Tweaks + Secrets - Part 2Go to Windows XP ©Tweaks + Secrets Contents
8-16-04 Updated WinXP/2003 Original ©Trick in TIPSXP.TXT, part of W95-11D.EXE:
XP/2003 FIREWALL GUIDE
Dedicated to Pierre, the inspirational force behind this guide. Definition: The FireWall (FW) is
a hardware and/or software based two-way monitor, detector and filter (blocker/unblocker) of ingress/inbound [incoming = originated from internet/network computer(s)] and egress/outbound [outgoing = originated from local
networked computer(s)] data/packets, set to block/prevent/stop and/or allow/permit/proxy the transmitting (broadcast) of unauthorized, personal, private and/or local/network computer data/packets to dedicated internet/network
based servers/applications and the receiving (download) of unauthorized, internet/network based adware, malware and/or spyware data/packets from reaching/infesting the local/network computer(s).
More info.The Microsoft Internet Connection Firewall
(ICF) installs as part of Windows XP (Home + Professional Editions) and Windows 2003 Server (Standard, Enterprise,
Datacenter + Web Editions), but lacks some of the advanced features found in similar 3rd party
Windows Vista Firewall is even worse, because it gives the user a false sense of security by not prompting
whenever it detects an attack/intrusion, according to ZDNet
ICF is a Windows XP/2003 built-in internet based intrusion prevention tool designed for users of broadband
(xDSL, Cable, Satellite digital modems) and dial-up (analog modems) connections, who are unaware of intrusion threats and of
the need for protection, extends the NAT (Network Address Translation) driver, provides ICMP blocking options and activity
NAT is explained @ Wikipedia.
More info @ MSKB.
features similar functionality to most hardware based firewalls built into network/broadband routers, a combination of packet
and gateway filtering.
FYI: Microsoft acknowledged that ICF blocks ONLY IPv4 traffic, NOT IPv6, without installing Advanced Networking Pack (ANP) for Windows XP/XP SP1/XP SP1a! Windows XP SP3 installs ANP!
Windows Firewall NEW
- All Windows XP 32-bit users MUST install Service Pack 3 (SP3), which installs among many security vulnerability + bug fixes the NEW version of ICF renamed to Windows Firewall
- All Windows 2003 32-bit + 64-bit and Windows XP Professional 64-bit users MUST install Service Pack 2 (SP2).
Stateful inspection is explained @ Wikipedia.XP SP2 WF BUGS:
- host based stateful packet + application inspection filtering aimed to stop
incoming (unsolicited) traffic that does not correspond to either traffic sent in response to a computer request (solicited
traffic) or unsolicited traffic specified as allowed (excepted traffic).
- certain level of protection from malicious users
+ programs that rely on unsolicited incoming traffic to attack computers/networks.
- enabled by default for all active
- global configuration options applicable to all active connections.
- set of rules (accessed via dialog boxes)
for local configuration.
- computer startup (before Logon) protection.
- excepted traffic can be specified by scope and/or
application file name.
- IPv6 + Peer-to-Peer (P2P) networking protocols support.
- configuration options can be applied via
Netsh + Group Policy.
CONCLUSION: To raise
your level of protection efficiently, get a network/broadband router with built-in basic hardware firewall AND a better, customizable software firewall [mostly free(ware)].
- packet filtering does NOT block the Remote Assistance connection service!
- outbound/outgoing (egress) packet
filtering is NOT available!
- packet filtering warnings are NOT available!
Free(ware) Windows Firewalls Compared + Reviewed.ICF/WF can be activated 5
Defaults are set mainly
for outbound traffic, and out-of-the-box ICF/WF blocks only a few ports and protocols Microsoft deems unsafe, which is way
too risky for every day browsing. :(
- Automatically (Windows XP SP3 ONLY): after successfully installing Windows XP SP3, at the begining of the first boot
(before the Logon screen), you will be prompted to enable the new Windows Firewall. MUST do so unless you are using a better 3rd party FW!
whenever you create a new Internet/Network connection you will be asked if you want to take advantage of the XP Firewall Services. Check the Yes box to
enable ICF/WF for your particular connectoid.
- Default (Windows XP SP3 ONLY): right-click the Windows Security Taskbar tray icon
→ select Open Security Settings → check the Windows Firewall box → click OK.
- Manually: open
Control Panel → (double-)click Network Connections → right-click on your Internet/Network connection name → select
Properties → Advanced tab → check the "Internet Connection Firewall" (Windows XP Pre-SP2 + 2003 ONLY) or "Windows Firewall"
(Windows XP SP3 ONLY) box → click Apply/OK.
- Manually (Windows XP SP3 ONLY): open Control Panel → (double-)click
Windows Firewall → select the General tab → check the "On (recommended)" box → click OK.
Therefore it is strongly advised to tweak them manually to enjoy a safer Internet
experience: select the Network Connection Settings tab → click the Settings button → customize ICF/WF to your needs.
good news is ICF/WF blocks RPC calls to TCP port 135 (see port list below for details) by default. :)
Start by making
rules (as you should with any decent FW) for each app, domain, protocol, port etc, separately for outbound and/or inbound,
A rule set does one of two things: (1) blocks [disables] or (2) unblocks [enables] a particular
app/port/protocol/domain/IP/server/computer/etc from/to access(ing) the internet as a whole, or targets one or more specific
internet/network(s) port(s)/domain(s)/server(s)/computer(s).ICF/WF info + guides:Windows Firewall free(ware) tools: Definitions of terms used here:
FYI: See my Glossary for terms definitions.Most frequently
used (a.k.a. common, known, assigned) ports in alphabetical order [can't surf without them ;)]:
- Port: Positive integer number used to identify an endpoint to a logical connection among TCP/IP and UDP networked computers/devices/terminals. Each assigned port number
transmits/receives specific data.
- Protocol: Standardized format for transmitting/receiving data among
- TCP Protocol: transmits/receives data among connected computers/devices/terminals
while forming a session, ensuring delivery and error checking.
- UDP Protocol: transmits/receives data among connected
computers/devices/terminals without forming a session, confirmation, nor error checking.
- Internet Protocol (IP) Address:
- IPv4 Standard (old):
32-bit identifier (numeric address) formed of a group of four 1-3 digit positive integer numbers separated by dots (.)
used to identify a networked computer/device/terminal. Format:
where xxx = any positive integer number between 0 and 255.
Requires network hardware + software capable of Network Address Translation
- IPv6 Standard (new):
The IPv6 address contains 2 logical parts:
128-bit identifier (hexadecimal address) formed of eight groups of 4 hexadecimal digits, each group representing 16 bits (2 octets) separated by colons
(:) used to identify a networked computer/device/terminal. Format:
- 64-bit network prefix and
- 64-bit host address, usually
detected and generated automatically from the interface MAC address.
where xxxx = any 4 digit 16-bit hexadecimal
number, from 0000 up to ffff (case insensitive); leading zero(es) may be omitted (example): 0000 can be abbreviated as 0 .
Requires network hardware + software capable of:Local/private/intranet networked computers/devices/terminals can be assigned any random (unique) IP
address specific only to that particular network. Internet/public IP addresses must be registered with a Regional Internet Registry (RIR):
AfriNIC, APNIC, ARIN, LACNIC or RIPE to avoid duplication.
Most frequently used Trojan/Zombie ports [malware, MUST
- DCE [port
135] = Distributed Computing Environment endpoint resolution mapper [RPC (Remote Procedure Calls) locator service]. Used by fault tolerant networks to
remotely manage services and distributed applications. Always block if not using such services/apps.
Broadcast port for
messaging purposes only, used for example by Microsoft Windows Media Player (WMP) to send personal data [talk about privacy!
:(] from users' computers to their spamming/spying "dedicated" servers.
Windows XP/XP SP1/XP SP1a/XP MCE/2003 users MUST INSTALL this Microsoft Fix (English) in order to close
RPC service (port 135) from unauthorized requests, and avoid being "infected" by the Blaster/MSBlast/Lovesan Worm!
Pre-SP1 RPC Fix [2.84 MB].
Pre-SP2 RPC Fix [3.08 MB].
Windows XP SP2, XP SP3, 2003 SP1 + 2003 SP2 include this Fix!
- DHCP [ports 67/68 + 546/547] = Dynamic Host Configuration Protocol assigns dynamic
IP addresses to network devices, mandatory for net access. Never block.
- DNS [port 53] = Domain Name System (or
Service) translates internet Domain Names (alphabetic) into IP addresses (numeric). Must be always open. Let through
- Finger [port 79] = Interface protocol for RUIP (Remote User Information Program) connections. Always block,
unless using it.
- FTP [ports 20 (data) + 21 (control)] = File Transfer Protocol used for uploading and downloading
files to and from FTP host servers, which can block unauthorized access by requesting user id and/or password. Block only for
outbound (outgoing), unless user id and/or password required to log on to specific servers.
- Gopher [port 70] = Old
text based data retrieval protocol, very rarely used nowadays. Always block if not using any Gopher apps.
- HTTP [port
80] = HyperText Transfer Protocol defines the way web browsers communicate (through client outgoing requests followed by
host incoming reactions) with host servers located on the WWW (World Wide Web), which constitutes the largest internet
"slice". Mandatory for web access. Always let through, unless you refuse to surf the web. ;-/
- HTTPS [ports 443 +
445] = HyperText Transfer Protocol Secure. Used by SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
protocols, for example in web based monetary transactions. Block only if you do not make any purchases over the internet
nor wish to access any secure web pages.
- Ident/Auth [port 113] = Identification/Authentication protocol used by
some servers (like IRC) to uniquely recognize a user or computer upon query. Block only if not using IRC or similar
- IMAP [port 143] = Internet Message Access Protocol (gradually replaced by IMAP4) used for
sending and retrieving email to and from dedicated servers. Unblock only for email apps using the IMAP
- NetBIOS [ports 137 (name), 138 (datagram) + 139 (session)] = Network Basic Input Output System. API
(Application Programming Interface) used on LANs (Local Area Networks). Always block, unless using NetBIOS on your
network(s) and/or on the network(s) you connect to.
- NNTP [ports 119 + 563] = Network News Transfer Protocol used
to post, distribute and retrieve USENET messages. Block only if not using USENET.
- NTP [port 123] = Network Time
Protocol (UTC based) standard used by dedicated atomic clock servers to adjust periodically the CMOS clock time on client
computers accurately. Block only if not using this feature.
- Ping [various ports, server dependent] = Packet
Internet Groper used for troubleshooting IP address connections through ICMP (Internet Control Message Protocol). Always
block, unless testing your machine's MTU (Maximum Transmission Unit) by "pinging" your ISP (Internet Service Provider).
- POP3 [ports 110 + 995 (TLS/SSL)] = Post Office Protocol version 3 used for sending and retrieving email to and
from dedicated servers. Unblock only for email apps using POP3 standard.
- SMTP [port 25] = Simple Mail Transfer
Protocol used for sending email by clients to servers and among servers. Unblock only for email apps.
- SNMP [ports
161 + 162] = Simple Network Management Protocol is a set of protocols for managing complex networks. Unblock only if
using SNMP based network(s).
- TCP [various ports, application/server dependent] = Transmission Control Protocol
mandatory for connecting to and exchanging information with any host computer. Let through on individual rule/app/server
- Telnet [port 23] = Character based protocol used by Unix/Linux/BSD machines. Always block, unless using
any Telnet apps over the internet/network(s).
- TFTP [port 69] = Trivial File Transfer Protocol used for uploading
and downloading files to and from TFTP host servers, which do not restrict access. Block only for outbound
- UDP [various ports, application/server dependent] = User Datagram Protocol. Try to block when
possible, especially to prevent private info "leakage". Broadcast ports for messaging purposes only, used for example by
Real(One) Player (RP) and Microsoft Windows Media Player (WMP) to send personal data [talk about privacy! :(] from users'
computers to their spamming/spying "dedicated" servers.
There are a total of 65535 ports (a.k.a. address numbers), used by
networked computers to create logical connections, and categorized as follows:
- 123 + 10100 = GiFt.
- 146, 17569, 34763 + 35000 = Infector.
- 623 =
- 901, 902 + 903 = Net-Devil.
- 1243, 6776 + 27374 = Subseven.
- 1560, 2001 + 2002 = Duddies.
- 2800, 3000, 3700
+ 7000 = Theef.
- 3128 = Masters Paradise + RingZero.
- 5151 = Optix.
- 7410 = Phoenix II.
- 9696 = Ghost.
11051 + 15094 = Host Control.
- 12345, 12346 + 20034 = NetBus.
- 12348 + 12349 = BioNet.
- 25685 + 25686 =
- 31337 = Back Orifice.
More port info:Note that port numbers are assigned on per application/server approval basis by IANA (Internet Assigned Numbers Authority), the world wide (global) profit-free
organization responsible for managing and distributing internet ports to companies, businesses, vendors, ISPs etc.
- 0-1023 =
standard (known) ports: see examples above.
- 1024-49151 = registered ports (regulated): assigned by IANA to net
based services (e.g. ISPs).
- 49152-65535 = dynamic (private) ports (unregulated): unassigned, thus some are
available to knowledgeable hackers for privacy invasion purposes. :(
posts periodically a complete list of all ports (must
be in public domain) and entities currently using them.Also, open the %windir%\System32\Drivers\Etc\SERVICES (plain
text) file in Notepad and take a look at the Microsoft list of known/used ports.ICF/WF guidelines: when you let an
app through, open ONLY the TCP/UDP port(s) you know it needs to use in order to operate over the internet/network(s), and
close ALL OTHER ports, especially the ones you know are on the "black" list: some of the known exposed (dangerous) ports are
listed after you complete the security port scan tests at Gibson
More internet security resources.A blocked app means that all its ports/protocols
are closed as far as it is concerned, both outbound (outgoing) and inbound (incoming).
You also need to make it work with
your particular apps, and at the same time have some degree of protection from "unscheduled outbound travellers".
from the Stargate SG-1 sci-fi TV series (Stargate theatrical film
spin-off).]Try not to block/unblock both TCP and UDP within the same rule for the same app/protocol, make separate rules for each, as you should also for outbound and inbound, respectively.Note that
software based firewalls are never as secure as network/internet
routers/switchers/splitters that have built-in hardware based firewalls (low level = block unwanted apps/ports before reaching the OS), because it is very difficult and time consuming to block every dangerous port from
within the OS (high level = block unwanted apps/ports after reaching the OS).
Example: software FWs do NOT filter/protect NOR provide firewall services whenever you start up or shut down your machine! Therefore, during the
startup and/or shutdown routines ANY user can connect to your computer and/or to ANY running services/applications... feeling vulnerable already? :(That's why I strongly recommend, especially
if surfing on broadband (xDSL, cable, satellite or Wi-Fi), and/or using more than one computer to access the internet, to purchase a good
multipurpose 4-port (or more, depending on your needs) router with built-in hardware firewall and IPv6 capabilities. Your best bet is a wireless broadband router with 4-port 10/100/1G Ethernet switch with auto-speed sensing and Wi-Fi encryption. See also this review.IMPORTANT: Always allow full access to these 2 XP OS services (both files reside in the
%windir%\System32 folder, usually C:\Windows\System32):
- Alg.exe (Application Layer Gateway Service) = integral part of the built-in ICF/WF, controls
FTP connections among other functions. Needs to run for the ICF/WF to work properly.
- Svchost.exe (Generic Host Process for Win32 Services) = integral part of XP OS, mandatory to
run at all times, it canNOT be stopped or (re)started manually, loads/unloads/manages internal/external 32-bit DLLs/other services, and in normal conditions more than one Svchost.exe instance/thread will always be
As an avid internet user, I can't rely on XP's rudimentary firewall to take care of business [nor should you! ;)], so I strongly recommend to install one of these freeware firewalls.FYI:
Firewall + Security resources.Back to XP's ICF/WF...
Go to: Control Panel
→ Networks → your Internet/Network connection →
Properties → Advanced → Parameters → Services list
→ Adjust → Description of Service → type your own
description [i.e. Windows Messenger UDP] → Name/IP box → type your computer or IP name/address
→ External Port → check TCP or UDP → click OK or press
Note that a port you want open and an internal port unfortunately mean the same thing in Microsoft's "lingo". :(
Now create a new rule for each port you want opened (or closed), folowing the port table
examples below for known applications.
Here are only a few, but you need to study the manufacturer's documents/guides regarding specific port numbers assigned to your particular net apps, games, tools
MSKB: Programs that may require to open ports manually.FYI: See "INTERNET TIME THROUGH FIREWALL", also in TIPSXP.TXT [part of W95-11D.EXE], to learn how to synchronize your PC time with a dedicated time server while using
ICF/WF.Back 2 Contents
8-29-02 WinXP ©Trick in TIPSXP.TXT, part of W95-11D.EXE:
|App/Game name||TCP port(s)
used||UDP port(s) used|
|XP native apps:|
|NetMeeting||389, 522, 1503, 1720, 1731|
|3rd party apps:|
|America OnLine (AOL)||5190-5193||5190-5193|
|AOL AIM||443, 563, 4099, 5190|
|Black and White||2611-2612, 6500, 6667, 27900 |
|Crimson Skies||1121, 3040, 28801, 28805|
|Counter Strike Servers||26000-30000|
Reign 2||3100, 3568, 3999||3100, 3568,
|Earth & Beyond||21 (patch)|
Force||26000, 27500, 27910, 27960|
|Halo PC||80||2302, 2303|
|MSN Gaming Zone||2880-29000, 6667|
|MSN Gaming Zone DirectX ||2300-2400, 47624|
|Need for Speed||9442||6112|
|Need for Speed 3||1030|
|Quake II/III Servers||26000-30000|
|Quake III||27960 (add 1 for each
|Rainbow Six||2346, 2347,
2348||2346, 2347, 2348|
|Tiberian Sun||1140-1234, 4000||1140-1234, 4000|
SINGLE CLICK SHUTDOWN
Did you know that in Windows XP you can shut down your computer from the (eventually DOS prompt) command line box?
Moreover, you can do this by clicking your mouse only once. :)
All you need to do is... right-click on an empty Desktop
spot → select New → Shortcut → type shutdown followed by a space, and then enter one or more of the parameters
listed below → click Next → type a suggestive name for your new shortcut → finally, click Finish.
This is the
Shutdown.exe (located in %windir%\System32, usually C:\Windows\System32) syntax:
shutdown [-i|-l|-s|-r|-a] [-f] [-m \\computername] [-t xx] [-c "Text"] [-d[u][p]:xx:yy]
Valid command line switches:
-a = Abort system shutdown in progress ONLY IF the -t xx
timeout option was already set to ANY value other than 0. ALL switches except -l and -m are ignored during abort.-c
"Text" = Text comment (case insensitive) to be displayed in the Message area of the System Shutdown window. MUST be
enclosed between quotes. Maximum allowed 127 ASCII characters.-d [u][p]:xx:yy = Reason code for shutdown:NOTES:
u = User code.-f =
Force running applications to close without warning.-i = Display the shutdown interface (GUI). MUST be the first
option!-l = Log off the current user of the local computer (default action). CanNOT be used with the -m option
unless the current user has Administrator rights, in which case the -m switch takes precedence.-m \\computername =
Remote/network computer name (most always case sensitive) to log off/restart/shut down. Current user MUST have Administrator
rights to be allowed to use this switch!-s = Shut down the local computer.-r = Shut down and restart
(reboot) the local computer.-t xx = Set shutdown timer to timeout for xx seconds. IF NOT specified defaults to 20
seconds. Allowed values between 0 and 99 seconds. The -a switch is the ONLY one that CAN be used during the timeout
p = Planned shutdown code.
xx = Major reason code. Positive
integer number less than 256.
yy = Minor reason code. Positive integer number less than 65536.
example:shutdown -s -c "Shutting down!" -t 3tells your computer to shutdown after waiting
for 3 seconds while the System Shutdown window will display text above in the Message area.Optional: after you're
done creating your customized shortcut for shutdown → right-click on it → select Properties → enter your desired key
"combo" in the Shortcut Key box (example: Ctrl + Alt + End) → click OK/Apply.
- The dash () in front of these
switches can be replaced by a forward slash (/).
- Spaces are NOT required to separate the shutdown command
from ANY following switches, but ARE required to separate ANY switch from its following parameter(s), if any.
From now on just left-click on your
shutdown shortcut or hit that key combination to turn off/restart/log off your XP computer. :)FYI:
Windows NT4/2000 owners can use this similar 3rd party ShutDown command line
tool [40 KB, freeware].Back 2 Contents
5-23-02 WinNT4/2000/XP/2003 Registry ©Trick in TIPSXP.TXT, part of W95-11D.EXE:
GET BACK YOUR CD/DVD
This is a two part BUG fix.
BUG:After installing/uninstalling Roxio (Adaptec) Easy CD Creator and/or DirectCD on/from your Windows
NT4/2000/XP/2003 system, your CD-ROM/CD-R(W)/DVD-ROM/DVD-R(W)/DVD-RAM drives may get suddenly lost. :( The CD/DVD drive
icon(s) may disappear from My Computer, Windows Explorer and any other disk/file browsing app. Also, if you try to
view/open/run any CD/DVD based folder/file, you may encounter several popup messages linked to one of these error Codes:
19, 31, 32, 39 and/or 41.FIX:But these BUGs can be fixed by hacking your
- BUG:Users of CD/DVD (re)writing
software (Roxio/Adaptec Easy CD Creator + DirectCD, Ahead Nero Burning ROM etc) may bump into error messages such as "No
ASPI devices installed" while using any of these utilities.
This is due to a flaw into the Adaptec ASPI Layer
ASPI stands for Advanced SCSI Programming Interface, but this applies to ALL
(E)IDE/ATAPI/SCSI CD-R(W)/DVD-R(W)/DVD-RAM drive owners.FIX:Start by installing the
current Windows NT4/2000/XP/2003 Standard ASPI Layer drivers from Adaptec.
Direct download [510 KB, free].
Make sure to use
the INSTALL.BAT file provided with the package to copy ONLY the appropriate drivers for these Win32 OSes:
ASPI32.SYS (in %windir%\System32\Drivers) + WNASPI32.DLL (in %windir%\System32).
Open Windows Explorer and
delete (if present) WOWPOST.EXE + WINASPI.DLL from %windir%\System.
Reboot when done.
(also included) to make sure you have properly upgraded to version 4.7x.
Now copy & paste text between lines below
into Notepad and save this as a .REG file [name doesn't matter, only the extension does :)]:-----Begin cut & paste here-----
------End cut & paste here------Finally, double-click on
the REG file in Windows Explorer.
Reboot one more time.
Done.NOTE: If still having problems
using your Roxio recording software, replace 2 with 1 on the "Start" line above, and then merge (run)
the modified .REG file into your Registry one more time.FYI: Similar fixes:
You must be logged on with Administrator rights to be allowed to edit the Registry.
Fire up Regedit or
Regedt32 and go to:
sure Read only mode is disabled in Options menu.BACKUP this Registry key BEFORE MAKING ANY CHANGES:
→ click Registry from the File menu → select Export Registry File... → browse to your desired
location → type a file name
→ click Save.
Now look in the right hand pane for these 2 REG_MULTI_SZ Values: "UpperFilters" and
"LowerFilters". Right-click on each one, select Delete and click OK.
Close the Registry Editor and restart Windows
The catch is that after doing this you may also lose your CD/DVD recording capabilites. :(
In this case,
check this Roxio Support page for software
patches/updates/fixes [free subscription required!], and install the current ones applying to your particular
These Roxio Support pages may also provide some help:Uninstalling
and/or reinstalling the affected Roxio software may also solve this issue.
If none of these methods work, then open
Windows Explorer and (double-)click the REG file created when you backed up the Registry key above to restore the original
values. Restart Windows when done.FYI: More info + FIXes @ Microsoft:Back 2 Contents