsoft Knowledge Base:
320855For more information about how to turn Internet Connection Firewall on or off, visit the following Microsoft Web page:
(http://support.microsoft.com/kb/320855/ )Description of the Windows XP Internet Connection Firewall
http://technet2.microsoft.com/WindowsServer/en/library/28d7c0c4-539e-4510-9431-9e52d24e0a021033.mspxFor more information about how to turn Internet Connection Firewall on or off, click the following article number to view the article in the Microsoft Knowledge Base:
268230For more information about how Internet Connection Firewall can prevent access to file and printer shares, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/283673/ )How to turn on or turn off the firewall in Windows XP
298804For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/298804/ )Internet firewalls can prevent browsing and file sharing
306203For more information about the Internet Connection Firewall Security log file, visit the following Microsoft Web page:
(http://support.microsoft.com/kb/306203/ )Internet Connection Firewall and Basic Firewall do not block Internet Protocol version 6 traffic
http://technet2.microsoft.com/WindowsServer/en/library/2fcb60d7-545c-4375-8c79-e055c822b41c1033.mspxFor more information about ICMP, visit the following Microsoft Web pages: