If you can't find what you need, use the site search on the toolbar above.

Windows Firewall Problems

When reading the Knowledgebase articles, be aware that Internet Connection Firewall (ICF) refers to the firewall in XP prior to Service Pack 2. In Service Pack 2 the firewall was renamed to Windows Firewall.

Description of the Windows Firewall feature in Windows XP Service Pack 2

This article describes the Windows Firewall feature in Microsoft Windows XP Service Pack 2 (SP2). Windows Firewall is the updated software firewall in Windows XP SP2 that replaces the Internet Connection Firewall (ICF) feature.
How to configure the Windows Firewall feature in Windows XP Service Pack 2

Microsoft Windows XP Service Pack 2 (SP2) introduces a new firewall that helps make your system less vulnerable to attack by malicious users or by malicious software, such virus software. We recommend that you always run with a firewall. Without a firewall, you may be more prone to security issues. We do not recommend that you turn off Windows Firewall, but an option exists to do this. This article describes how to disable the Windows Firewall. If you turn off Windows Firewall, take appropriate additional steps to help protect your system. We recommend that you turn off Windows Firewall only when you really have to and only after you have explored all options to make your system more secure.

Despite the word 'settings' being the the only difference between the names of the next two articles, they are not the same document.

Troubleshooting Windows Firewall settings in Windows XP Service Pack 2

Microsoft Windows XP Service Pack 2 (SP2) includes Microsoft Windows Firewall, the updated firewall software that replaces Internet Connection Firewall (ICF). If Microsoft Windows Firewall is blocking a port that is used by a service or by a program, you can configure the Windows Firewall to create an exception. Windows Firewall may be blocking a program or a service if the following conditions are true: Programs do not respond to a client's request. Client programs do not receive data from the server.
Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2

The Windows Firewall feature of Microsoft® Windows® XP Service Pack 2 (SP2), a replacement for the Internet Connection Firewall (ICF) in previous versions of Windows XP, is a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighbouring network devices on a private network. This article describes how Windows Firewall works, the common problems with using Windows Firewall, and the set of tools used to troubleshoot Windows Firewall issues. This article is intended for network administrators and advanced users who are familiar with Windows XP and Transmission Control Protocol/Internet Protocol (TCP/IP).
Windows Firewall may drop ICMP packets on a Windows XP SP2-based computer that has more than one network adapter

You are using a Microsoft Windows XP Service Pack 2 (SP2)-based computer that has more than one network adapter. On this computer, Windows Firewall may drop Internet Control Message Protocol (ICMP) packets when ICMP is enabled in the firewall configuration. In this scenario, Windows Firewall drops the ICMP reply message. Additionally, information that is similar to the following appears in the firewall log:

DateTime DROP ICMP 169.168.25.1 10.10.1.1 - - 60 - - - - 0 0 - SEND
Netmeeting Does Not Disconnect When You Use It Through a Windows XP Firewall

When you use a Netmeeting client to connect to a remote Netmeeting client on a Windows XP-based computer that is running Internet Connection Firewall (ICF), the connection may seem slow and it does not appear to disconnect when the Netmeeting client disconnects.
Windows Firewall accepts an unfiltered three-second unicast response in Windows XP Service Pack 2

The Windows Firewall feature in Microsoft Windows XP Service Pack 2 (SP 2) accepts a three-second unicast response from any source address. This response is not subject to any filtering.
ICMP packets are dropped even though you have configured the Windows firewall feature to allow ICMP packets on your Windows XP Professional Service Pack 2-based computer

If you configure your computer that is running Microsoft Windows XP Professional Service Pack 2 (SP2) as the endpoint of a Tunnel mode Internet Protocol security (IPSec) connection, packets are dropped. This symptom occurs if you turn on the Windows Firewall feature. Additionally, packets are dropped even though you have configured the Windows firewall feature to allow ICMP packets.
The Media Center Extender may not work after you configure a firewall in Windows XP Media Center Edition 2005

When you install the Media Center Extender for Microsoft Windows XP Media Center Edition 2005, and then you configure a firewall on your system, the Extender may not work.
How Windows Firewall affects the UPnP framework in Windows XP Service Pack 2

This article describes how Windows Firewall affects the Microsoft Windows UPnP framework in Microsoft Windows XP Service Pack 2 (SP2). This article also describes the changes that have been made in Windows XP SP2 to minimize these effects.
The Windows Firewall service in Windows XP Service Pack 2, in Windows XP Professional x64 Edition, in Windows Server 2003 SP1, and in x64-based versions of Windows Server 2003 cannot start if the DCOM Process Launcher Service is disabled

You cannot ping a computer that is running Microsoft Windows XP Service Pack 2 (SP2), Microsoft Windows XP Professional x64 Edition, Microsoft Windows Server 2003 Service Pack 1 (SP1), or an x64-based version of Microsoft Windows Server 2003. If you view the Windows Firewall service in the Services snap-in, the Windows Firewall/Internet Connection Sharing service has not started. This symptom occurs even if the startup type is set to automatic. If the Windows Firewall service cannot start, all incoming connections are refused until the Windows Firewall service starts successfully. Additionally, the status of the Network Connections service and the COM+ Event System service may be in a pending state.
You cannot start the Windows Firewall service in Windows XP Service Pack 2

After you install Microsoft Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. You may experience one or more of the following symptoms:

When you click Windows Firewall in Control Panel, you may receive the following error message:

Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?

If you click Yes, you receive the following error message:

Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.

If you try to manually start the Windows Firewall service by using Services, you may receive the following error message:

Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer.

Error 0x80004015: The class is configured to run as a security id different from the caller

The following events may appear in the system event log:

Event ID: 7036
Event Source: Service Control Manager
Event Type: Information Event
Category: None
Description: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
Event ID: 7023
Source: Service Control Manager
Type: Error
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller
Programs Require Manual Port Configurations with Internet Connection Firewall

Describes some programs that require you to manually open ports so that the programs can work correctly.
Remote Assistance May Not Work if Internet Connection Firewall Is Enabled

When an expert attempts to connect to a novice's computer, the expert may receive the following error message: A Remote Assistance connection could not be established.
Internet Connection Firewall Does Not Filter or Provide Firewall Services During Startup and Shutdown

When you start or shut down your Windows XP-based computer, the Internet Connection Firewall (ICF) does not filter or provide firewall services. During the startup or shutdown process, users can connect to your computer or to any program or service that may be available. Note that other than these two times, ICF works correctly.
How to turn on or turn off the firewall in Windows XP

Explains how to turn on or turn off the firewall feature in Windows XP.
Internet firewalls can prevent browsing and file sharing

Explains that turning on a firewall may keep you from searching or sharing files with other computers on a home network.
You receive an "Access denied" or "The network path was not found" error message when you try to remotely manage a computer that is running Windows XP Service Pack 2

Describes an issue where the default configuration of the Windows Firewall program in Windows XP SP2 blocks incoming traffic on port 445.
How to manually open ports in Internet Connection Firewall in Windows XP

Describes how to manually open ports in Internet Connection Firewall (ICF) in Windows XP to make sure that the programs work correctly when ICF is in use on the local computer or on the gateway computer.
An exception may not show up in the Windows Firewall graphical user interface if you create the exception by modifying the registry

If you create an exception by modifying the registry on a computer that is running Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1), the exception may not show up in the Windows Firewall graphical user interface.
A program is added to the Windows Firewall exceptions list even if you choose to block the program

Consider the following scenario.

The following conditions are true:
  • You are logged on to a computer that is running Microsoft Windows XP with
  • You are logged on to a computer by using a domain user account that has no administrative rights.
  • You start a program that listens on a port.
 After you start the program that listens on a port, a Windows Firewall notification dialog box appears. The Windows Firewall notification dialog box has a Do not display the message after this program check box. You click to select the Do not display the message after this program check box, and then click OK. After you click OK, the program that listens on a port is added to the exceptions list. The exceptions list is located in the Programs and Services box on the Exceptions tab in the Windows Firewall dialog box. However, the program that listens on a port is not checked, and the program that listens on a port appears unavailable.
You cannot modify Windows Firewall settings for an AOL dial-up network connection by using Network Connections in Control Panel in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005

On a computer that is running Microsoft Windows XP Service Pack 2 (SP2) and America Online (AOL) software, you may not be able to perform either of the following tasks:
  • Modify Windows Firewall settings.
  • Use Network Connections in Control Panel to turn off Windows Firewall for an AOL dial-up network connection.
When you right-click the AOL dial-up network connection, the Properties command does not appear on the shortcut menu.
You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network

After you install Microsoft Windows XP Service Pack 2 (SP2) on a client computer, you may experience the following symptoms when you log on to the network:
  • Windows Firewall is disabled. You cannot use the Windows Firewall tool in Control Panel to turn on Windows Firewall or to configure Windows Firewall settings on the Windows XP SP2 client computer. When you try to configure Windows Firewall settings, some options are appear dimmed, and you may receive the following message:
    • For your security, some settings are controlled by Group Policy.
You experience this symptom even if you previously clicked On (recommended) in the Windows Firewall dialog box to turn on Windows Firewall.
  • You cannot use the Security Center item in Control Panel on the Windows XP SP2 client computer to manage security settings.
  • These symptoms occur if either of the following conditions is true:
    • You install Windows XP SP2 on a client computer that is located in a Microsoft Windows Small Business Server (SBS) 2003-based network.
    • You have joined a client computer that is running Windows XP SP2 to a Windows SBS 2003-based network.
Firewall program exceptions that are more than 260 characters cannot be configured by using Group Policy on a Windows XP Professional SP2-based computer

On a Microsoft Windows XP Professional Service Pack 2 (SP2)-based computer, you use Group Policy to configure Windows Firewall settings. You use the Windows Firewall component that is available in the system administrative template to define firewall program exceptions. However, the firewall program exceptions that are more than 260 characters cannot be configured by using Group Policy.

Note: You can define firewall program exceptions that are more than 260 characters by using the Windows Firewall program interface.
You can use Windows Firewall to help protect network bridge connections in Windows XP Service Pack 2

With Microsoft Windows XP Service Pack 2 (SP2), the Windows Firewall has been updated so that you can enable it on network bridge connections. This article describes how to enable, disable, and configure the Windows Firewall on network bridge connections.
How to Play Internet Games Through a Firewall or Proxy Server in Windows XP

This article describes how to play Windows-based Internet games through a network firewall or proxy server. These games include Internet Backgammon, Internet Checkers, Internet Hearts, Internet Reversi, and Internet Spades.
You cannot start the Windows Firewall service in Windows XP SP2

After you install Microsoft Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. Specifically, you experience one or more of the following symptoms:
  • Windows Firewall/Internet Connection Sharing (ICS) is not displayed in the Services list in Control Panel.
  • Windows Firewall/Internet Connection Sharing (ICS) is displayed in the Services list, but you cannot start this service.
  • You receive the following error message when you try to access Windows Firewall settings:
    • Due to an unidentified problem, Windows cannot display Windows Firewall settings.
Firewall ports that you must open when you connect an Xbox 360 console to a Windows Media Center-based computer

This article describes the firewall ports that you must open for an Xbox 360 console to work correctly with a computer that is running Microsoft Windows XP Media Center Edition.
Windows Firewall may block some programs from communicating over the Internet after you install Windows XP Service Pack 2

After you install Windows XP Service Pack 2 (SP2), some programs may seem not to work. By default, Windows Firewall is enabled and blocks unsolicited connections to your computer. This article discusses how to make an exception and enable a program to run by adding it to the list of exceptions. This procedure enables the program to work as it did before the service pack was installed.
You cannot turn on or turn off the Windows Firewall setting on a Windows XP Service Pack 2-based computer

You cannot turn on or turn off the Windows Firewall setting on a Microsoft Windows XP Service Pack 2 (SP2)-based computer.
You cannot scan images with a network scanner when Windows Firewall is turned on in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005

If you turn on Windows Firewall and then select Allow this computer to use a network scanner in the Scanner and Camera window in Control Panel, you cannot use the Scanner and Camera Wizard to access a network scanner.
Exceptions that you added to Windows Firewall by using Remote Assistance while you were logged in to Windows Messenger or MSN Messenger have not taken effect

After you add exceptions to Windows Firewall by using Remote Assistance while you are logged in to Microsoft Windows Messenger or Microsoft MSN Messenger, you notice that the exceptions have not taken effect.
"Windows Firewall has blocked this program from accepting connections from the Internet or network" message appears when you save a file to an FTP Web site in Office

When you try to save a file in a Microsoft Office 2007 or Microsoft Office 2003 program to an FTP server, you receive the following Microsoft Windows Security Alert:

Windows Security Alert

To help protect your computer, the Windows Firewall has blocked some features of this program.

Do you want to keep blocking this program?

Name: program name
Publisher: publisher name

Windows Firewall has blocked this program from accepting connections from the Internet or network. If you recognize the program or trust the publisher, you can unblock it.

Remote Assistance May Not Connect to a Multiple-Homed Windows XP Computer with the Personal Firewall Feature Enabled

When you use a multiple-homed Windows XP-based computer with the Personal Firewall feature enabled, remote users may not be able to connect to the computer in response to a Remote Assistance request.

Also, if you are using a Windows XP-based computer with one network adapter and a modem with the Personal Firewall feature enabled, Remote Assistance does not open the firewall port on the modem connection.
Windows XP SP2 Firewall blocks offers of Remote Assistance

When you use the Windows XP, Help and Support, Offer Remote Assistance feature to offer assistance to a novice using a computer running Windows XP Service Pack 2, the Remote Assistance connection can not be created.
How to use a script to programmatically open ports for SQL Server to use on systems that are running Windows XP Service Pack 2

Microsoft Windows XP Service Pack 2 (SP2) includes Windows Firewall. Windows Firewall is an enhanced version of Internet Connection Firewall (ICF). By default, Windows Firewall is enabled on computers that are running Windows XP Service Pack 2. Windows Firewall will block some network connections that use TCP/IP, that use Named Pipes, or that use Multiprotocol Remote Procedure Call (RPC). This blocking can affect Microsoft Data Engine (MSDE), Microsoft SQL Server 2000, and Microsoft SQL Server 2005.

If you have an application that requires SQL Server or MSDE to have access to the network by using Named Pipes, by using TCP/IP, or by using RPC, you can use the scripts that are provided in the "More Information" section to open the required ports programmatically instead of using Windows Firewall.

Two scripts are included in this article. The first script programmatically configures Windows Firewall to allow SQL Server to listen on the network on all protocols. The second script programmatically configures Windows Firewall to allow SQL Server to listen on TCP/IP only.
You cannot start Windows Messenger after you install Windows XP Service Pack 2

When you try to start Windows Messenger after you install Microsoft Windows XP Service Pack 2 (SP2), Windows Messenger does not start, and you receive the following warning message:

Security Alert
To help protect your computer, Windows Firewall has blocked this program from receiving unsolicited information from the Internet or a network.
Name: Windows Messenger
Publisher: Microsoft Corporation

When you disable the Windows Firewall service on your Windows XP Service Pack 2-based computer, the Computer Browser service stops after five minutes and Event ID 7023 is logged in the Event Viewer

When you disable the Windows Firewall service on your Microsoft Windows XP Service Pack 2 (SP2)-based computer, the Computer Browser service stops after five minutes and the following event is logged in the Event Viewer System log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: <Date>
Time: <Time>
User: N/A
Computer: <Computer Name>
Description: The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.

You may receive a "Remote Assistance failed" error message on a Windows XP-based Internet Connection Sharing client computer that uses the Internet Connection Firewall feature

Consider this scenario: You send a Remote Assistance invitation to a Windows XP-based Internet Connection Sharing host computer from a Windows XP-based Internet Connection Sharing client computer. The client computer has the Internet Connection Firewall (ICF) feature enabled. You receive an error message that is similar to the following:

Remote Assistance failed. Please try again.
You receive a "The page cannot be displayed" error message when you access a Web site that is hosted on a Windows XP SP2-based computer

When you host a Web site on a computer that is running Microsoft Internet Information Services (IIS) version 5.1, and you apply Microsoft Windows XP Professional Service Pack 2 to the computer, you may receive the following error message when you access the site:

The page cannot be displayed. Can't find server or DNS error.

If you use the local browser, you can display the page.
Error Message When You Run the "Ipconfig /Renew" Command

When you run the ipconfig /renew command at a command prompt, you may receive the following error message:

An error occurred while renewing interface local area connection: The system cannot find the file specified.
How to manually enable TCP/IP on Windows XP Service Pack 2 for SQL Server 2000

This article describes how to determine if SQL Server is using a static or a dynamic port, and how to manually enable TCP/IP on Microsoft Windows XP Service Pack 2 for Microsoft SQL Server 2000.

By default, Windows Firewall is enabled on computers that are running Windows XP Service Pack 2. Windows Firewall closes ports such as 445 that are used for file and printer sharing to prevent Internet computers from connecting to file and print shares on your computer or to other resources. When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP ports and these ports must be open. SQL Server clients that are trying to connect to SQL Server will be not be able to connect until SQL Server is set as an exception in Windows Firewall. To configure Windows Firewall in Windows XP Service Pack 2 to allow SQL Server 2000 to listen for TCP/IP traffic on a static port, use the steps that are listed in the "More Information" section.
RIP Listener does not update the route table with new route information

If your Microsoft Windows XP-based computer is running Routing Information Protocol (RIP) Listener, RIP Listener may not update the route table with new route information.

This issue may occur if a firewall is preventing RIP Listener from receiving route information that is sent by routers that are using RIP version 1. When you install Windows XP Service Pack 2 (SP2), Windows Firewall is turned on. If your computer has Windows Firewall or another firewall turned on, incoming UDP port 520 may be blocked.
You no longer receive Print status notification messages when you print to a network printer after you install Windows XP Service Pack 2

After you install Microsoft Windows XP Service Pack 2 (SP2), you no longer receive Print status notification messages when you print to a network printer. This problem occurs even though all the following conditions are true:
  • The File and Printer Sharing option is selected on the Exceptions tab of the Windows Firewall dialog box.
  • The appropriate ports are opened for the subnet for the File and Printer Sharing option.
  • The client computer and the print server are both on the same local subnet.
Windows Firewall may drop the connection request when a host computer tries to connect to a client computer that is running Microsoft Windows XP with Service Pack 2

On a client computer that is running Microsoft Windows XP with Service Pack 2 (SP2), Windows Firewall may drop the connection request when the host computer tries to connect to the client computer. This problem occurs if the following conditions are true:
  • The client computer uses a program that is located on a file server.
  • The program is in the client computer's Windows Firewall exception list.
  • The shared folder on the file server is mapped to a drive letter.
  • The path of the file server is a Distributed File System (DFS) path.
  • The file server program authenticates against a host computer.
Certain Administrative Templates from the Windows XP Security Guide may prevent you from starting the Windows Firewall service in Windows XP Service Pack 2

After you install Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. You may experience one or more of the following symptoms:

When you click Windows Firewall in Control Panel, you may receive the following error message:

Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?

If you click Yes, you receive the following error message:

Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.

If you try to manually start the Windows Firewall service by using Services, you may receive the following error message:

Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer.

Error 0x80004015: The class is configured to run as a security id different from the caller