When you try to create a network connection with a computer that is running Microsoft Windows XP Service Pack 2 (SP2), you may experience one or more of the following problems:
There is a delay or a slow response when you try to log in or access data on a server.
You may receive a time-out error message. The text of the message may vary depending on the program that you are using.
You may be unable to create the network connection.
This behavior occurs primarily when the Windows XP SP2-based computer is starting. The behavior stops after the Windows Firewall/Internet Connection Sharing service starts.
This behavior occurs because Windows Firewall uses packet filtering to block unknown TCP/IP packets on the Windows XP SP2-based computer. This prevents the computer from receiving User Datagram Protocol (UDP) packets, and therefore prevents the network connection.
Windows Firewall helps protect computers that are connected to a network by rejecting unsolicited or unknown incoming connections through TCP/IP version 4 (IPv4). By default, Windows Firewall is turned on in Windows XP SP2. Windows Firewall starts early in the startup process, and then loads a boot-time policy that uses packet filtering to block the unknown packets until the service starts. This boot-time policy is hard-coded and applies even if Windows Firewall is turned off.
To work around this behavior, use one or more of the following methods:
Wait about 15 seconds, and then retry the network connection.
Increase the time-out settings as required for any programs that are affected by this issue.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Note This hotfix lets you configure the registry to turn off boot-time security settings. Additionally, this hotfix alters Windows Firewall so that UDP packets can be received when the Windows XP SP2-based computer is starting. Therefore, you should only use this hotfix when you absolutely must resolve the behavior. We recommend that you use the methods described in the "Workaround" section to work around this behavior.
To enable this hotfix, you must modify the registry to specify the ports that you want to exclude from the boot-time policy when the computer is starting until Windows Firewall starts. To do this, follow these steps:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
In versions of Windows XP that are earlier than Windows XP SP2, there is a window of time between when the network stack starts and when Internet Connection Firewall starts to provide protection. The firewall driver does not start to filter TCP/IP packets until the firewall service is loaded and the appropriate policy is applied. The firewall service depends on several functions and must wait until those functions clear before the service pushes the policy to the driver. During this window of time, a packet could be received and delivered to a service without Internet Connection Firewall filtering. This could potentially expose the computer to a whole class of vulnerabilities. The time period is based on the speed of the computer.
In Windows XP SP2, the firewall driver has a new static policy rule named the boot-time policy. The boot-time policy performs stateful filtering and eliminates the window of vulnerability when the computer is starting. The boot-time policy enables the computer to open ports so that basic networking tasks such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) can occur. The boot-time policy also enables the computer to communicate with a domain controller to obtain appropriate policies. As soon as the firewall service is running, the run-time Windows Firewall policy is loaded and applied, and the boot-time filters are removed. The boot-time policy cannot be configured.
Note If the Windows Firewall/Internet Connection Sharing service is set to Disabled or Manual, the boot-time policy is not applied.
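The following model, added here as an illustration and not Microsoft's code, shows why the boot-time policy described above delays start-up connections: an unsolicited inbound UDP packet is dropped until the firewall service starts, while replies to flows the host opened (DNS) and DHCP traffic to the client port are admitted. The addresses, port 5000 and the exclusion tuple are constructed values; the hotfix's actual registry entries are not reproduced or assumed.

```python
from dataclasses import dataclass

# Constructed model of the Windows XP SP2 boot-time policy: stateful filtering
# that admits only solicited replies and basic networking until the Windows
# Firewall service is running. The exclusion list stands in for the hotfix's
# registry-configured port exclusions (assumed shape, not the real registry values).

@dataclass(frozen=True)
class Packet:
    proto: str    # "udp" or "tcp"
    src: str      # remote address for inbound, local address for outbound
    sport: int
    dst: str
    dport: int

DHCP_CLIENT_PORT = 68   # DHCP replies are broadcast here without a matching outbound flow

class BootTimeFilter:
    def __init__(self, excluded_ports=()):
        self.flows = set()                   # (proto, local_port, remote_ip, remote_port)
        self.excluded = set(excluded_ports)  # (proto, local_port) tuples, assumed exclusion form
        self.service_started = False

    def outbound(self, pkt):
        """Record a locally initiated flow so that its reply counts as solicited."""
        self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        if self.service_started:
            return "runtime-policy"   # boot-time filters are removed once the service runs
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"            # reply to a flow this host opened (e.g. DNS answer)
        if pkt.proto == "udp" and pkt.dport == DHCP_CLIENT_PORT:
            return "allow"            # basic networking the boot-time policy must permit
        if (pkt.proto, pkt.dport) in self.excluded:
            return "allow"            # port excluded from the boot-time block (hotfix behaviour)
        return "drop"                 # unsolicited packet: the source of the start-up delay

def boot_sequence(excluded_ports=()):
    """Replay constructed start-up traffic and return the decision for each step."""
    fw = BootTimeFilter(excluded_ports)
    fw.outbound(Packet("udp", "10.0.0.5", 1025, "10.0.0.1", 53))             # DNS query out
    dns_reply = fw.inbound(Packet("udp", "10.0.0.1", 53, "10.0.0.5", 1025))   # solicited reply
    dhcp_offer = fw.inbound(Packet("udp", "10.0.0.1", 67, "255.255.255.255", 68))
    unsolicited = fw.inbound(Packet("udp", "10.0.0.7", 40000, "10.0.0.5", 5000))  # app port
    fw.service_started = True                                                 # service is up
    after_start = fw.inbound(Packet("udp", "10.0.0.7", 40000, "10.0.0.5", 5000))
    return {"dns_reply": dns_reply, "dhcp_offer": dhcp_offer,
            "unsolicited": unsolicited, "after_start": after_start}
```

Calling `boot_sequence()` shows the drop that causes the delay; calling `boot_sequence({("udp", 5000)})` shows the effect of excluding that port from the boot-time policy, which is why the article advises using the hotfix only when the workarounds are not acceptable.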
For more information about the Windows Firewall service, click the following article number to view the article in the Microsoft Knowledge Base:
320855 Description of the Windows XP Internet Connection Firewall
For more information about how to turn Internet Connection Firewall on or off, visit the following Microsoft Web page: