Archive for June, 2005

The Services Running On Your Computer

June 28, 2005

Services are the various low-level system processes that all programs and applications depend upon. Services run independently of who is logged in to a computer; most services start when the computer is started, not after login.

While there are many services provided with the Operating System, not all services are essential on any given computer, and a given service may not be running at any given time.

The essential services must be running, yet other services may have to be NOT running, on your computer. You must make the decision, based upon how your computer is to be used. You set each service in question appropriately.

You can start, stop, change startup status, and / or query the status of a service interactively (using a GUI), or from a command window (using a script).

You can use the Services wizard, interactively.

  • Control Panel.
  • Administrative Tools.
  • Services.
  • Find the service in question, and double click on it.

Do you need the service running?

  • What is its Status? If not Started, then Start it.
  • What is its Startup Type? If not Automatic, then set it to Automatic.

Do you need the service not running?

  • What is its Status? If not Stopped, then Stop it.
  • What is its Startup Type? If not Disabled, then set it to Disabled.

If the service wouldn’t start, or if its Startup Type wouldn’t change, it may have a dependency. Look on the Dependencies tab, under “This service depends upon the following system components”. Make sure that everything there is present on the computer, and all services listed are Started.

You can also use the Services Controller, aka “SC”, from a command window. Observe the spaces in the examples below; they are essential.

  • To find out the status of the browser service, enter

    sc query browser

  • To stop the browser service, enter

    sc stop browser

  • To start the browser service, enter

    sc start browser

  • To disable the browser service at startup, enter

    sc config browser start= disabled

  • To enable the browser service at startup, enter

    sc config browser start= auto

For more information about the Services Controller, see Using Sc.exe and Netsvc.exe to Control Services.

If that doesn’t help, check Event Viewer for additional clues.

For more information about the many services, the Internet expert is BlackViper, and you can (currently) refer to a mirror of his website Windows XP Home and Professional Service Pack 2 Service Configurations.

Note that each service has TWO identities. Some utilities and wizards might use one identity to refer to a service, others might use the other. The Browser Service has, for instance,

  1. Service Name: Browser.
  2. Display Name: Computer Browser.

The Workstation Service has,

  1. Service Name: lanmanworkstation.
  2. Display Name: Workstation.

Don’t be confused if you can’t find a particular service in a list, or if the SC command doesn’t seem to work. Make sure that you know both identities for the service that you’re interested in.
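The check described above (Status, Startup Type, dependencies, and the two identities of each service) can be run over captured SC output. This is an added example, not part of the original article; the sample log is constructed, `sc qc` is the SC subcommand that reports Startup Type and Display Name, and the function names and the baseline format are assumptions of this example.

```python
import re

# Constructed sample (not from a real machine): "sc query" and "sc qc" output
# for two services, concatenated as if redirected into one text file.
SAMPLE = r"""
SERVICE_NAME: Browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Browser
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Computer Browser
        DEPENDENCIES       : LanmanWorkstation
                           : LanmanServer

SERVICE_NAME: lanmanworkstation
        STATE              : 1  STOPPED
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanworkstation
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : Workstation
        DEPENDENCIES       :
"""

FIELD = re.compile(r"^\s*([A-Z_0-9]+)\s*:\s*(.*)$")
CONTINUATION = re.compile(r"^\s+:\s*(\S.*)$")   # extra DEPENDENCIES lines


def parse_sc_output(text):
    """Merge 'sc query' and 'sc qc' blocks into one record per service."""
    services, current, last_key = {}, None, None
    for line in text.splitlines():
        cont = CONTINUATION.match(line)
        if cont and current is not None and last_key == "DEPENDENCIES":
            current["dependencies"].append(cont.group(1).strip())
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        last_key = key
        if key == "SERVICE_NAME":
            current = services.setdefault(
                value.lower(), {"name": value, "dependencies": []})
        elif current is None:
            continue
        elif key in ("STATE", "START_TYPE"):
            current[key.lower()] = value.split()[-1]   # "1  STOPPED" -> "STOPPED"
        elif key == "DISPLAY_NAME":
            current["display_name"] = value
        elif key == "DEPENDENCIES" and value:
            current["dependencies"].append(value)
    return services


def resolve(services, identity):
    """Find a service by either identity: Service Name or Display Name."""
    wanted = identity.lower()
    for svc in services.values():
        if wanted in (svc["name"].lower(), svc.get("display_name", "").lower()):
            return svc
    return None


def remediation(services, baseline):
    """Return the sc commands that bring each service to its baseline state."""
    cmds = []

    def add(cmd):
        if cmd not in cmds:
            cmds.append(cmd)

    for identity, want in baseline.items():
        svc = resolve(services, identity)
        if svc is None:
            add(f"rem {identity}: not found under Service Name or Display Name")
            continue
        name = svc["name"]
        if want == "running":
            # Startup type first: a Disabled service cannot be started.
            if svc.get("start_type") != "AUTO_START":
                add(f"sc config {name} start= auto")
            # Dependencies that appear in the log must be Started first.
            for dep in svc["dependencies"]:
                d = resolve(services, dep)
                if d is not None and d.get("state") != "RUNNING":
                    add(f"sc start {d['name']}")
            if svc.get("state") != "RUNNING":
                add(f"sc start {name}")
        elif want == "disabled":
            if svc.get("state") != "STOPPED":
                add(f"sc stop {name}")
            if svc.get("start_type") != "DISABLED":
                add(f"sc config {name} start= disabled")
    return cmds


if __name__ == "__main__":
    parsed = parse_sc_output(SAMPLE)
    for cmd in remediation(parsed, {"Workstation": "running",
                                    "Computer Browser": "running"}):
        print(cmd)
```

The baseline may name a service by either identity; a service that is absent from the log is reported rather than guessed at.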

File Sharing On A LAN With Two Routers

June 27, 2005

File sharing on a LAN with a single segment (all computers connected to the same router) is fairly simple. Windows Networking uses requests broadcast between all computers, transported over NetBIOS Over TCP (NetBT).

  • Browser broadcasts help to advertise the existence of a computer to the others. This enables each computer to be displayed in My Network Places / Network Neighborhood.
  • Name resolution broadcasts help a computer find out the IP address of another computer. With Windows Networking using NetBT, IP addresses are essential.

If you use Windows Networking in its native form, by opening My Network Places, and clicking on a server name, to see a list of its shares, you’re using broadcasts.

Now, you can’t have every computer in the world broadcasting to every other computer. So, NetBT broadcasts, by design, don’t pass thru routers. One router = one subnet = one broadcast domain.

What if you need to have two or more routers on your LAN, but you need to have just one broadcast domain, so you can share files everywhere?

  • The primary router is to be next to the broadband modem, and you have to run a long cable to another room, with a secondary router, to connect wireless computers in there.
  • The primary router ran out of ports, so you used the secondary router to add capacity to your LAN.
  • It’s simpler to run 1 cable elsewhere, and share that one cable using a router, than to run 2 (or more) separate cables from the primary router.
  • Your Internet service includes a modem that can only connect to the primary router. The primary router may be a computer running ICS.
  • The primary router is a wired router, and the secondary router is wireless.

In this example, you’ve got a pair of routers, and 4 computers. Router 1 is connected to your Internet service. Computers A and B, and Router 2, are all connected to Router 1. Computers C and D are connected to Router 2.

You have Computers A and B on their subnet (LAN 1), in one broadcast domain, and Computers C and D on their subnet (LAN 2), in another broadcast domain.

That’s a perfectly reasonable setup, for Internet service, but it’s not-so-great for file sharing. Computers A and B can see, and access each other. Likewise, Computers C and D can see and access each other. But neither Computer A nor B can see nor access C or D, and vice versa. It would be simpler if you would just get rid of Router 2, connect all computers to Router 1, and everything would be fine.

OK, maybe 2 routers is just something you can’t avoid, but nobody said that they have to both work as routers. What you do is only use Router 2 as a switch (or a WAP, if it’s wireless) – you can still connect the computers to it, but Router 1 will be the only functioning router. It’s a simple solution.

In this exercise, the Router 1 LAN is 192.168.0.1, and the Router 2 LAN is 192.168.1.1.

  • Don’t connect the WAN on Router 2 to anything. Connect a LAN port on Router 1, and Computers C and D, as peers, to a LAN port on Router 2.
  • Change the LAN on Router 2 from 192.168.1.1, to 192.168.0.254 (or any other address not in use, and not part of any DHCP scope).
  • Disable the DHCP server on Router 2.
  • Are you using DHCP on your LAN? If so, make sure that the DHCP server, on router 1, has a scope defined large enough to service all of the computers.
  • Restart each computer, so it gets a new IP address. This may not always be necessary with Windows XP, but do it just in case.

And that’s all you have to do. Router 1 is the only router (remember, the router has to sit between your LAN and the Internet, so that has to be Router 1). Router 2 still provides connectivity for Computers C and D, but it’s working now as a switch (or WAP). And all 4 computers – A, B, C, D – are on the same subnet.

Problem solved.
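Before changing the address on Router 2, the plan can be checked against the rules in the list above. This is an added example, not part of the original article; the 255.255.255.0 netmask, the DHCP scope boundaries and the function name are assumptions, while the router addresses are the ones used in the exercise.

```python
import ipaddress


def check_second_router_plan(router1_lan, netmask, dhcp_first, dhcp_last,
                             router2_lan, dhcp_clients, static_addresses=()):
    """Return a list of (code, message) problems; an empty list means the
    proposed Router 2 LAN address fits the single-subnet setup."""
    net = ipaddress.ip_network(f"{router1_lan}/{netmask}", strict=False)
    r1 = ipaddress.ip_address(router1_lan)
    r2 = ipaddress.ip_address(router2_lan)
    first = ipaddress.ip_address(dhcp_first)
    last = ipaddress.ip_address(dhcp_last)
    statics = [ipaddress.ip_address(a) for a in static_addresses]
    problems = []

    # Router 2 must sit on Router 1's subnet to be manageable as a switch / WAP.
    if r2 not in net:
        problems.append(("SUBNET", f"{r2} is outside {net}"))
    elif r2 in (net.network_address, net.broadcast_address):
        problems.append(("RESERVED", f"{r2} is the network or broadcast address"))

    # "Any other address not in use ..."
    if r2 == r1 or r2 in statics:
        problems.append(("CONFLICT", f"{r2} is already in use"))

    # "... and not part of any DHCP scope."
    if first <= r2 <= last:
        problems.append(("IN_SCOPE", f"{r2} is inside the DHCP scope {first}-{last}"))

    # The one remaining DHCP server (Router 1) has to cover every client.
    if first > last or first not in net or last not in net:
        problems.append(("BAD_SCOPE", f"scope {first}-{last} does not fit {net}"))
    elif int(last) - int(first) + 1 < dhcp_clients:
        size = int(last) - int(first) + 1
        problems.append(("SCOPE_TOO_SMALL",
                         f"scope holds {size} addresses for {dhcp_clients} clients"))
    return problems


def codes(problems):
    return [code for code, _ in problems]


if __name__ == "__main__":
    # Router 2 as shipped (192.168.1.1), then as reconfigured (192.168.0.254).
    for candidate in ("192.168.1.1", "192.168.0.254"):
        result = check_second_router_plan(
            "192.168.0.1", "255.255.255.0",
            "192.168.0.100", "192.168.0.149",   # assumed DHCP scope on Router 1
            candidate, dhcp_clients=4)
        print(candidate, result or "OK")
```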

For another description of this solution, see DSLR Forums Using a Wireless Router as an Access Point (#11233)

The Mysterious “Error = 5” aka “Access Denied”

June 24, 2005

Next to an “error = 53” (“name not found”), I don’t know of too many diagnostic messages that can cause so much confusion or uncertainty in the heart of your desktop / network support tech.

An error = 5 message comes in a number of circumstances.

Unlike the “error = 53”, however, the “error = 5” message can come from predictable situations. If you see “access denied” in these scenarios, your system is working as it’s supposed to (or at least, as it’s configured).

  • Look at the complete error message. Some well known, yet obscure, problems can be easily diagnosed, and resolved.
  • If your server is using Guest authentication, you’ll get “access denied” for any activity that requires administrative access. This might be a registry retrieval in “browstat status”, or any attempt to access a protected folder or share, such as (but not limited to) “C$”, “C:\”, “C:\Program Files”, or “C:\Windows”.
  • If your firewall is setup to block file sharing, you’ll get “access denied”.
  • If you just haven’t configured file sharing to allow access to the account in question, you’ll get “access denied”.

The “error = 5” message can, alternatively, come from unpredictable situations.

Looking at the complete text of the message may provide a clue. There are variations on “…access denied”.

  • If the name of a resource can’t be translated to an address, for any reason, you’ll see “…name not found…”.
  • If the resource in question is setup to block you from accessing it, whether you agree with that or not, you’ll see “…insufficient authority…” or the like.

The Mysterious “Error = 53” aka “Name Not Found”

June 24, 2005

Next to an “error = 5” (“access denied”), I don’t know of too many diagnostic messages that can cause so much confusion or uncertainty in the heart of your desktop / network support tech.

An error = 53 message comes in a number of circumstances.

The literal meaning of “name not found” is “I can’t resolve the name of this host to an address”. There are a number of possible reasons for this.

One of the most obvious is lack of physical connectivity between you (this host), and the target. Maybe that host doesn’t even exist. How many times have you mistyped the name of a host that you’re pinging? I’ve done that a few times.

I’ve been working with Windows Networking, and browser issues, for several years. I’ve come to associate “error = 53” (“name resolution”) problems with several possible causes that don’t come from either CKI or hardware faults.

  • Corrupted LSP / Winsock.
  • Firewall problem.
  • Registry settings.
  • Invalid node type.
  • Network components and services not started, or missing.
  • Excessive protocols.

The first three are identified only from experimentation. A corrupted LSP / Winsock is only diagnosed after it’s been fixed. Many times, you try everything, and I mean everything, to fix a problem. Sometimes you spend days, then somebody says “Try LSP-Fix”. You run it, and that’s the solution. But there are 5 possible solutions for the corrupted LSP / Winsock – LSP-Fix is just one of the 5, and not all 5 work every time.

A firewall problem you only identify after you disable a personal firewall (assuming it disables successfully, which does happen about 1/2 the time). The other half, you go thru the bit with everything else, and even try LSP-Fix and its siblings, to no avail. Then someone discovers a misconfigured or overlooked firewall, and the light goes on in your head. You uninstall a personal firewall, and your problems are gone.

Registry settings, which are designed for security, can cause many problems, including interfering with name resolution. Here the oddly ubiquitous restrictanonymous setting has been observed to cause problems.

Run “ipconfig /all”. The value of Node Type will tell you if you have a problem. If the Node Type is “Peer-Peer”, and you’re on a small LAN (ie no DNS or WINS server), Peer-Peer won’t work; any other setting will, with varying success.

Also in the log from “ipconfig /all”, if you saw the line

NetBIOS over Tcpip. . . . . . . . : Disabled

you would hopefully know to correct that. But even if that line does not show, NetBT might not be enabled, and that will cause this symptom, “error = 53”. Please, explicitly Enable NetBT, except for specific network conditions.

An “Error = 53”, when referring to the master browser in a browstat log, can be caused by the Remote Registry Service not running on the master browser. Running a server with XP Home, as the master browser, is a bad idea – XP Home does not have the Remote Registry Service, as it does not provide for any administrative access thru the network.

Finally, if you spot IPX/SPX or NetBEUI protocols in a “browstat status” log, or IPV6 aka Advanced or Teredo Tunneling in an “ipconfig /all” log, you’ll need to uninstall that – at least to diagnose the problem. Having unnecessary protocols will hamper name resolution. Name resolution is generally by broadcast – the computer sends out a message to all computers, thru all transports bound to that computer, asking what address the target computer is using. The computer has to wait for each transport to timeout, when no response is received, before trying the next transport, on each query.
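The “ipconfig /all” checks described above (Node Type, the NetBIOS over Tcpip line, and tunnel adapters) can be applied to a saved log. This is an added example, not part of the original article; the log is constructed in the Windows XP layout, and the finding codes and function names are assumptions of this example.

```python
import re

# Constructed "ipconfig /all" log in the Windows XP layout (not from a real machine).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : PC-A
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.11

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
"""

# "   Label . . . . . : value" -> ("Label", "value")
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section heading: {label: value}}; headings are unindented lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip().rstrip(":"), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return sections


def findings(text):
    """Return (code, where) pairs for the conditions the article ties to error = 53."""
    sections = parse_ipconfig(text)
    out = []

    node = next((f["Node Type"] for f in sections.values() if "Node Type" in f), None)
    has_wins = any("WINS Server" in label and value
                   for f in sections.values() for label, value in f.items())
    # Peer-Peer resolves names only through a WINS server; with none, nothing resolves.
    if node == "Peer-Peer" and not has_wins:
        out.append(("NODE_TYPE_PEER", "Windows IP Configuration"))

    for name, fields in sections.items():
        lowered = name.lower()
        if lowered.startswith("tunnel adapter") or "teredo" in lowered:
            out.append(("EXTRA_PROTOCOL", name))      # IPv6 / Teredo tunneling bound
            continue
        if "adapter" not in lowered:
            continue
        netbt = fields.get("NetBIOS over Tcpip")
        if netbt == "Disabled":
            out.append(("NETBT_DISABLED", name))
        elif netbt is None:
            # No line in the log: NetBT may or may not be enabled; check the adapter.
            out.append(("NETBT_NOT_SHOWN", name))
    return out


if __name__ == "__main__":
    for code, where in findings(SAMPLE):
        print(f"{code:16} {where}")
```

`NETBT_NOT_SHOWN` is a prompt to look at the adapter settings, not a fault by itself, since the log cannot confirm the setting either way.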

Microsoft Unable to Reach a Host or NetBIOS Name discusses other possibilities.

Problems With A Network Adapter Driver

June 22, 2005

A corrupt network adapter driver can cause a wide array of problems. Sometimes, it’s just simpler to uninstall and reinstall the drivers for the network device.

  • Start Device Manager. From System Properties, on the Hardware tab, hit the Device Manager button.
  • Find the driver for the network adapter, right click on it, and choose Uninstall.
  • From the Device Manager menu, choose Action – Scan for hardware changes.
  • Restart system if suggested.

Unfortunately, you may not be able to do this until after you uninstall all protocols and transports bound to the network adapter.

  • From Local Area Connection (or whatever name you have assigned to the network adapter), right click and select Properties.
  • In the connection items list, select all protocols and transports, and hit Uninstall.
  • Restart the computer, and continue with the process above.

Depending upon the number of protocols and transports, and the network adapter, the uninstall may take several passes too. Be patient and persistent. And consider that you may have to deal with LSP / Winsock corruption, if that’s not why you’re doing this in the first place.

Server Functionality Affected By IRPStackSize

June 21, 2005

Occasionally, you may try to connect to a server, and get a mysterious error message

Not enough server storage is available to process this command.

Checking memory utilisation, you find no problem. Likewise, disk storage is no problem. Now what?

What you should be checking is the server; and neither the disk storage, nor memory utilisation, is the limited resource. You need to check the IRPStackSize. This problem is frequently, but not always, caused by Norton AntiVirus being installed on your server. Articles by Microsoft: Antivirus software may cause Event ID 2011, and by Symantec: How to change the IRPStackSize registry value explain the situation best, and provide a reasonably simple resolution.

NOTE: As stated in both articles, if the registry value IRPStackSize doesn’t exist, please follow instructions and add it, with an initial value of 18. And be persistent in trying new values. Some readers of this website have reported setting the value as high as 48, for success.

NOTE 2: Please note the case and spelling of IRPStackSize. And the value must have a data type of REG_DWORD. Case, spelling, and data type are all critical.

How To Get The Most Out Of PChuck’s Network

June 16, 2005

Welcome to PChuck’s Network! PChuck’s Network is a Blog, and it’s written in Hypertext. Note my general principles, that I state repeatedly in my various articles.

Please observe Legal Discretion when referencing articles posted here.

Please note my Privacy Statement, when you ask for advice in an open forum. There are several ways to contact me – in an online forum, by email, or thru my Guestbook. Most urgent help can be gotten by the first of the three.

Contacting Me
If your message contains a question about a network issue, I strongly suggest that you post a problem report in an open forum, where helpers like me can be found. There are two forums where I normally spend my time (“too much time”, some would say):

Using online forums for help requests is a good idea, for several reasons.

  • You’ll get better help with all the helpers able to see, together, the status of your problem, as it’s resolved.
  • Many helpers keep their email addresses secret, and won’t be interested in sharing them with strangers.
  • You encourage a spirit of community, which is what drives these forums in the first place.
  • You help provide an online record of problems and solutions, again strengthening the idea of using online forums for problem resolution.

If you’re uncomfortable asking for help in an open forum, I’ll ask that you read some of my articles, to start:

If you feel the need to message me, whether to tell me how great PChuck’s Network is (or to tell me what needs improvement, I can take it), or to ask for assistance (my resources and time permitting), Please Sign My Guestbook. If you provide an email address, only I will see it, and I will be able to write to you. And if you wish to leave additional, confidential details, you can make your entire message Private.

Until I start getting a lot more hits in my GuestBook, though, I’ll probably not check it as often as the open forums. Also, my GuestBook doesn’t integrate well with email, so I can’t guarantee a quick (or immediately helpful) reply. So start with one of the above forums, if you require immediate assistance. Send me a private message, in my GuestBook, if you need special help, and are prepared to wait a while.

A Blog
A Blog is a work in progress. What you see here today may be rewritten, with more detail, tomorrow.

That being the case, you should not plan to get all the information in one visit. Read what you have time for today, and plan to return here soon, and regularly. But when you return, how will you know what articles have been rewritten? I spend a lot of time rewriting existing articles, as well as writing new ones. Like this article.

As I write, and rewrite articles, I link the various articles to each other, and to other websites. I don’t spend any time identifying each new article, or each updated article, in a list that you can examine. Any list would be only as useful as it is customised to fit the needs of each reader, and since each person is unique, this would be an impossible task.

If you would like to create and maintain a list of your own, so you can keep up with changes here, you can get a Newsfeed Reader. This will let you keep up with this website, and any others that interest you, without you having to tediously surf to each website, to look for changes.

The Newsfeed Reader, in combination with the newsfeed attached to the website, will tell you, at your convenience, when an article on PChuck is changed, and let you view the article. There are two conventions for newsfeeds – Atom, and RSS.

Right now, PChuck has an Atom feed, so you will need a Newsfeed Reader that is Atom compatible. If you have Firefox (and I hope that you do), you may get Sage, a free lightweight RSS and ATOM feed aggregator, as a Firefox extension. You could also get a standalone Newsfeed Reader. There are a dozen or so listed at AtomEnabled.

Hypertext
A Hypertext document is a document with many pages, and the various pages linked to each other. It uses the same structure as the web, except that all of the pages are part of the same website, and have the same style.

When you read a book, and you see a reference to another page in the book, you have to interrupt what you’re reading, find the other page, read there, then find your way back. When you read Hypertext, you simply follow the links to the other pages, read what’s there, and hit the Back button in your browser. You have to be able to recognise the links, and follow them.

The links are there to simplify the reading process. If you’re just looking for an overview, you can simply read each page without following the links. If you want the complete picture, with details, you have to follow the links.

Have I lost you? Do you see the 2 phrases follow the links above, one in each paragraph? Click on one, and see what you get. Please. You’ll be helping both of us.

Legal Permissions
PChuck’s Network is subject to change at any moment. You, and your friends, will benefit the most by directly linking to the articles here. Permission is expressly granted for you to extract relevant contents of any article in PChuck’s Network, and post the extracted material elsewhere on the web, or include it in email, if, and ONLY if, you include a working link, to the article from which you are extracting, in your extract. This is for your own good. The web is dynamic, so please use it that way.

You may, if you wish, extract relevant portions of articles, for inclusion in any paper documents. I strongly suggest that you include a link to the original article, and date of copying, if at all possible. Again, this is for your own good.

Internet Connectivity Problems Caused By The MTU Setting

June 12, 2005

The messages sent and received between your computer, and the Internet web servers that you’re accessing, may go thru dozens of networks. The Internet is, by design, dynamic. The networks that you use, to access any server, may change within seconds.

Any one of those networks might have a restriction on the maximum message (packet) size that it will accept. Each computer has a setting, called the Maximum Transmission Unit (MTU), which controls how large it may make any packet. The larger your packets, the fewer packets required for sending or receiving a web page, but the greater the chance that some network will have a problem with your packet size.

Setting the MTU on your computer can be a double edged sword.

  • If you make the MTU too large, some networks will split (fragment) your packets. Some servers may have a problem with fragmented packets, causing the dreaded “Server not available…” error.
  • If you make the MTU too small, your computer will send and receive small packets. You’ll be able to access any server, thru any network, but a web page will require too many packets. The speed that your web pages download will make you think you’re not connected at all.

If you have a problem accessing some websites (or running some programs like email or IM), but not others, or if this problem seems to come and go, you may have an MTU setting problem. The best known examples of this problem are those with dial-up or PPPoE service, or those using ICS. An MTU issue can affect anybody, though, and different people (computers) will, almost certainly, be affected differently.

There are multiple factors that combine, to cause your problem.

  1. You are accessing a server that can’t handle fragmented packets.
  2. The route from your computer, to that server, somewhere passes thru a network that encapsulates your packets, and adds header bytes as part of the encapsulation.
  3. The overhead generated, by the encapsulation, causes your packets to be too large for some router between you and the server in question. Your packets then have to be fragmented.
  4. Your MTU is set to the maximum value, to make your packets efficient. You did not allow for enough possible packet overhead, necessitating packet fragmentation.

  • You can control Factor #1, by not accessing servers that are known to have this problem.
  • Factor #2 becomes an issue, most frequently, when your Internet service uses ICS, or uses DSL with PPPoE. Both ICS and PPPoE encapsulate your packets, and generate overhead with their headers. You can possibly control Factor #2, by your choice of Internet service.
  • The Internet being a packet switched service, anybody is subject to Factors #2 and #3, at any time. You cannot control Factor #2 (short of the latter note), or #3.
  • You can control Factor #4, by adjusting your MTU setting.
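How Factors #2 to #4 combine can be worked through on a small path model. This is an added example, not part of the original article; the hop names are made up, the 8-byte figure is the standard PPPoE plus PPP header size, and the probe stands in for a don't-fragment ping (`ping -f -l <size>` on Windows), whose payload excludes the 28 bytes of IP and ICMP headers.

```python
import math

IP_HEADER = 20     # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo header

# Constructed path: (hop name, link MTU, encapsulation bytes added on that hop).
PATH = [
    ("home LAN (Ethernet)", 1500, 0),
    ("DSL line (PPPoE)", 1500, 8),
    ("ISP backbone", 1500, 0),
]


def path_mtu(path):
    """Largest IP packet that crosses every hop once its encapsulation is added."""
    return min(link - overhead for _, link, overhead in path)


def fragments(packet_size, limit):
    """Number of IP fragments a packet becomes on a hop that accepts `limit` bytes."""
    if packet_size <= limit:
        return 1
    # Every fragment carries its own IP header; fragment data is a multiple of 8 bytes.
    per_fragment = (limit - IP_HEADER) // 8 * 8
    return math.ceil((packet_size - IP_HEADER) / per_fragment)


def fragmenting_hops(path, packet_size):
    """Hops on which a packet of this size has to be split (Factor #3)."""
    return [(name, fragments(packet_size, link - overhead))
            for name, link, overhead in path
            if packet_size > link - overhead]


def make_probe(path):
    """Simulated don't-fragment ping: True if the echo gets through unfragmented."""
    limit = path_mtu(path)
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= limit


def largest_unfragmented_payload(probe, low=0, high=1500 - IP_HEADER - ICMP_HEADER):
    """Binary search for the biggest payload the probe accepts; None if none does."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def recommended_mtu(probe):
    """MTU setting (Factor #4) that keeps packets whole along the probed path."""
    payload = largest_unfragmented_payload(probe)
    return None if payload is None else payload + IP_HEADER + ICMP_HEADER


if __name__ == "__main__":
    print("MTU 1500:", fragmenting_hops(PATH, 1500))
    print("largest ping payload:", largest_unfragmented_payload(make_probe(PATH)))
    print("MTU to set:", recommended_mtu(make_probe(PATH)))
```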

Here are several articles discussing the issue further, and offering ways to diagnose and correct it.

When you get ready to adjust the MTU setting, make it easy on yourself. Download DrTCP, from DSLReports, and use it to make the changes for you. Simply copy the downloaded file into any convenient folder, and run it from there.

You’ll be changing the “MaxMTU” or “MTU” value under Adapter Settings. If you have multiple network adapters, be sure to choose the one that provides the Internet service. For instructions about what values to change MTU to, see the articles linked above. Read all 5, and pick the one that you’re most comfortable with.

Note: An MTU problem can be confused with, or masked by, a DNS problem, or LSP / Winsock Corruption. If you’re here after trying the above procedures, unsuccessfully, consider each of the latter possibilities.

File Sharing Under Windows XP

June 11, 2005

Depending upon your specific needs, you can get Windows XP in any one of five editions. Of those five, the choice of the two best known ones – XP Home and XP Pro – will differently affect your ability to share files. Both the Home and Pro editions have their advantages and disadvantages.

Please spend a few minutes deciding how you wish to use your computer, and whether you wish others to use your computer. If your computer is running Windows XP, make sure that you know which edition of Windows XP it is.

Windows XP Home has few options, and is easier for the typical home user to setup. Windows XP Professional (in its various editions) is more versatile than XP Home. It can be used in different ways, depending upon what other computers are on the LAN, and how secure you want your shared data to be.

Simple File Sharing

If your computer runs XP Home, then it has Simple File Sharing already. SFS, which only uses Guest authentication, cannot be disabled under XP Home.

If your computer runs XP Pro, or XP Media Center Edition, it may have SFS. If you want to enable Simple File Sharing on a computer running XP Pro or MCE, from Windows Explorer:

  • Select Tools – Folder Options.
  • On the Views tab, scroll to the end of the long Advanced settings list.
  • Check “Use simple file sharing”.

To use Simple File Sharing on any XP server, Home or Pro, make sure that the Guest account is properly activated, and the password is consistently set (blank or non-blank), on both the client and the server.

Please note the limitations of Guest authentication, when working with Simple File Sharing.

Advanced aka Classic File Sharing

Advanced aka Classic File Sharing is available, as an alternative to Simple File Sharing, on XP Pro or MCE. To use AFS to its full advantage, you need to have formatted the drives, on the server, with NTFS. You then need to disable Simple File Sharing. From Windows Explorer:

  • Select Tools – Folder Options.
  • On the Views tab, scroll to the end of the long Advanced settings list.
  • Uncheck “Use simple file sharing”.

Next, identify a folder that you want to share on the network, but share selectively.

  • Setup and use an account (with matching password) on both the client and the server.
  • Make sure that the account is properly activated on the server.
  • In Windows Explorer, right click on the folder in question, and select Properties.
  • On the Sharing tab, select “Share this folder” and give the share a name.
  • Hit Permissions, and make sure Everyone has full rights.
  • On the Security tab, find and select your account in the “Group or user names” list. If your account isn’t in the list, Add it.
  • In the Permissions list, make sure your account has the appropriate permissions. And make sure that no other accounts have inappropriate permissions.

Note that, if you want some openly available shares also, this can be done quite easily.

  • On the Sharing tab, select “Share this folder” and give the public share a name.
  • Hit Permissions, and make sure Everyone has full rights.
  • On the Security tab, find and select the group “All Users”, “Everyone”, or “Users”, in the “Group or user names” list.
  • In the Permissions list, make sure the group selected has the appropriate permissions.
  • Setup Guest, (with matching or no password) on both the client and the server.
  • Make sure that Guest is properly activated on the server.

Please note the limitations of Guest authentication, when setting up any share for non-selective access. And if you have a LAN with both XP Home and XP Pro systems, be careful when enabling Advanced File Sharing on an XP Pro system. Unbalanced authentication can have complex results.

Get The Terminology Right Here

When you look at the Welcome screen, and you have multiple users setup on your computer, you’ll see a list (or group) of users, identified by User Name. When you change a password, or the picture associated with that user, you’ll use the User Accounts wizard in Control Panel. Here too, you’ll see a list of users, identified by User Name.

If you rename a user, or if you use any advanced procedures or wizards, there is another very relevant term – account. When you setup a user, using the User Accounts wizard in Control Panel, Account = User Name. For each account / user, a set of subfolders, under “C:\Documents and Settings” is created. This is the user profile.

  • You can change a User Name at any time, but the account, and the user profile, stays the same.
  • You can make much more versatile changes using the Control Panel – Administrative Tools – Computer Management – Local Users and Groups – Users wizard. Here you can change the account name, and profile path.
  • If you disable the Welcome screen, you login using the account name and password.

So, if you ever rename a User, and see elements of the previous name, you now know why.

Activate An Account Properly For Network Access

Whether you’re depending upon the Guest account, or a non-Guest account, for authentication, the account that you use has to be properly activated. You use the “net user” command, or the Control Panel – User Accounts applet, to activate (or deactivate) an account for local use.

There are two possible ways to activate (or deactivate) an account for network access:

  • Run the “net user” command. Enter, in a command window:

    net user AccountName /active:yes

    • (Substitute actual account name for “AccountName”).
    • (Substitute “no” to deactivate).

    NOTE: There are 4 “words” (sequences of non-blank characters) in the command. If you have any doubt about where a space is needed, copy and paste as above (substituting the account name, and “no” or “yes”, as appropriate).

  • Alternatively, for XP Pro only, run (Control Panel – Administrative Tools – ) Computer Management. Under System Tools – Local Users and Groups – Users, find the account (Guest or non-Guest) in question. Doubleclick (or rightclick, and select Properties), and clear (or check) “Account is disabled”.

Finally, for XP Home, or for XP Pro using Simple File Sharing, make sure that Guest, in addition to being activated, has the appropriate rights.

Synchronise Passwords On Accounts

Always synchronise passwords (for the Guest or non-Guest account) on all computers – make them identical (or blank) on each. For best results, make your password policy consistent throughout your network.

To set the password, you need to run the UserPassword applet.

  • Enter, in a command window, “control userpasswords2” (less the “”).
  • Select the account of interest in the User Accounts list.
  • Hit the Reset Password button.
  • Type either a blank, or non blank password, identically, into both “New password” and “Confirm new password” fields.
  • Hit OK twice.

Synchronising passwords can be tricky in a mixed LAN (XP Home and Pro together). With XP Home, the default is to have no password on the Guest account (it is, after all, anonymous). With XP Pro, you have to Disable the Local Security Policy setting, under Security Options, “Accounts: Limit local account use of blank passwords to console logon only”, if your server is going to allow network access by accounts with blank passwords.

Making File Sharing Work

Once you get past the issues involved in accessing the server, such as browsing and name resolution, there are the issues of accessing the data itself – authentication (“Who are you?”), and authorisation (“Do we want you to have access here?”).

What authentication method are you using?

The message

Logon failure: the user has not been granted the requested logon type at this computer.

is easy to resolve under XP Pro, but may require extra effort under XP Home.

With XP Pro, there is a pair of Local Security Policy lists, under User Rights Assignment.

  1. “Deny access to this computer from the network”.
  2. “Access this computer from the network”.
  • If your server uses Guest authentication:
    • “Guest” must NOT be in list #1.
    • “Everyone” must be in list #2.
  • If your server uses non-Guest authentication:
    • Your properly set up, and activated, non-Guest account must NOT be in list #1.
    • Your non-Guest account, or a group of which it is a member (generally “Everyone”) must be in list #2.
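
The two list rules above can be checked against a text export of the User Rights Assignment lists, as produced by "secedit /export /cfg rights.inf /areas USER_RIGHTS" on XP Pro. The Python sketch below is an added example, not part of the original article; the sample export, the account name "Alice", and the function names are constructed for illustration.

```python
# Constructed sample of a secedit USER_RIGHTS export (not taken from a real machine).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = SUPPORT_388945a0,Guest
[Version]
signature="$CHICAGO$"
"""

DENY = "SeDenyNetworkLogonRight"   # list #1: "Deny access to this computer from the network"
ALLOW = "SeNetworkLogonRight"      # list #2: "Access this computer from the network"

def parse_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def matches(principal, name):
    """Compare an exported entry (account name or SID) with an account or group name."""
    p, n = principal.lower(), name.lower()
    if n == "everyone":
        return p in ("everyone", "s-1-1-0")      # well-known SID for Everyone
    if n == "guest" and p.startswith("s-1-5-21-"):
        return p.endswith("-501")                 # built-in Guest always has RID 501
    return p == n

def network_logon_problems(inf_text, account="Guest", groups=("Everyone",)):
    """Apply the two list rules; an empty result means both lists look right."""
    rights = parse_rights(inf_text)
    problems = []
    if any(matches(p, account) for p in rights.get(DENY, [])):
        problems.append(f"{account} is in list #1 (deny network access)")
    # Guest authentication needs Everyone in list #2; non-Guest accepts the account or its groups.
    accepted = groups if account.lower() == "guest" else (account, *groups)
    if not any(matches(p, who) for p in rights.get(ALLOW, []) for who in accepted):
        problems.append(f"none of {', '.join(accepted)} is in list #2 (allow network access)")
    return problems

if __name__ == "__main__":
    for who in ("Guest", "Alice"):
        print(who, network_logon_problems(SAMPLE_INF, who) or "OK")
```

secedit normally writes the export as Unicode, so read a real file with open(path, encoding="utf-16"). A non-Guest account that the export lists by SID rather than by name will not be matched by this sketch.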

Authentication varies depending on whether this is a domain or a workgroup.

  • In a domain, you need an activated account on the domain controller.
  • In a workgroup, you need identical, activated accounts, with identical passwords, on both the client and the server.

Authorisation is described in Server Access Authorisation.

If the files and folders in question have been properly set up and shared as above, and you’re getting only partial access (maybe Read, although you intend to grant Write access), check both the Share and NTFS Authorisation lists.

Remember that if you grant access, to the share in question, to “Everyone”, that refers to Everyone who is properly authenticated. Either a properly set up Guest account (on the server), or non-Guest account (for a workgroup, on both the client and server, with matching passwords), is still required.

With XP Home, you don’t have the Local Security Policy Editor. And Simple File Sharing doesn’t give you the ability to set access rights either. In that case, you’ll have to use extra software and procedures.

If you’re using Guest authentication, and still getting “access denied” after all of the above steps, check the restrictanonymous setting.

Even with all of the above advice, there are known scenarios, with varying symptoms, with but one common factor – recent (or not) application of certain Windows Updates.

Next, look at the complete and exact text in any observed error messages. Some very obscure errors have very simple resolutions.

And finally, repeat Troubleshooting Network Neighborhood.

Windows XP In A Domain

Both Windows XP Home and XP Pro can be used in a domain, but in different ways.

A Windows XP Home computer can only join a workgroup; it cannot join a domain. Windows XP Media Center has the same internal components as XP Pro; however, XP MCE 2005 will not join a domain either.

If an XP Home or MCE 2005 client computer is on the same network with a domain, the computers in the domain should be visible, in Network Neighborhood, under Entire Network – Microsoft Windows Network – (name of domain). The XP Home / MCE 2005 computer(s) will not, however, be visible from other clients, or from the servers, in the domain, unless there is a browser server available for the workgroup of which the computer is a member (or if that computer is running the browser on its own).

If an XP Home or MCE 2005 client computer is on the network with a domain, the computer can be made a Member of a workgroup with the workgroup name equal to the domain name. This will allow the servers in the domain to be visible, in Network Neighborhood, and will make the client visible from other clients, or from the servers, in the domain.

Users on an XP Home or MCE 2005 client will have to authenticate to any domain servers as they would in a workgroup – using accounts defined locally on each client and server.

A Windows XP Professional computer can join a domain, just as any other Windows NT based computer, and can access domain resources in the same way. However, several XP features will be unavailable:

  • Fast User Switching.
  • Simple File Sharing.
  • Logon Welcome Screen.

Depending upon how your domain is set up, an XP computer may have problems logging in to the domain, and may require changes in the domain itself.

Guest Authentication

Guest authentication is an option under Windows XP Pro with Advanced File Sharing. For XP Pro with Simple File Sharing, and for XP Home, Guest is the only available authentication.

With Guest authentication, you normally have two choices for any otherwise shareable folder: whether to allow access to it, and whether to allow read-only or read-write access. All shared folders and files are equally accessible by everybody with access to the network.

If your server only uses Guest authentication, any shared data is offered, on the network, based upon the status of the Guest account on the server. Other accounts on the server, and on any clients, will not be relevant. Make sure that the Guest account is properly activated for network access.

The Guest account, by definition, is a limited access account, and is similar to anonymous access under Windows. If your server only uses Guest authentication, your computer can’t be accessed with administrative authority, thru the network.

Shares which require administrative access, such as C$, “C:\Program Files”, and “C:\Windows”, can’t be accessed thru the network, if shared using Guest authentication. No matter what authority you are logged in with, to a client computer, when you access any server using the Guest account, those shares, and any folders and files within those shares, will be inaccessible. Any files that you want to be accessible thru the network should be kept in the Shared Documents folder, and they will be accessible to everybody.

Remember that the various folders in “C:\Documents and Settings” contain the personal data for each user of the computer. Those folders, by design, can only be accessed by the owner of the data, or by an administrator. Guest is neither of those, and shouldn’t be expected to have access. The public portions of “C:\Documents and Settings”, if at all accessible to Guest, will be read only.

If a computer using Guest authentication is providing browser services for other computers, those other computers, when running browstat, and having no other errors, will show an “error = 5” (access denied) when trying to access the registry on the browser.

Master browser name is: PChuck1
could not open key in registry, error=5 unable to determine build of browser master:5

Other network related tasks, like remote registry access, and remote shutdown, won’t work either. Those tasks require administrative access.

The Guest account may not provide network access if the restrictanonymous setting has the wrong value. The Guest account may not provide network access to specific shares, if the RestrictNullSessAccess setting has the wrong value.

For more information about the Guest account, see Description of the Guest account in Windows XP.

If you feel up to it, you can give additional authority to Guest. How to add authority will depend upon your edition and file sharing.

Non-Guest Authentication

Non-Guest authentication is much more granular than Guest authentication, on a server using NTFS. It is possible only on a server running XP Pro, with Advanced File Sharing. If your server has either XP Pro with Simple File Sharing, or XP Home, you’ll be using Guest authentication.

You authenticate under Advanced File Sharing in 3 possible steps.

  1. If
    • The client is running Windows XP Pro (or Windows 2000).
    • The account that you’re using for desktop access, on the client, is already set up and activated for network access, on the server.
    • Both accounts have an identical, non-blank password.

    your computer will supply the token, and you will be given server access automatically.

  2. If automatic non-Guest authentication is not possible, the server is checked for the Guest account having been activated for network access.
  3. If neither automatic non-Guest, nor Guest, access is possible, you will have to supply the token manually. You will have to login to the server, interactively, using an activated non-Guest account, with correct password.

Once you’re authenticated with a non-Guest account, on a server running Advanced File Sharing, you need to be authorised. Authorisation, under Advanced File Sharing, is much more granular than Guest authorisation under Simple File Sharing.

Windows XP And Other Operating Systems

Windows XP was designed to allow the merger of the two older operating system families – Windows 9x (Windows 95 / 98 / ME – predominantly home systems), and Windows NT (NT / 2000 / 2003 – predominantly business systems). By carefully choosing Advanced vs Simple File Sharing on your computer, it can better operate on the LAN with your older systems.

Simple File Sharing, which is selectable under XP Pro but not under XP Home, uses Guest authentication only. It makes it easier to setup sharing with Windows 9x systems, by simply creating openly available shares.

Advanced aka Classic File Sharing is directly compatible with file sharing under Windows NT / 2000 / Server 2003. It can use Guest, or it can use non-Guest, authentication.

Windows XP will share files with an XBox 360, given a small amount of work.

For additional details describing file sharing issues relevant to Windows XP and to other operating systems, see:

Authentication Protocols

As described above, any connection created between a client and a server involves some form of authentication. The person using a client computer must prove who he / she is, so the server can decide whether to allow access. The simplest form of authentication is a simple account / password exchange. The user inputs the account (public secret) and password (private secret), these are passed to the server, which matches the two against its database.

Original versions of Windows, before NT V4.0, used LAN Manager, which used this procedure. With Windows NT V4.0, NT LAN Manager protocol, slightly more secure than a simple account / password exchange, was used.

For NT V4.1 and later, Microsoft Kerberos, which is considerably more complicated and secure than NTLM, is used. Kerberos, which involves multiple exchanges of identity and shared secrets between a client and the domain controller, and then between the client and the target server, is specifically designed for insecure networks, where snooping of a simple account password exchange would be unacceptable.

For an allegorical description of how Kerberos is designed, providing some background to enable you to tackle the Microsoft links referenced above, see Designing an Authentication System.

Local Access Issues

If you follow recommended procedures, and set up your accounts to allow file sharing, you will have identical, non-blank passwords on the accounts. As I said above, by default, Windows XP Pro requires non-blank passwords for accounts used for network access.

Maybe you’re accustomed to not logging in at all when you turn your computer on – just start it, it comes up with the desktop, and you get to work. Or maybe you’d like to do this, but don’t know how. Well, Ramesh, another MVP, has written up the procedure for making your computer log in automatically, in his article Configure Windows XP to Automatically Login.

Background Information Useful In Problem Diagnosis

June 6, 2005

When you need help with your computer, and its behaviour on the network, please remember that the ones who need to help you aren’t in front of it with you. Background information and observations, that you might make or ignore, can be useful in determining the cause of your problems.

Please start by providing details about your network, and about the problem for which you need help.

  • When providing background information, please format it properly. Please don’t munge or hide the details, such as computer names. Don’t interfere with our ability to help you.
  • Describe, as precisely as possible, what you are doing, and what you are seeing.
  • Provide the complete and exact text, in any observed error messages. Look for details in Event Viewer, if possible.
  • Describe the computers on your network. Identify the operating systems on each computer – Name, Edition (if Windows XP, is it Home or Pro?) (And if XP Pro, is it using Guest or non-Guest authentication?), and Service Pack level.
  • How does each computer, and each other network device connect? Do you have all computers connected, as peers, to a router? Or do you have a host (running ICS) and one or more clients? Make and model of network software and hardware – personal firewalls, routers, hubs, network cards – is useful too.
  • Describe the scope of your problem. If you have more than one computer, does the problem show up on each computer simultaneously? Does it show up on each computer, but at different times? Is there a time of day or day of week pattern?
  • Describe when you first observed the problem. What network, or system changes, did you make just previous to the observation? How long had you had your previous network, and system, configuration, before that change?
  • Describe the workaround that you’re using, when you experience the problem.

Solving system problems is a lot like solving crimes – the smallest detail may lead to the guilty party.

Remember, I can’t watch you when you’re fixing your system, so don’t make me beg for details. Help Us To Help You. For more thoughts on this subject, see How To Post On Usenet.