- There is a delay or a slow response when you try to log on or access data on a server.
- You may receive a time-out error message. The text of the message may vary depending on the program that you are using.
- You may be unable to create the network connection.
Windows Firewall helps protect computers that are connected to a network by rejecting unsolicited or unknown incoming connections through TCP/IP version 4 (IPv4). By default, Windows Firewall is turned on in Windows XP SP2. Windows Firewall starts early in the startup process, and then loads a boot-time policy that uses packet filtering to block the unknown packets until the service starts. This boot-time policy is hard-coded and applies even if Windows Firewall is turned off.
- Wait about 15 seconds, and then retry the network connection.
- Increase the time-out settings as required for any programs that are affected by this issue.
Note: This hotfix lets you configure the registry to turn off boot-time security settings. Additionally, this hotfix alters Windows Firewall so that UDP packets can be received when the Windows XP SP2-based computer is starting. Therefore, you should only use this hotfix when you absolutely must resolve the behavior. We recommend that you use the methods described in the "Workaround" section to work around this behavior.
To enable this hotfix, you must modify the registry to specify the ports that you want to exclude from the boot-time policy when the computer is starting until Windows Firewall starts. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat
- On the Edit menu, point to New, and then click Key.
- Type Parameters, and then press ENTER.
- On the Edit menu, point to New, and then click String Value.
- Type BootTimeUDPExemptions, and then press ENTER.
- Right-click BootTimeUDPExemptions, and then click Modify.
- In the Value data box, type the numbers of the ports that you want to exclude from the boot-time policy, and then click OK.
Note: You must separate port numbers with commas. For example, type 1234,5678,23456 to open ports 1234, 5678, and 23456.
- Exit Registry Editor.
- You must be logged in as an administrator to apply these changes.
- You can apply these changes before or after you install the hotfix. However, the registry setting has no effect unless the hotfix is installed.
- These changes are no longer in effect after Windows Firewall starts.
- This hotfix only lets you enable common UDP ports. You cannot use this hotfix to add dynamic ports to the boot-time security exemptions of the firewall.
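The registry procedure above, scripted as an added example (not part of the KB article): it validates the comma-separated port list format the article requires, writes the BootTimeUDPExemptions string value under the IpNat\Parameters subkey, reads it back, and warns when the Windows Firewall/ICS service start mode would prevent the boot-time policy from being applied. It assumes a Windows XP SP2 host with hotfix 917730 installed, PowerShell available, and an administrator session; the sample port list is the one from the article.

```powershell
# Added example, not the KB article's own code. Assumes XP SP2 + hotfix 917730,
# PowerShell installed, and an administrator session.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IpNat\Parameters'
$ValueName = 'BootTimeUDPExemptions'

function Test-UdpPortList {
    # The article requires "1234,5678,23456": digits separated by commas, no spaces.
    param([string]$PortList)
    if ($PortList -notmatch '^\d+(,\d+)*$') { return $false }
    foreach ($p in $PortList -split ',') {
        if ([int]$p -lt 1 -or [int]$p -gt 65535) { return $false }
    }
    return $true
}

function Set-BootTimeUdpExemptions {
    param([string]$PortList)
    if (-not (Test-UdpPortList $PortList)) {
        throw "Port list must be comma-separated numbers 1-65535 with no spaces: '$PortList'"
    }
    # Create the Parameters subkey if it does not exist yet (step 3-4 of the procedure).
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_SZ value holding the port list (steps 5-8 of the procedure).
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $PortList `
                     -PropertyType String -Force | Out-Null
    # Return what is actually stored so the caller can confirm the write.
    return (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

# The boot-time policy is not applied when the Windows Firewall/ICS service
# (service name SharedAccess) is set to Disabled or Manual, so the exemptions
# would be meaningless; surface that before changing anything.
$svc = Get-WmiObject Win32_Service -Filter "Name='SharedAccess'"
if ($svc -and $svc.StartMode -ne 'Auto') {
    Write-Warning "SharedAccess start mode is $($svc.StartMode); boot-time policy is not applied."
}

# Sample value taken from the article's own example (constructed ports 1234, 5678, 23456).
$stored = Set-BootTimeUdpExemptions -PortList '1234,5678,23456'
Write-Output "Stored $ValueName = $stored"
```

The value only takes effect after a reboot with the hotfix installed, and it stops applying once the Windows Firewall service has started and loaded the run-time policy.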
Download the 917730 package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
Boot-time security

In versions of Windows XP that are earlier than Windows XP SP2, there is a window of time between when the network stack starts and when Internet Connection Firewall starts to provide protection. The firewall driver does not start to filter TCP/IP packets until the firewall service is loaded and the appropriate policy is applied. The firewall service depends on several functions and must wait until those functions clear before the service pushes the policy to the driver. During this window of time, a packet could be received and delivered to a service without Internet Connection Firewall filtering. This could potentially expose the computer to a whole class of vulnerabilities. The length of the time period depends on the speed of the computer.
In Windows XP SP2, the firewall driver has a new static policy rule named the boot-time policy. The boot-time policy performs stateful filtering and eliminates the window of vulnerability when the computer is starting. The boot-time policy enables the computer to open ports so that basic networking tasks such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) can occur. The boot-time policy also enables the computer to communicate with a domain controller to obtain appropriate policies. As soon as the firewall service is running, the run-time Windows Firewall policy is loaded, applied, and the boot-time filters are removed. The boot-time policy cannot be configured.
Note: If the Windows Firewall/Internet Connection Sharing service is set to Disabled or Manual, the boot-time policy is not applied.
For more information about the Windows Firewall service, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 917730 - Last Review: Mar 29, 2017 - Revision: 3