Re: Big problem with Vista clients

From my PC, I did a gpupdate /force, then rebooted & logged in 3
times. Verified in the logs that domain GPs are being applied. Still
have the problem.
I left the IP settings as static rather than auto as I see that I have
a big red X between the server and the Internet when I look at Network
and Sharing Center. I don't see anything significant in the
Application log; I see several errors in the System log - EventID
1050, Windows Remote Management:

Log Name: System
Source: Microsoft-Windows-WinRM
Date: 3/13/2009 9:06:03 AM
Event ID: 10150
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: adminassistant.whooper.local
Description:
The WinRM service could not use the following listener to receive
WS-Management requests. The listener is enabled but the listener does
not have an IP address configured.

User Action
Check the underlying network configuration to determine if this
listener has at least one valid IP. If the IP is valid, ensure that
WinRM configuration does not exclude that IP address by using the
following command:

winrm get winrm/config/service

Additional Data
Listener transport: HTTP
Listener address: *
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM"
Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" EventSourceName="WinRM" />
<EventID Qualifiers="7">10150</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-03-13T14:06:03.000Z" />
<EventRecordID>51192</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>adminassistant.whooper.local</Computer>
<Security />
</System>
<EventData Name="Unusable Listener">
<Data Name="transport">HTTP</Data>
<Data Name="address">*</Data>
</EventData>
</Event>

The Security log has several Audit Failures, EventID 5152, Microsoft
Windows Security Auditing. Some are to Microsoft, but a bit more than
half are to Akamai Technologies, Qwest (I did a WHOIS at
DNSStuff.com). Here's a sample:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/13/2009 8:58:03 AM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: adminassistant.whooper.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
Process ID: 3912
Application Name: \device\harddiskvolume2\windows\system32\searchfilterhost.exe

Network Information:
Direction: Outbound
Source Address: 192.168.16.25
Source Port: 53822
Destination Address: 67.132.30.34
Destination Port: 80
Protocol: 6

Filter Information:
Filter Run-Time ID: 67392
Layer Name: Connect
Layer Run-Time ID: 48
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-03-13T13:58:03.440Z" />
<EventRecordID>932350</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="64" />
<Channel>Security</Channel>
<Computer>adminassistant.whooper.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">3912</Data>
<Data Name="Application">\device\harddiskvolume2\windows\system32\searchfilterhost.exe</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">192.168.16.25</Data>
<Data Name="SourcePort">53822</Data>
<Data Name="DestAddress">67.132.30.34</Data>
<Data Name="DestPort">80</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">67392</Data>
<Data Name="LayerName">%%14611</Data>
<Data Name="LayerRTID">48</Data>
</EventData>
</Event>

Don't know if any one item is significant, or if they are as a group,
or not at all.

I'll now try changing the NIC to auto for IP and see what happens.

Mike
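
Added example, not part of the original post: a Python parser that tallies exported 5152 packet-drop events by application and destination, so a run of Audit Failures can be triaged as a group instead of one address at a time. The template reproduces fields from the event quoted above; the 203.0.113.10 event, the sample list and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder codes and their rendered text, as both appear in the quoted event.
PLACEHOLDERS = {"%%14593": "Outbound", "%%14611": "Connect"}
PROTOCOLS = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers

# Trimmed copy of the 5152 event XML above, including the wrapped path.
TEMPLATE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>{eid}</EventID></System>
<EventData>
<Data Name="Application">\device\harddiskvolume2\windows
\system32\searchfilterhost.exe</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="DestAddress">{dst}</Data>
<Data Name="DestPort">80</Data>
<Data Name="Protocol">6</Data>
<Data Name="LayerName">%%14611</Data>
</EventData></Event>"""
# Constructed sample: two drops to the posted address, one other, one non-5152.
SAMPLE = [TEMPLATE.format(eid=e, dst=d) for e, d in [
    ("5152", "67.132.30.34"), ("5152", "67.132.30.34"),
    ("5152", "203.0.113.10"), ("10150", "67.132.30.34")]]

def parse_5152(event_xml):
    """Return the EventData fields of one 5152 event as a dict, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5152":
        return None
    fields = {}
    for d in root.findall("e:EventData/e:Data", NS):
        # Rejoin values that a mail or news client wrapped across lines.
        value = re.sub(r"\s*\n\s*", "", d.text or "").strip()
        fields[d.get("Name")] = PLACEHOLDERS.get(value, value)
    proto = fields.get("Protocol")
    fields["Protocol"] = PROTOCOLS.get(proto, proto)
    return fields

def summarize(events):
    """Count drops per (executable, destination, port, protocol)."""
    counts = Counter()
    for xml_text in events:
        f = parse_5152(xml_text)
        if f:
            exe = f["Application"].rsplit("\\", 1)[-1]
            counts[(exe, f["DestAddress"], f["DestPort"], f["Protocol"])] += 1
    return counts
```

`summarize(SAMPLE).most_common()` lists the busiest application and destination pairs first.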