ActiveX Installer Service fails when DNS Client service is disabled in Windows 8

Applies to: Windows 8Windows 8 EnterpriseWindows 8 Pro

Symptoms


Consider the following scenario:

  • You disable the DNS Client service on a Windows 8-based computer.
  • The ActiveX Installer Service feature is enabled on the computer.
  • You use Internet Explorer to browse to a site that requires you to install an ActiveX control.
In this scenario, you are prompted to enter administrator credentials or administrative approval unexpectedly.

Note The behavior is different in Windows 7. The ActiveX Installer Service works correctly if the DNS Client service is disabled in Windows 7.

Cause


This behavior is by design. A new firewall rule introduced in Windows 8 prevents the ActiveX Installer Service from making DNS queries directly when the ActiveX Installer Service cannot rely on the DNS Client service to do the query on its behalf.

Workaround


Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.


To work around this issue, set the following registry subkey. This registry subkey exempts DNS datagrams from the ActiveX Installer Service firewall policy.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System] 
"AxInstSV-4"="V2.0|Action=Allow|Dir=Out|RPort=53|Protocol=17|app=%windir%\\System32\\svchost.exe|Svc=AxInstSV|Name=AxInstSV DNS outbound allow|Desc=Allow outbound DNS UDP traffic from AxInstSV|"