SNMP Extension Fails on Windows 8/Server 2012 when attempting network communication

Applies to: Windows 8, Windows 8 Enterprise, Windows 8 Pro


Any SNMP Extension agent that attempts to perform UDP or TCP network communication on Windows Server 2012 or Windows 8 will fail. The socket connect() call fails with the following NT status code:

{Access Denied}
A process has requested access to an object, but has not been granted those access rights.


Windows 8/Server 2012 applies "Windows Service Hardening" (WSH) rules to the SNMP.EXE process that block all network communication except UDP outbound to remote port 161 and UDP inbound on local port 161. If a partner SNMP Extension DLL attempts any other UDP or TCP communication, even to the loopback address, the WSH rule rejects it.


The partner must implement their own Windows Service Hardening (WSH) rules to allow their SNMP extension to perform the UDP or TCP communication it requires -- even for loopback communication. For example, if the SNMP extension performs TCP traffic over local port 3333, the following rules must be added:

1. An outbound rule for TCP remote port 3333
2. An inbound rule for TCP local port 3333

This is done by running a program with administrative privileges that adds these two rules through the INetFwRule interface: set each rule's properties with the put_ methods, then add the rule to the rule collection by calling "hr = pFwRules->Add(pFwRule);".

Do not specify the loopback address in put_LocalAddresses or put_RemoteAddresses -- this is neither recommended nor supported. Instead, to block incoming TCP connectivity to local port 3333, configure a rule using Windows Firewall with Advanced Security, netsh, or the Firewall Control Panel to block incoming connection requests. Unlike WSH rules, rules created with these tools have no effect on loopback communication.
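The two rules described above, as an added example (not code from the original article): it drives the same firewall COM API the article names (INetFwRule properties, then Add on the WSH rule collection obtained through INetFwPolicy2::ServiceRestriction) from an elevated PowerShell session. It assumes the Windows SNMP service is named "SNMP" and runs from %SystemRoot%\System32\snmp.exe, and that WSH rules are scoped to a service by the rule's ServiceName property.

```powershell
# Added example, not part of the original article.
# Creates the two Windows Service Hardening (WSH) rules an SNMP extension needs
# in order to use TCP on port 3333. Run from an elevated (administrator) session.
# Assumptions: service name "SNMP", executable %SystemRoot%\System32\snmp.exe.
$ErrorActionPreference = 'Stop'

$ServiceName = 'SNMP'
$SnmpExe     = Join-Path $env:SystemRoot 'System32\snmp.exe'
$Port        = '3333'

# Enum values as defined in netfw.h
$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_RULE_DIR_OUT    = 2
$NET_FW_ACTION_ALLOW    = 1

# INetFwPolicy2 -> INetFwServiceRestriction -> INetFwRules: this is the WSH rule
# collection, separate from the ordinary rules shown in the management console.
$policy   = New-Object -ComObject HNetCfg.FwPolicy2
$wshRules = $policy.ServiceRestriction.Rules

function New-WshRule {
    param([string]$Name, [int]$Direction)

    $rule = New-Object -ComObject HNetCfg.FWRule    # INetFwRule
    $rule.Name            = $Name
    $rule.Description     = "WSH allow rule for SNMP extension (TCP $Port)"
    $rule.ServiceName     = $ServiceName            # scope the rule to the SNMP service
    $rule.ApplicationName = $SnmpExe
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP
    $rule.Direction       = $Direction
    if ($Direction -eq $NET_FW_RULE_DIR_OUT) {
        $rule.RemotePorts = $Port                   # 1. outbound: TCP remote port 3333
    } else {
        $rule.LocalPorts  = $Port                   # 2. inbound: TCP local port 3333
    }
    # LocalAddresses / RemoteAddresses are deliberately left at the default "*":
    # the article states that putting the loopback address here is unsupported.
    $rule.Action  = $NET_FW_ACTION_ALLOW
    $rule.Enabled = $true
    $wshRules.Add($rule)                            # equivalent of pFwRules->Add(pFwRule)
}

New-WshRule -Name "SNMP extension TCP $Port out" -Direction $NET_FW_RULE_DIR_OUT
New-WshRule -Name "SNMP extension TCP $Port in"  -Direction $NET_FW_RULE_DIR_IN

# Check: list the WSH rules now scoped to the SNMP service
$wshRules | Where-Object { $_.ServiceName -eq $ServiceName } |
    Select-Object Name, Direction, Protocol, LocalPorts, RemotePorts
```

After running it, the extension's connect() to port 3333 should no longer return {Access Denied}; ordinary firewall rules for the same port are still evaluated separately, as the paragraph above notes.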

More Information

The INetFwRule interface documentation can be found in MSDN: