XP Home connectivity lost after SP2: NETBT??

Martin Kochanski

A pair of computers linked via Ethernet: one 98, one XP Home. Each
belongs to the workgroup WORKGROUP and has shares that the other
connects to. After SP2,

- TCP/IP works. I can ping from one computer to the other and I can also
make TCP connections from one computer to the other.
- the 98 computer browsing the network sees WORKGROUP and sees itself
but does not see the XP Home computer.
- the XP Home computer browsing the network through My Network Places
sees WORKGROUP, but WORKGROUP appears blank: it doesn't even see itself
there.
- Event Viewer reports "4311" error messages for NetBT.
- Although TCP/IP > Properties > Advanced > WINS says "Enable NETBIOS",
ipconfig/all reports "NetBIOS over Tcpip Disabled".
- net view \\xpmachine lists all the XP machine's shares.
- net view \\98machine reports "System error 1231 has occurred".
- I have checked that the workgroup name is still WORKGROUP.
- uninstalling the network card and allowing XP to find it again makes
no difference to the problem.
- Disabling Windows Firewall makes no difference to the problem.
- Disabling and re-enabling the LAN connection makes no difference to
the problem.
- Repairing the LAN connection fails. The message is "Windows could not
finish repairing the problem because the following action cannot be
completed: Clearing NetBT".

I'm sort of running out of things to try. Does anyone have any
suggestions?
 
Martin Kochanski

I should add: both computers have fixed IP addresses, of 192.168.0.4 for
Windows 98 and 192.168.0.1 for XP Home - and (as I said) TCP/IP in
itself works perfectly.

The XP Home machine has no LMHOSTS file.
 
Steve Winograd [MVP]

Martin Kochanski said:
A pair of computers linked via Ethernet: one 98, one XP Home. Each
belongs to the workgroup WORKGROUP and has shares that the other
connects to. After SP2,

- TCP/IP works. I can ping from one computer to the other and I can also
make TCP connections from one computer to the other.
- the 98 computer browsing the network sees WORKGROUP and sees itself
but does not see the XP Home computer.
- the XP Home computer browsing the network through My Network Places
sees WORKGROUP, but WORKGROUP appears blank: it doesn't even see itself
there.
- Event Viewer reports "4311" error messages for NetBT.
- Although TCP/IP > Properties > Advanced > WINS says "Enable NETBIOS",
ipconfig/all reports "NetBIOS over Tcpip Disabled".
- net view \\xpmachine lists all the XP machine's shares.
- net view \\98machine reports "System error 1231 has occurred".
- I have checked that the workgroup name is still WORKGROUP.
- uninstalling the network card and allowing XP to find it again makes
no difference to the problem.
- Disabling Windows Firewall makes no difference to the problem.
- Disabling and re-enabling the LAN connection makes no difference to
the problem.
- Repairing the LAN connection fails. The message is "Windows could not
finish repairing the problem because the following action cannot be
completed: Clearing NetBT".

I'm sort of running out of things to try. Does anyone have any
suggestions?

Event ID 4311 means that "Initialization failed because the driver
device could not be created." Are there any other relevant messages
in Event Viewer? Anything about TCP/IP Protocol Driver or IPSEC
Driver?

Make sure that the TCP/IP NetBIOS Helper service is running and is
configured to start automatically.

This web page has more information:

http://www.eventid.net/display.asp?eventid=4311&eventno=910&source=NetBT&phase=1
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Martin Kochanski

Thank you for your quick response. There were no other relevant messages
in Event Viewer.

It turns out that someone was concerned about Windows Firewall leaving
port 445 open to the Internet (even though, in "Exceptions", it's set up
to be "subnet only") and altered
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters to
rename the TransportBindName string. This did indeed prevent my computer
from listening on port 445, but it also (as we have seen) stopped NetBT
working completely. Once I undid that alteration everything was OK.

This does, however, raise the question of the unsecured port 445. Now,
when I am connected to the Internet, netstat quite often reports
ESTABLISHED connections to 'microsoft-ds' on my computer, from remote
dialup computers somewhere else on the Internet. These connections are
of course unwanted and presumably malicious in intent.

1. Is there any way of blocking these connections, since Windows
Firewall won't do it?
2. Are these connections a security risk?
 
Hans-Georg Michna

1. Is there any way of blocking these connections, since Windows
Firewall won't do it?

Martin,

I think the Windows firewall will do it if you set a user
defined IP address range, rather than selecting subnet.

If I'm not mistaken, this is a known defect in the firewall,
likely to be fixed soon, but meanwhile the address range should
do.

This is only from memory, so please test it before you rely on
me.

Hans-Georg
 
Martin Kochanski

I think I did try the address range yesterday, in the form
192.168.0.0/255.255.255.0, with no apparent effect: the incoming
connections were still there.

Now I've tried 192.169.0.1,192.168.0.4 and that seems to have worked.

Thank you for the tip!

Martin.
 
Hans-Georg Michna

I think I did try the address range yesterday, in the form
192.168.0.0/255.255.255.0, with no apparent effect: the incoming
connections were still there.

Now I've tried 192.169.0.1,192.168.0.4 and that seems to have worked.

Martin,

thanks for reporting back!

The security hole is so big that they'll have to do something
about it soon, methinks.

Hans-Georg
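
Added example, not part of the original thread: one way to confirm that a firewall scope change like the one discussed above took effect is to scan `netstat -an` output for ESTABLISHED connections to local port 445 from peers outside the allowed list. The allow-list uses the two LAN addresses given in the thread; the function names and the sample output are constructed for illustration.

```python
import ipaddress

# Addresses permitted to reach SMB: the two LAN hosts named in the thread.
ALLOWED = {ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("192.168.0.4")}
# netstat shows the port as 445 with -n, or as the service name without it.
SMB_PORTS = {"445", "microsoft-ds"}

# Constructed sample of netstat output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:445        192.168.0.4:1034       ESTABLISHED
  TCP    203.0.113.7:445        198.51.100.23:2871     ESTABLISHED
  TCP    203.0.113.7:1160       198.51.100.80:80       ESTABLISHED
  TCP    203.0.113.7:microsoft-ds  dialup-17.example.net:3412  ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def unexpected_smb_peers(netstat_text, allowed=ALLOWED):
    """Return foreign hosts holding an ESTABLISHED connection to local
    port 445 that are not in the allowed set."""
    flagged = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # headers, UDP rows, LISTENING sockets
        _, local_port = split_endpoint(fields[1])
        if local_port not in SMB_PORTS:
            continue  # includes outbound connections from this machine
        peer, _ = split_endpoint(fields[2])
        try:
            if ipaddress.ip_address(peer) in allowed:
                continue
        except ValueError:
            pass  # resolved hostname: cannot be matched, so report it
        flagged.append(peer)
    return flagged

if __name__ == "__main__":
    for peer in unexpected_smb_peers(SAMPLE):
        print("unexpected SMB peer:", peer)
```

An empty result after the scope change, taken while connected to the Internet, is the outcome the thread describes as "seems to have worked".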
 
