After a deluge of new networking-related articles last week, I have just one to share this time:
2568645 Firewall exceptions not honored after cluster failover
- Mike Platts
Quite a variety of new articles were released this week, covering a number of networking technologies and operating system versions:
2523887 You may encounter file corruption issues when you use the Offline Files feature to synchronize data in Windows 7
2525835 MS11-047: Vulnerability in Microsoft Hyper-V could cause denial of service: June 14, 2011
2535094 Server stops responding when you lock or unlock files on a network by using the SMB2 protocol in Windows Vista or in Windows Server 2008
2535121 IP-HTTPS connections disconnect if the network status is changed on a computer that is running Windows 7 or Windows Server 2008 R2
2536493 Slow SQL Online Transaction Processing performance when SQL database files are stored on an SMB network file share in Windows 7, in Windows Server 2008 R2, or in Windows Storage Server 2008 R2
2537589 SMB/CIFS sessions leak in Windows Vista and in Windows Server 2008
2547057 IP packets are not routed through a Windows Server 2008 R2–based LAN router in a VLAN environment
2548145 The size of the Active Directory increases rapidly on a Windows Server 2008 R2-based domain controller that hosts the DNS Server role
2548470 A WebClient service crashes on a computer that is running Windows 7 or Windows Server 2008 R2 when you connect a WebDav resource
2548491 A SSTP connection to an external SSTP server from a computer that is running Windows Vista or Windows Server 2008 does not work
2548554 Ftp.exe output cannot be redirected to a file in Windows Vista or in Windows Server 2008
2549036 "0x0000000A" stop error occurs when several applications access the same network share file by using the MapViewOfFile() API on a computer that is running Windows 7 or Windows Server 2008 R2
2549268 SNMP threads do not time out correctly in Windows Vista or in Windows Server 2008
2549656 DNS Server service randomly cannot resolve external names and returns a "Server Failure" error if IPv6 is disabled in Windows Server 2008 R2
2550111 Event IDs 34005 and 31004 may be logged in the System event log of Windows 7 when Internet Connection Sharing (ICS) is enabled on an available Network connection
2550719 "Name Error 3" error message when you send a query to an EDNS-enabled forwarding DNS server and the query is resolved by using WINS forward lookup in Windows Server 2008 R2
2551685 Applications or services that rely on local named pipes encounter a connectivity failure in Windows Server 2008 SP2 or in Windows Vista SP2
2553549 All the TCP/IP ports that are in a TIME_WAIT status are not closed after 497 days from system startup in Windows Vista and in Windows Server 2008
2554859 The "skipassource" flag of IP addresses is cleared after you use the GUI to change IP settings of a network adapter in Windows 7 or in Windows Server 2008 R2
2555258 Some files under a WebDAV folder are not listed in Windows 7
2555948 Multicast forwarding is enabled when you restart RRAS in Windows 7 or in Windows Server 2008 R2
2555958 SNMP services returns no attributes for a PID when you monitor services by using SNMP services on a computer that is running Windows 7 or Windows Server 2008 R2
2560598 "The folder you entered does not appear to be valid. Please choose another" error when you use "Add a network connection" to connect to a nested WebDAV subfolder in Windows 7 or Windows Server 2008 R2
As discussed in the previous posts in this series, there can be several causes that will prevent the Windows Firewall from starting. In this installment I will cover specifics of checking dependencies.
When checking dependencies, verify that the default dependencies are in place, that there are no additional dependencies, and that the BFE and RPC services are starting.
As seen in the screenshots below, the Base Filtering Engine and the Windows Firewall Authorization Driver are the default dependencies. Use the steps below to view this:
In addition, the Base Filtering Engine also has a dependency on RPC, as seen below.
Therefore, we also need to verify that the Base Filtering Engine and the RPC service are started and set to start automatically, as seen below.
Additional Dependencies
Finally, if there are any dependencies other than the ones mentioned above you will want to remove them.
Windows 7 / Windows 2008 R2 have the same dependencies as Windows Vista but the services that have dependencies on them are different. Fortunately we are not concerned with what has a dependency on these services so we can check the same Base Filtering Engine and RPC services.
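The dependency check described above can also be scripted. The following is an added example, not part of the original post; the function name, the sample data and the short service names mpsdrv and RpcSs are assumptions (the post gives only display names).

```powershell
# Expected DependOnService lists, following the post:
# Windows Firewall -> Base Filtering Engine + Windows Firewall Authorization Driver; BFE -> RPC.
# Assumption: mpsdrv and RpcSs are the short names behind those display names.
$ExpectedDependencies = @{ MpsSvc = @('BFE', 'mpsdrv'); BFE = @('RpcSs') }

function Compare-ServiceDependency {
    param([hashtable]$Actual)   # service short name -> DependOnService values
    foreach ($svc in $ExpectedDependencies.Keys) {
        # Drop empty entries so a missing registry value is treated as "no dependencies".
        $have = @($Actual[$svc]) | Where-Object { $_ }
        foreach ($dep in $ExpectedDependencies[$svc]) {
            if ($have -notcontains $dep) {
                [pscustomobject]@{ Service = $svc; Dependency = $dep; Finding = 'Default dependency missing' }
            }
        }
        foreach ($dep in $have) {
            if ($ExpectedDependencies[$svc] -notcontains $dep) {
                [pscustomobject]@{ Service = $svc; Dependency = $dep; Finding = 'Additional dependency' }
            }
        }
    }
}

# Constructed sample: MpsSvc carries a leftover dependency on a hypothetical service.
$sample = @{ MpsSvc = @('BFE', 'mpsdrv', 'ExampleVendorSvc'); BFE = @('RpcSs') }
Compare-ServiceDependency -Actual $sample | Format-Table -AutoSize

# Live data can be read from the registry value behind the Dependencies tab:
#   $live = @{}
#   foreach ($s in 'MpsSvc', 'BFE') {
#       $live[$s] = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$s").DependOnService
#   }
#   Compare-ServiceDependency -Actual $live
# State and start mode of BFE and RPC:
#   Get-CimInstance Win32_Service -Filter "Name='BFE' OR Name='RpcSs'" |
#       Select-Object Name, State, StartMode
```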
This is the last post of my series on troubleshooting issues where the Windows Firewall Service fails to start.
I hope you have found this information useful.
- David Pracht
The Windows Firewall Service Fails to start – Checking Privilege Access
As discussed in the previous posts in this series, there can be several causes that will prevent Windows Firewall from starting. In this installment, part 4 of 5 in the series, I will cover specifics of checking access privileges for both Windows Vista and Windows 7.
Checking Privilege access
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
You can see the privilege access settings by looking at the RequiredPrivileges registry value.
I have listed the values you will find in a default clean install below but it is possible you will have other values.
You can then check the privileges found in the previous step using secpol.msc. Make sure LOCAL SERVICE is listed for each of the privileges above.
You can check this by one of the following methods:
Open secpol.msc, right-click the root node (Security Settings), export the data to an .inf file, and open the .inf file in Notepad.
Note: In the .inf file make sure the above listed privileges contain the SID of the needed object - for LOCAL SERVICE the SID is S-1-5-19
Note: This list below is edited to only contain the values we are looking for. There will be more values in the INF.
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
Open the Local Security Policy MMC (secpol.msc), then drill down to Local Policies / User Rights Assignment.
Find the Policy for the corresponding privileges (below) and make sure LOCAL SERVICE is listed in them.
Privilege name                   Policy name
SeAssignPrimaryTokenPrivilege    Replace a process level token
SeAuditPrivilege                 Manage auditing and security log
SeChangeNotifyPrivilege          Bypass traverse checking
SeCreateGlobalPrivilege          Create global objects
SeImpersonatePrivilege           Impersonate a client after authentication
SeIncreaseQuotaPrivilege         Adjust memory quotas for a process
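The .inf check from the first method can be automated. The following is an added example, not part of the original post; the function names are hypothetical and the embedded export is constructed sample data in which one privilege has lost LOCAL SERVICE and another is absent.

```powershell
# Privileges and SID taken from the list above.
$RequiredPrivileges = @(
    'SeAssignPrimaryTokenPrivilege', 'SeAuditPrivilege', 'SeChangeNotifyPrivilege',
    'SeCreateGlobalPrivilege', 'SeImpersonatePrivilege', 'SeIncreaseQuotaPrivilege'
)
$LocalServiceSid = 'S-1-5-19'

function Get-PrivilegeRight {
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            # Holders are comma-separated; SIDs carry a leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LocalServicePrivilege {
    param([string[]]$InfLines)
    $rights = Get-PrivilegeRight -InfLines $InfLines
    foreach ($priv in $RequiredPrivileges) {
        $holders = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
        [pscustomobject]@{
            Privilege       = $priv
            HasLocalService = $holders -contains $LocalServiceSid
            Holders         = $holders -join ','
        }
    }
}

# Constructed sample export (not from a real machine).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-20,*S-1-5-32-544,*S-1-5-6
'@ -split '\r?\n'

Test-LocalServicePrivilege -InfLines $sample | Where-Object { -not $_.HasLocalService }
```

On a live system, the input can come from `secedit /export /cfg rights.inf /areas USER_RIGHTS` followed by `Get-Content rights.inf`.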
Missing privileges can be added via Registry Editor as follows:
What’s next?
In my next installment, I will cover Firewall service dependencies.
I have just one new networking-related article to mention this week:
2465408 Applications or services cannot update their routing tables after they receive route change notifications in Windows Server 2008 R2 or in Windows 7
As discussed in my previous posts in this series, there can be several causes that will prevent the Windows Firewall from starting. In this installment, part 3 of 5, I will cover specifics of checking registry permissions.
You can verify the permissions in Registry Editor by right-clicking each of the following registry keys and choosing Permissions. Then, highlight the desired account and click Advanced. Then highlight the desired account (again) and click Edit.
Depending on the operating system version, either NT Service\MpsSvc or NT Service\BFE needs permissions for the following keys as described below (note that HKEY_LOCAL_MACHINE has been shortened to HKLM):
Reviewing registry permissions for Windows Vista:
Reviewing registry permissions for Windows 7:
In my next blog post in this series, I will cover access privileges.
This is part two in my series on Windows Firewall failing to start. In part one, I covered Windows XP and gave an overview of the issues seen in Windows Vista and Windows 7. As discussed, there can be several causes that will prevent the firewall from starting. In this post, I will cover specifics of checking the logon permissions.
First you should verify that the "Log on as:" account is set to Local Service. The Base Filtering Engine, Windows Firewall, and NLA services should all be set to Log on as the "Local Service" account. I'm only including one screenshot as an example because it is the same for all of the services that use Local Service. Note that the Password fields are ignored for this account. For more information on the Local Service account, refer to http://msdn.microsoft.com/en-us/library/ms684188(VS.85).aspx.
IPsec Policy agent uses the "Network Service" account.
Next we will want to verify the security descriptor definition language string, or SDDL string. SDDL defines the string format that the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use to describe a security descriptor as a text string. Refer to http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx for more information.
We can use SC SDSHOW to show the SDDL string for the services of interest.
Syntax: sc sdshow <Service Name>
Note: You will want to run this command against a working machine in your environment for comparison but here are the default settings from a clean install.
Service Name: NLASVC
D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPRC;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)
Service Name: BFE
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Service Name: MPSSVC
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCKCSWRPWPDTLOCRSDRCWDWO;;;WD)
Service Name: SharedAccess
057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
You can restore the default permissions via the SDDL strings above or get similar data from a working machine in your own environment.
SC sdset <Service Name> <SDDL string>
Example:
SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
Notice that each entry ends with an account abbreviation: SY = Local System, BA = Administrator, AU = Authenticated Users, PU = Power Users.
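Comparing a service's SDDL string against a known-good one is easier entry by entry than by eye. The following is an added example, not part of the original post; the function names are hypothetical, the baseline is the BFE default listed above, and the "current" string is constructed.

```powershell
$BfeBaseline = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

function Get-DaclAce {
    param([string]$Sddl)
    # sc sdshow wraps long strings, so drop whitespace first, then keep only the
    # DACL: everything after "D:" and before the SACL marker "S:".
    $dacl = ($Sddl -replace '\s', '') -replace '^.*?D:', '' -replace 'S:[A-Z]*\(.*$', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        [pscustomobject]@{ Type = $f[0]; Rights = $f[2]; Trustee = $f[5]; Raw = $m.Value }
    }
}

function Compare-ServiceDacl {
    param([string]$Baseline, [string]$Current)
    $want = @(Get-DaclAce $Baseline)
    $have = @(Get-DaclAce $Current)
    # ACEs are compared as whole strings, so a changed right shows up as one
    # Missing entry (the baseline ACE) plus one Unexpected entry (the altered ACE).
    foreach ($ace in $want) {
        if ($have.Raw -notcontains $ace.Raw) {
            [pscustomobject]@{ Finding = 'Missing'; Trustee = $ace.Trustee; Rights = $ace.Rights; Ace = $ace.Raw }
        }
    }
    foreach ($ace in $have) {
        if ($want.Raw -notcontains $ace.Raw) {
            [pscustomobject]@{ Finding = 'Unexpected'; Trustee = $ace.Trustee; Rights = $ace.Rights; Ace = $ace.Raw }
        }
    }
}

# Constructed descriptor: the SU entry has lost the RP, WP and DT rights.
$current = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

# On a live system: $current = (sc.exe sdshow bfe) -join ''
# Use sc.exe explicitly; in Windows PowerShell, "sc" is an alias for Set-Content.
Compare-ServiceDacl -Baseline $BfeBaseline -Current $current | Format-Table -AutoSize
```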
In the next installment of this series, I will cover registry permissions as related to Windows Firewall.
Like last week, I have one new networking-related article to share this time:
2560995 Intel’s My WiFi Technology stops working after resuming from sleep or hibernate in Windows 7
There can be several causes that will prevent the Windows Firewall from starting and I will attempt to cover them in this series of five blog posts. In this first post, I will cover Windows XP and Windows Vista / Windows 7 separately as they are two different services. Lastly, I will cover one issue with OneCare. Note: Specifics on Windows Vista and Windows 7 will come in a later blog post.
In Windows XP, the firewall service is named "Windows Firewall/Internet Connection Sharing (ICS)", or SharedAccess service.
Typical errors seen as either popups or within event logs when the service fails to start are:
Problems starting the Firewall Service in Windows XP are most commonly related to an issue with the Shared Access registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
The quickest resolution is generally to rebuild the key. Instructions for doing this are in the following article, along with a FIXIT link:
You cannot start the Windows Firewall service in Windows XP SP2
Other things you will want to check are:
The above 3 items cover the vast majority of the issues with starting the Firewall in Windows XP.
In Windows Vista and later, the firewall service is "Windows Firewall" (MPSSVC); it combines both Firewall and IPsec functionality.
The first thing to check is that the Base Filtering Engine (BFE) is running. There are a number of services dependent on the BFE service (including the Windows Firewall) that may also fail to start:
In my experience most of the issues starting these services are related to permissions.
Typical errors seen in relation to starting this service are:
What to look for (specific details will be shared in a future blog post):
Lastly, I am including information about one issue that may be seen with the Windows OneCare Firewall Service. The following messages may be seen:
The Windows OneCare Firewall Service Could not Start
Urgent - Turn on Firewall
You will see this error in the Windows OneCare interface, with a red status action item asking you to enable the firewall. The action listed does not enable the firewall, however.
This issue is also very specific because the firewall settings in Windows OneCare are grayed out and cannot be modified.
To resolve this issue:
Use the steps below to ensure that the PATH environment variable contains the following path:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
If this does not resolve the issue, try the following step:
If this does not resolve the issue, or if the problem does not match the description, please follow the steps in KB article 910659.
This wraps up my overview of how to troubleshoot issues starting the Windows Firewall Service. I will have some future blog posts with more specific details on the Windows Vista/Windows 7 steps.
Happy World IPv6 Day! I wanted to remind you that various Microsoft sites, among many others, are running IPv6 today to allow ISPs, hardware manufacturers, and various other businesses to test communication in a large scale. If you would like to learn more about what makes today unique for IPv6 or would like to learn more about IPv6 itself, please check out the following:
World IPv6 Day
http://blogs.technet.com/b/microsoft_blog/archive/2011/06/07/microsoft-supports-next-generation-of-the-internet-with-world-ipv6-day.aspx
http://www.microsoft.com/ipv6
I have one new networking-related article for this week:
2473489 IP address and default gateway settings are assigned incorrectly in Windows Vista, in Windows Server 2008, in Windows 7, and in Windows Server 2008 R2