Windows XP ICS stuck on starting. Please help!

[nbal]

Hi,

I am using a Windows XP SP1 at home. I have a problem that is not critical, but it is a risk and a hell of an inconvenience. I don't know when and how it started, but I first noticed it a couple of days ago when I discovered that after each reboot my network would come up without any firewall. I have looked everywhere for help on this one without any luck. I even remember posting again on this newsgroup, but I cannot find the post anywhere.

My PC normally takes ~18" to boot (bootvis). It then takes another 2' during which the PC is very sluggish CPU is 99% idle, and network is inaccesible. After this period, network is again accesible, but without firewall. I can restart manually the firewall within 5" without any problems. During this period the "sc queryex" command gives me for SharedAccess service PENDING_START, and that ipnat is stopped with exit code 1077. SharedService seems to depend on ipnat, and is stuck waiting for it. I did put a trace on ipnat through the registry, and the problem mutated since. The delay is still the same, but the network eventually comes up firewalled.

I would hate repairing or formatting my instalation, so any help would be appreciated. I think I have seen some posts with similar ICS problems on this group, so I am hoping to get some feedback.

Thanks,
Nikos

PS1: ipnat trace

[1420] 18:51:56: DhcpInitializeInterfaceManagement
[1420] 18:51:56: DnsInitializeFileManagement
[1420] 18:51:56: DnsInitializeTableManagement
[1420] 18:51:56: DnsInitializeInterfaceManagement
[1420] 18:51:56: H323InitializeInterfaceManagement
[1420] 18:51:56: ServiceMain
[1356] 18:52:05: EAPOLTrayIconReady: Advise username = TARDIS\nikos
[1204] 18:52:05: EAPOLTrayIconReadyWorker: Advise username = TARDIS\nikos
[1204] 18:52:06: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (0) with error (1702)
[1204] 18:52:06: ElGetLoggedOnUserName: Got User Name TARDIS\nikos
[1204] 18:52:06: EAPOLTrayIconReadyWorker: Tray icon ready for username TARDIS\nikos
[1420] 18:53:18: NhpUpdatePolicySettings: NhPolicyAllowsFirewall=1, NhPolicyAllowsSharing=1
[1420] 18:53:18: FwInitializeLogger
[1420] 18:53:18: NatRmStartProtocol
[1420] 18:53:18: NhUpdateApplicationSettings
[1420] 18:53:18: NhFreeApplicationSettings
[1420] 18:53:18: NhFreeDhcpReservations
[1420] 18:53:19: NatInstallApplicationSettings
[1420] 18:53:19: AlgRmStartProtocol
[1420] 18:53:19: H323RmStartProtocol
[1420] 18:53:19: NhMapAddressToAdapter
[1420] 18:53:19: NhMapAddressToAdapter
[1420] 18:53:19: NhMapAddressToAdapter
[1420] 18:53:19: NatStartConnectionManagement
[1420] 18:53:19: NhpStartAddressChangeNotification
[1420] 18:53:19: ServiceMain: service started successfully
[340] 18:53:19: NatpConfigurationChangedCallbackRoutine
[340] 18:53:19: NatpProcessConfigurationChanged
[340] 18:53:19: NatpStopSharedConnectionManagement
[340] 18:53:19: NhpDeletePrivateInterface
[340] 18:53:19: AlgRmDeleteInterface
[340] 18:53:19: H323RmDeleteInterface
[340] 18:53:19: H323DeleteInterface
[340] 18:53:19: H323LookupInterface
[340] 18:53:19: H323DeleteInterface: interface 0 not found
[340] 18:53:19: NatRmDeleteInterface
[340] 18:53:19: NatDeleteInterface
[340] 18:53:19: NatpLookupInterface
[340] 18:53:19: NatDeleteInterface: interface 0 not found
[340] 18:53:19: FwStartLogging
[340] 18:53:19: FwpLoadSettings
[340] 18:53:19: NatpProcessConnectionNotify
[340] 18:53:19: NhMapGuidToAdapter
[340] 18:53:19: NatpProcessConnectionNotify: MapGuidToAdapter failed
[340] 18:53:20: NhpAddressChangeCallbackRoutine
[340] 18:53:20: NhpStartAddressChangeNotification
[340] 18:53:20: NatpConnectionNotifyCallbackRoutine
[340] 18:53:20: NatpProcessConnectionNotify
[340] 18:53:20: NhMapGuidToAdapter
[340] 18:53:20: NatpProcessConnectionNotify: MapGuidToAdapter failed
[340] 18:53:23: NhpAddressChangeCallbackRoutine
[340] 18:53:23: NhpStartAddressChangeNotification
[340] 18:53:23: NatpConnectionNotifyCallbackRoutine
[340] 18:53:23: NatpProcessConnectionNotify
[340] 18:53:23: NhMapGuidToAdapter
[340] 18:53:23: NatpBuildPortMappingList
[340] 18:53:23: NatpQueryConnectionInformation
[340] 18:53:23: NatBindInterface
[340] 18:53:23: NatpLookupInterface
[340] 18:53:23: AlgRmAddInterface
[340] 18:53:23: NatGetInterfaceCharacteristics
[340] 18:53:23: NatpLookupInterface
[340] 18:53:23: AlgRmBindInterface
[340] 18:53:23: NhMapAddressToAdapter
[1356] 18:53:23: NatLookupPortMappingAdapter
[1356] 18:53:23: NatLookupPortMappingAdapter: status c0000225 getting info for adapter 65539
[340] 18:53:23: AlgRmEnableInterface
[340] 18:53:23: H323RmAddInterface
[340] 18:53:23: H323CreateInterface
[340] 18:53:23: H323LookupInterface
[340] 18:53:23: H323RmBindInterface
[340] 18:53:23: H323BindInterface
[340] 18:53:23: H323LookupInterface
[340] 18:53:23: H323RmEnableInterface
[340] 18:53:23: H323EnableInterface
[340] 18:53:23: H323LookupInterface
[340] 18:53:23: H323ActivateInterface
[340] 18:53:23: NatGetInterfaceCharacteristics
[340] 18:53:23: NatpLookupInterface
[340] 18:53:23: NhMapAddressToAdapter
[340] 18:53:23: NatLookupPortMappingAdapter
[340] 18:53:23: NatLookupPortMappingAdapter: status c0000225 getting info for adapter 65539
[340] 18:53:23: NatLookupPortMappingAdapter
[340] 18:53:23: NatLookupPortMappingAdapter: status c0000225 getting info for adapter 65539
[340] 18:53:23: NatLookupPortMappingAdapter
[340] 18:53:23: NatLookupPortMappingAdapter: status c0000225 getting info for adapter 65539

PS2: sc output

C:\Documents and Settings\nikos>sc queryex sharedaccess

SERVICE_NAME: sharedaccess
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x0
PID : 848
FLAGS :

C:\Documents and Settings\nikos>sc queryex ipnat

SERVICE_NAME: ipnat
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

C:\Documents and Settings\nikos>sc qc ipnat
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: ipnat
TYPE : 1 KERNEL_DRIVER
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\ipnat.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IP Network Address Translator
DEPENDENCIES : Tcpip
SERVICE_START_NAME :
DISPLAY_NAME : IP Network Address Translator
DEPENDENCIES : Tcpip
SERVICE_START_NAME :

 

[nbal]

Solution

Hi,

After a few tries and my trusty linux box I was able to solve this one. Quite helpful was also the ipnat tracing enabled by HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IPNATHLP\EnableFileTracing. It was all along a registry problem, modified by an unknown application sometime in the past month. All changes affected the SharedAccess key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess.

1) The "DisplayName" was changed from "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICF)" to "Windows Firewall / Internet Connection Sharing (ICF)"
2) The "DependOnService" was changed from "Netman NLA RasMan ALG" to "Netman Winmgmt"

Undoing these changes reduced firewall (network) boot time from 2' to 20". Still I was getting errors in the System Event logs from IPNATHLP "NAT was unable to request an operation of the kernel-mode translation module...". The IPNATHLP logs also indicated 2 failed "NatpProcessConnectionNotify: MapGuidToAdapter failed". After 20" delay MapGuidToAdapter would succeed. Clearly more was to be done.

I was fortunate to have a month old backup of my registry before the problems appeared. I uploaded a current one with the backup and diff'ed them in my linux box. Many changes during that month to be sure. But of more importance were the changes in the SharedAccess key. 2 new keys were added (Epoch and Setup) with their subkeys, and one old "Security" was deleted. Deleting those keys and copying "Security" from my backup I was able to reduce firewall and network boot to 1" .

And another thing: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\Globall I noticed that apart from the 3 netbios ports I had configured (139 tcp, 138 & 137 udp) there were 3 more (445 tcp, 1029 udp, 2024 udp) completely hidden which i never configured. I prompted deleted them as well.

Problem solved,
Nikos