Request help with browstat error

[Michael Meyers]

I have done a lot of searching on the internet and usenet before posting here,
but I've not been able to find a solution. I'm not even sure if this is really
a problem, so I need advice from someone more knowledgable than me.

PC #1: Windows XP Pro, SP2, simple file sharing enabled. Hard wired into a
D-link DI-624 Router, which is connected to a cable modem. ZoneAlarm Pro
5.5.062.004 installed. Windows firewall disabled

PC #2: Windows XP Home, SP2. Connects wirelessly via D-link DWL-G520 wireless
card. ZoneAlarm Pro also installed, same version. Windows firewall disabled.

Both on workgroup MSHOME.
Both can ping themselves and each other by name and IP address
Both machines can access the internet. Both can see each others shares, and
share files between them.

The only peculiarity I can see is when I run a "browstat status" command,
whichever PC has the computer browser service disabled returns the "Could not
connect to registry, error = 53 Unable to determine
build of browser master: 53" error. If I disable the service on the XP Pro
Machine, it gives this error. If I enable the service on the XP Pro machine and
disable it on the XP Home machine, XP Home gives this error. However, they both
detect the master browser, and there is no browser conflict.

Most of what I have read suggests that this is most likely a firewall issue. I
have ZoneAlarm Pro configured so that the IP address of each machine is in the
others' Trusted Zone.

Like I said, I'm not really sure if this is a problem, since everything else
seems to work. It's just that the anal side of me would like to understand.

 

[Chuck]

I have done a lot of searching on the internet and usenet before posting here,
but I've not been able to find a solution. I'm not even sure if this is really
a problem, so I need advice from someone more knowledgable than me.

PC #1: Windows XP Pro, SP2, simple file sharing enabled. Hard wired into a
D-link DI-624 Router, which is connected to a cable modem. ZoneAlarm Pro
5.5.062.004 installed. Windows firewall disabled

PC #2: Windows XP Home, SP2. Connects wirelessly via D-link DWL-G520 wireless
card. ZoneAlarm Pro also installed, same version. Windows firewall disabled.

Both on workgroup MSHOME.
Both can ping themselves and each other by name and IP address
Both machines can access the internet. Both can see each others shares, and
share files between them.

The only peculiarity I can see is when I run a "browstat status" command,
whichever PC has the computer browser service disabled returns the "Could not
connect to registry, error = 53 Unable to determine
build of browser master: 53" error. If I disable the service on the XP Pro
Machine, it gives this error. If I enable the service on the XP Pro machine and
disable it on the XP Home machine, XP Home gives this error. However, they both
detect the master browser, and there is no browser conflict.

Most of what I have read suggests that this is most likely a firewall issue. I
have ZoneAlarm Pro configured so that the IP address of each machine is in the
others' Trusted Zone.

Like I said, I'm not really sure if this is a problem, since everything else
seems to work. It's just that the anal side of me would like to understand.

Michael,

Both the name resolution and master browser advertisements use NetBIOS packets.
Name / address resolution uses, I believe, netbios-ns, ie port 137. The master
browser advertisement uses netbios-dgm, ie port 138.

I don't think anybody here knows why personal firewalls are so unpredictable WRT
NBT (NetBIOS Over TCP/IP) traffic, nor if the unpredictability is even port
related. All most of us here know is, if there's a personal firewall on a
computer with browser or name resolution problems, it's best to either properly
configure, or un install, the firewall, at least to diagnose the problem. Many
personal firewalls react unpredictably when disabled, and may continue to block
some (but not necessarily all) ports even when disabled.

I've been working with Windows Networking, and browser issues, for several
years. I've come to associate "error = 53" ("name resolution") problems with 4
possible causes.
# Corrupted LSP / Winsock.
# Firewall problem.
# Invalid node type.
# Excessive protocols.

The first two are identified only from experimentation. A corrupted LSP /
Winsock is only diagnosed after its been fixed. Many times, you try everything,
and I mean everything, to fix a problem, sometimes you spend days, then somebody
says "Try LSP-Fix". You run it, and it's done. But there are 4 variations on
this - LSP-Fix is just one of the 4. And not all 4 work every time.
<http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html>

A firewall problem you only identify after you disable a personal firewall
(assuming it disables successfully, which does happen about 1/2 the time). The
other half, you go thru the bit with everything else, and even try LSP-Fix and
its siblings, to no avail. Then someone discovers an overlooked firewall, and
the light goes on in the head. You un install, and it's done.
<http://nitecruzr.blogspot.com/2005/05/your-personal-firewall-can-either-help.html>

Invalid Node Type is spotted easily from viewing the "ipconfig /all" log. If
the Node Type is "Peer-Peer", and you're on a small LAN (ie no DNS or WINS
server), Peer-Peer won't do.
<http://nitecruzr.blogspot.com/2005/05/reading-ipconfig-and-diagnosing.html#PeerPeer>

Finally, if you spot IPX/SPX or NetBEUI protocols in a "browstat status" log, or
IPV6 aka Advanced or Teredo Tunneling in an "ipconfig /all" log, that has to
come out. At least to diagnose the problem.
<http://nitecruzr.blogspot.com/2005/05/fix-network-problems-but-clean-up.html>

What are the actual reasons why each of these cause an "error = 53"? The
connection between #3 (invalid node type) and the "error = 53" is obvious. None
of the other 3 are even remotely known. The term "corrupt LSP / Winsock" is so
vague, all that says is "it's broken, wave the magic wand (LSP-Fix)".

I suspect that a couple helpers here know a bit more than I've explained above,
if they can add to this ramble, I'd bet a lot of us would benefit. Will they
even read this far? I dunno. Have YOU even gotten to this spot? I dunno. ;-}
<http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html>

HTH. Please read, then ask more questions!

BTW, Michael, posting your email address openly will get you more unwanted
email, than wanted email. Learn to munge your email address properly, to keep
yourself a bit safer when posting to open forums. Protect yourself and the rest
of the internet, please.
<http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Munging>

 

[Michael Meyers]

Michael,

Both the name resolution and master browser advertisements use NetBIOS packets.
Name / address resolution uses, I believe, netbios-ns, ie port 137. The master
browser advertisement uses netbios-dgm, ie port 138.

I don't think anybody here knows why personal firewalls are so unpredictable WRT
NBT (NetBIOS Over TCP/IP) traffic, nor if the unpredictability is even port
related. All most of us here know is, if there's a personal firewall on a
computer with browser or name resolution problems, it's best to either properly
configure, or un install, the firewall, at least to diagnose the problem. Many
personal firewalls react unpredictably when disabled, and may continue to block
some (but not necessarily all) ports even when disabled.

I've been working with Windows Networking, and browser issues, for several
years. I've come to associate "error = 53" ("name resolution") problems with 4
possible causes.
# Corrupted LSP / Winsock.
# Firewall problem.
# Invalid node type.
# Excessive protocols.

The first two are identified only from experimentation. A corrupted LSP /
Winsock is only diagnosed after its been fixed. Many times, you try everything,
and I mean everything, to fix a problem, sometimes you spend days, then somebody
says "Try LSP-Fix". You run it, and it's done. But there are 4 variations on
this - LSP-Fix is just one of the 4. And not all 4 work every time.
<http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html>

A firewall problem you only identify after you disable a personal firewall
(assuming it disables successfully, which does happen about 1/2 the time). The
other half, you go thru the bit with everything else, and even try LSP-Fix and
its siblings, to no avail. Then someone discovers an overlooked firewall, and
the light goes on in the head. You un install, and it's done.
<http://nitecruzr.blogspot.com/2005/05/your-personal-firewall-can-either-help.html>

Invalid Node Type is spotted easily from viewing the "ipconfig /all" log. If
the Node Type is "Peer-Peer", and you're on a small LAN (ie no DNS or WINS
server), Peer-Peer won't do.
<http://nitecruzr.blogspot.com/2005/05/reading-ipconfig-and-diagnosing.html#PeerPeer>

Finally, if you spot IPX/SPX or NetBEUI protocols in a "browstat status" log, or
IPV6 aka Advanced or Teredo Tunneling in an "ipconfig /all" log, that has to
come out. At least to diagnose the problem.
<http://nitecruzr.blogspot.com/2005/05/fix-network-problems-but-clean-up.html>

What are the actual reasons why each of these cause an "error = 53"? The
connection between #3 (invalid node type) and the "error = 53" is obvious. None
of the other 3 are even remotely known. The term "corrupt LSP / Winsock" is so
vague, all that says is "it's broken, wave the magic wand (LSP-Fix)".

I suspect that a couple helpers here know a bit more than I've explained above,
if they can add to this ramble, I'd bet a lot of us would benefit. Will they
even read this far? I dunno. Have YOU even gotten to this spot? I dunno. ;-}
<http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html>

HTH. Please read, then ask more questions!

BTW, Michael, posting your email address openly will get you more unwanted
email, than wanted email. Learn to munge your email address properly, to keep
yourself a bit safer when posting to open forums. Protect yourself and the rest
of the internet, please.
<http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Munging>

Chuck:

First of all, thanks for the heads up about e-mail address posting. Is this
better?

As far as your advice about my problem, you are clearly more knowledgable than I
am, but I have come across most of the references you provided. In terms of
personal firewalls, disabling ZA makes no difference. I don't think I'm willing
to uninstall at this point, as I have no other issues with ZA and as I said, the
LAN seems to be functioning.

In terms of invalid node type, node type is "unknown" on both computers which,
from what I have read, should not be a problem.

There are no extra protocols in browstat log, and no IPV6 in ipconfig /all.

In terms of a corrupted LSP/Winsock, please enlighten me. Could such corruption
exist with all else functioning normally. Also, if this were the cause, it
would have to be present on both PC's, because the browstat error shifts from
one PC to the other, depending on which machine the Computer Browser service is
enabled. I have read that it is better to have it enabled on the wired machine
and disabled on the wireless machine, and that is what I have left it at for
now.

Thanks for any additional help you can provide. Again, should I even worry
about this?

 

[Chuck]

Chuck:

First of all, thanks for the heads up about e-mail address posting. Is this
better?

As far as your advice about my problem, you are clearly more knowledgable than I
am, but I have come across most of the references you provided. In terms of
personal firewalls, disabling ZA makes no difference. I don't think I'm willing
to uninstall at this point, as I have no other issues with ZA and as I said, the
LAN seems to be functioning.

In terms of invalid node type, node type is "unknown" on both computers which,
from what I have read, should not be a problem.

There are no extra protocols in browstat log, and no IPV6 in ipconfig /all.

In terms of a corrupted LSP/Winsock, please enlighten me. Could such corruption
exist with all else functioning normally. Also, if this were the cause, it
would have to be present on both PC's, because the browstat error shifts from
one PC to the other, depending on which machine the Computer Browser service is
enabled. I have read that it is better to have it enabled on the wired machine
and disabled on the wireless machine, and that is what I have left it at for
now.

Thanks for any additional help you can provide. Again, should I even worry
about this?

Michael,

OK, so you just eliminated the last 2 possible causes in my list of 4. As I
implied in my post (which will soon be another blog article with slightly more
detail), the last 2 are the easiest to diagnose.

The first 2 can only be diagnosed after the fact. A firewall problem is best
diagnosed by configuring or by un installing the firewall - at least to diagnose
the problem. An LSP / Winsock problem can only be diagnosed by running the 4
LSP / Winsock fixes, one after the other, until it starts working.

To answer your immediate question, an LSP / Winsock problem can have many
symptoms, in an otherwise working network. Please read my article:
<http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html>

But unless you can describe secondary symptoms (did you maybe have a recent
spyware problem?), I wouldn't start with LSP / Winsock. Is Zone Alarm installed
on both computers? That's where I'd start, whether you like that or not.
<http://nitecruzr.blogspot.com/2005/05/your-personal-firewall-can-either-help.html>

Right now, I'm real curious about your symptoms. What prompted you to run
browstat in the first place? Let's start there.

And yes, your munging is much better. We all thank you (yeah as if everybody
reads my ramblings).

 

[Michael Meyers]

Michael,

OK, so you just eliminated the last 2 possible causes in my list of 4. As I
implied in my post (which will soon be another blog article with slightly more
detail), the last 2 are the easiest to diagnose.

The first 2 can only be diagnosed after the fact. A firewall problem is best
diagnosed by configuring or by un installing the firewall - at least to diagnose
the problem. An LSP / Winsock problem can only be diagnosed by running the 4
LSP / Winsock fixes, one after the other, until it starts working.

To answer your immediate question, an LSP / Winsock problem can have many
symptoms, in an otherwise working network. Please read my article:
<http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html>

But unless you can describe secondary symptoms (did you maybe have a recent
spyware problem?), I wouldn't start with LSP / Winsock. Is Zone Alarm installed
on both computers? That's where I'd start, whether you like that or not.
<http://nitecruzr.blogspot.com/2005/05/your-personal-firewall-can-either-help.html>

Right now, I'm real curious about your symptoms. What prompted you to run
browstat in the first place? Let's start there.

And yes, your munging is much better. We all thank you (yeah as if everybody
reads my ramblings).

Chuck:

As I've said, I'm not willing to uninstall ZA at this point. Disabling on both
machines has no effect. In terms of configuring, apart from putting each PC in
the other's Trusted Zone, I don't see any other configuration options. Maybe
there's a ZoneAlarm Pro guru out there who can make additional suggestions.

In terms of a corrupted LSP/Winsock, I had already come across
http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html in
my research. I'm not experiencing any of the symptoms described, and I don't
feel that's a likely cause. If it were, you'd have to hypothesize corruption on
BOTH PC's, which doesn't seem likely to me.

To be honest, I can't remember why I started to run browstat in the first place.
I think it was just curiosity, after reading other posts in this newsgroup. I'm
always trying to learn new things, and I've found that reading about the
problems others are having is a good way to learn.

 

[Chuck]

Chuck:

As I've said, I'm not willing to uninstall ZA at this point. Disabling on both
machines has no effect. In terms of configuring, apart from putting each PC in
the other's Trusted Zone, I don't see any other configuration options. Maybe
there's a ZoneAlarm Pro guru out there who can make additional suggestions.

In terms of a corrupted LSP/Winsock, I had already come across
http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html in
my research. I'm not experiencing any of the symptoms described, and I don't
feel that's a likely cause. If it were, you'd have to hypothesize corruption on
BOTH PC's, which doesn't seem likely to me.

To be honest, I can't remember why I started to run browstat in the first place.
I think it was just curiosity, after reading other posts in this newsgroup. I'm
always trying to learn new things, and I've found that reading about the
problems others are having is a good way to learn.

Michael,

Well, curiosity is a wonderful thing, but if you're not experiencing any
debilitating symptoms, then you probably don't need to go any farther.

You're simply the first person I've run across here that seemed to have the
curiosity, and the secondary symptoms (ie the "error = 53") too. I've been very
curious about the actual connection between the LSP/Winsock corruption /
firewall problem and the "error = 53" for a while, and hoped that you'd be
curious enough about it to try and solve it. But if you have no other symptoms,
you probably won't make a good test case anyway.

Zone Alarm Pro is a 2 step configuration. First, you define the Trusted Zone.
Then, you define paranoia / trust level for the Trusted Zone. Have you not done
the second step?

Thanks for reading this far, if your symptoms turn worse, you now know (I hope)
where to find further help.

 

[Michael Meyers]

Michael,

Well, curiosity is a wonderful thing, but if you're not experiencing any
debilitating symptoms, then you probably don't need to go any farther.

You're simply the first person I've run across here that seemed to have the
curiosity, and the secondary symptoms (ie the "error = 53") too. I've been very
curious about the actual connection between the LSP/Winsock corruption /
firewall problem and the "error = 53" for a while, and hoped that you'd be
curious enough about it to try and solve it. But if you have no other symptoms,
you probably won't make a good test case anyway.

Zone Alarm Pro is a 2 step configuration. First, you define the Trusted Zone.
Then, you define paranoia / trust level for the Trusted Zone. Have you not done
the second step?

Thanks for reading this far, if your symptoms turn worse, you now know (I hope)
where to find further help.

Each PC has the IP address of the other PC in its trusted zone. I have left the
settings for the trusted zone at default (Medium), although when I temporarily
set the trusted zone to low (ie firewall off in trusted zone), it made no
difference.

Is this what you mean by setting the paranoia/trust level?

 

[Chuck]

Each PC has the IP address of the other PC in its trusted zone. I have left the
settings for the trusted zone at default (Medium), although when I temporarily
set the trusted zone to low (ie firewall off in trusted zone), it made no
difference.

Is this what you mean by setting the paranoia/trust level?

Michael,

I think what I called the paranoia/trust level is what ZA calls the Security
level. If you have ZAP V5.5 for instance, it's discussed on page 65 of the User
Manual, under "Blocking and unblocking ports". According to the chart, Medium
security level allows outgoing NetBIOS traffic and blocks incoming. So you
would need to either set security level to Low, or manually configure to allow
incoming NetBIOS at Medium level.

Note that there is a lot of latency in the Browser subsystem; changes can take
as long as 50 minutes to show up sometimes. So you have to be patient. Make
the change, and wait.

 

[Michael Meyers]

Michael,

I think what I called the paranoia/trust level is what ZA calls the Security
level. If you have ZAP V5.5 for instance, it's discussed on page 65 of the User
Manual, under "Blocking and unblocking ports". According to the chart, Medium
security level allows outgoing NetBIOS traffic and blocks incoming. So you
would need to either set security level to Low, or manually configure to allow
incoming NetBIOS at Medium level.

Note that there is a lot of latency in the Browser subsystem; changes can take
as long as 50 minutes to show up sometimes. So you have to be patient. Make
the change, and wait.

Your reference to Medium security level blocking incoming NetBIOS traffic is for
the internet zone. The trusted zone at Medium setting allows both incoming and
outgoing NetBIOS traffic, if I understand correctly.

 

[Chuck]

Your reference to Medium security level blocking incoming NetBIOS traffic is for
the internet zone. The trusted zone at Medium setting allows both incoming and
outgoing NetBIOS traffic, if I understand correctly.

Michael,

I was thinking that too - maybe I was thinking of another version of ZAP.

The only reference to Internet Zone or Trusted Zone in that section of the
manual, that I can find, says:

To change a port’s access permission:
1. Select Firewall|Main.
2. In either the Internet Zone Security or the Trusted Zone Security area, click
Custom.
The Custom Firewall Settings dialog appears.
3. Scroll to locate High and Medium security settings.
4. To block or to allow a specific port or protocol, click the check box beside
it.
5. Click Apply, then click OK.

The computer that I tested ZAP on (a long time ago) is unfortunately unavailable
to me, so I will have to take your word for it.