Resolving problems caused by Windows XP Service Pack 2

This page is primarily aimed at Windows system administrators and support staff, but if you are having problems with a Windows XP system after installing Service Pack 2, you should look here for possible solutions.

This page will be updated as new issues and solutions are found.

• Problems running applications after installing SP2
• Errors occur when using remote administration tools
• Errors occur when using DCOM Applications
• Microsoft CRM software failures
• Windows Firewall issues
• Windows Messenger file transfer issues
• Popup blocker and Webmail
• Data Execution Prevention
• Outlook Express issues
• Issues related to browser security
• Firewire speeds drop to 100 Mbit after installing SP2
• Norton Antivirus issues
  
  
• Related links

Several of the changes introduced in SP2 may affect the way certain applications work. If you find that an application is not working properly after installing SP2, you may be able to make adjustments that allow it to run normally again. For details and troubleshooting steps, see the following Microsoft support articles:

• 884130 - Programs that may behave differently in Windows XP Service Pack 2
• 842242 - Some programs seem to stop working after you install Windows XP Service Pack 2
• You receive a "Data Execution Prevention" error message in Windows XP Service Pack 2
• Troubleshooting Windows Firewall settings in Windows XP Service Pack 2

Error messages

• Unable to access the computer Computer_Name. The error was Access is denied.
• Unable to access the computer Computer_Name. The error was The network path was not found.
• Failed to open Group Policy object on Computer_Name. You might not have appropriate rights.
• Details: The network path was not found.
• An object (Computer) with the following name cannot be found: "Computer_Name." Check the selected object types and location for accuracy and ensure that you have typed the object name correctly, or remove this object from the selection.
• Computer Computer_Name cannot be managed. The network path was not found. To manage a different computer, on the Action menu, click Connect to another computer.
• System error 53 has occurred. The network path was not found.

If you see any of these messages when trying to use Management Console snapins to manage a remote computer, it may indicate that the remote computer is running Windows XP and that it has had Service Pack 2 installed. If you need this functionality, you will need to open TCP port 445 in the Windows firewall on the remote computer.

If you have developed or use a Windows application that uses DCOM (Distributed Component Object Model) components, installing Windows XP SP2 on the computer that serves the application may cause the application to stop working.

If you implement a COM server and expect to support remote activation by a non-administrative COM client or remote unauthenticated calls, then you should consider whether that's the best configuration. If so, you will need to change the default configuration for this feature.

If you implement a COM server and you override the default security settings, confirm that the application-specific launch permissions ACL grants activation permission to appropriate users. If it does not, you will need to change your application-specific launch permission ACL to give appropriate users activation rights so applications and Windows components that use DCOM do not fail. These application-specific launch permissions are stored in the registry. For more information about launch permissions, see "LaunchPermission" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=20924.

At particular risk with SP2 are older applications written to call "unregistered" or "anonymous" COM objects, VARs said. In the name of higher security, XP SP2 will demand to know a lot more about the distributed applications it calls.

There will be problems with any Visual Basic application written before Visual Basic 5 and any DCOM application written prior to 2001. Of particular concern are cases where Visual Basic Applications Edition has been used to extend Excel, Word or Access.

Microsoft says that the bulk of consumer applications will run as before, but corporate applications that have been customized may offer a changed user experience. Those who are used to an application behaving in a certain way may now see new dialogue boxes warning them that what they want to do may be dangerous should they want to continue.

Windows Firewall (previously called Internet Connection Firewall or ICF) is a software-based, stateful filtering firewall for Microsoft Windows XP and Microsoft Windows Server™ 2003. Windows Firewall provides protection for PCs that are connected to a network by preventing unsolicited inbound connections. [Note: stateful packet filtering is the process of forwarding or rejecting traffic based on the contents of a state table maintained by a firewall. When stateful filtering is used, packets are only forwarded if they belong to a connection that has already been established and that is being tracked in a state table.]

After installing Windows XP Service Pack 2, Windows Firewall is enabled by default. This might create application incompatibility if the application does not work with stateful filtering by default. It may also conflict with other active software and hardware firewalls.

If the Windows Firewall service fails to start, boot-time security remains in effect. This means that all incoming connections are blocked. In this case, an administrator will not be able to remotely troubleshoot the issue because all the ports will be closed, including the port used by Remote Desktop.

By default, the Windows SP2 firewall may limit Windows file sharing to computers on the local subnet. This restriction can be removed manually through the use of Windows Firewall administration tools, such as the Netsh Helper or the Firewall Control Panel. For instance, the four ports associated with Windows file sharing can be opened up to allow access from any computer on the UVic network by configuring the exception list, using a custom scope such as 142.104.0.0/255.255.0.0. Exceptions can also be made for specific applications.

By default, RPC will not function through Windows Firewall. All services and applications that use RPC are affected, including file and print sharing, remote administration and Remote Windows Management Instrumentation (WMI) configuration. However, Windows Firewall can be configured to allow RPC to work for services.

Complete configuration details for the new Windows Firewall can be found on the Microsoft TechNet web site.

New restrictions have been placed on Windows Messenger. These restrictions may have the effect of blocking some file transfers. Files are blocked when they are sent from someone not in your contacts list and they contain potentially dangerous content. To resolve this problem, add the sender to your contacts list.

With SP2, Internet Explorer now includes a popup blocker. The blocker is enabled by default. Once SP2 is installed, anyone using Webmail may find that it no longer functions correctly. The solution is to create an exception for the affected webmail site (e.g. webmail.uvic.ca for UVic's webmail server). Alternatively, the popup blocker could be disabled.

When a popup is blocked, a message appears in the new Information Bar. Users can click on the Information Bar and take various actions, including viewing the blocked popup, changing blocker settings and adding the site in question to an allow list.

Data execution prevention (DEP) marks all memory locations in a process as non-executable unless the location explicitly contains executable code. The primary benefit of data execution prevention is that it prevents code execution from data pages such as the default heap, various stacks and memory pools.

Some application behaviors are expected to be incompatible with data execution prevention. Applications which perform dynamic code generation (such as Just-In-Time code generation) and that do not explicitly mark generated code with Execute permission might have compatibility issues with data execution prevention.

Some drivers may also be affected by DEP. Issues related to Physical Address Extension (PAE), code generation or other techniques to generate executable code in real time, direct modification of system page table entries (PTEs), direct memory access (DMA) transfers and map register allocation are of particular concern.

The preferred method for resolving DEP problems is to obtain updates for affected applications and drivers. Alternatively, the System Control Panel may be used to exclude individual applications from DEP checks (Control Panel->System->Advanced->Performance Options->Data Execution Prevention). As a last resort, DEP can be disabled system-wide using the /EXECUTE flag in BOOT.INI.

With SP2, Outlook Express now has a setting that forces all incoming email to be read as plain text, regardless of how they were originally created and sent. If you use Outlook Express for email, we recommend that you enable this setting to reduce the possibility that your computer will be compromised via email. Unfortunately, using this setting prevents searching for text within an email message. This setting is not enabled by default.

Another new setting in Outlook Express prevents displaying images from elsewhere on the web. This setting is enabled by default. If you notice that images in email messages are no longer displaying, this setting may be the reason. You can disable the setting, but this is not recommended. Individual images and other blocked content can be viewed by clicking on the External Message Information Bar that appears when external content is blocked.

See the next section for more Outlook Express issues.

In Windows XP Service Pack 2, the prompts that are used for file downloads, mail attachments and program installation have been modified to be both more consistent and clearer than they were previously. In addition, Windows XP displays the publisher of an executable file to the user when executable files are selected in either Internet Explorer or Outlook Express. This allows the user to determine whether the executable file should be allowed to run.

Once SP2 is installed, an attempt to download an executable file with Internet Explorer may be blocked if the publisher is on the blocked publisher list. The Manage Add-ons dialog in Internet Explorer (Tools -> Manage Add-ons) may be used to unblock blocked publishers.

Similarly, Outlook Express present publisher information for email attachments and will block attachments from publishers on the blocked list. The Manage Add-ons dialog in Internet Explorer may be used to unblock blocked publishers.

Internet Explorer will also present publisher information for add-ons before they are allowed to be installed. Add-ons modify the behaviour of Internet Explorer and are essentially executable files. Again, add-ons from blocked publishers will not be allowed to install or run, but the Manage Add-ons dialog in Internet Explorer may be used to unblock blocked publishers and to enable or disable add-ons.

Many of the security prompts previously displayed by Internet Explore have been replaced with a less obtrusive but still obvious Information Bar. Since alerts that appear on the Information Bar do not prevent further navigation, users may miss the opportunity to download and install a required add-on if the site developer assumed Internet Explorer will display a security dialog. Web site developers will need to change the behaviour of their web sites to get around this. In the meantime, the solution is to obtain the required add-on and install it manually. The Information Bar can also be disabled.

Internet Explorer add-ons are now monitored and when a crash is detected, an attempt is made to isolate the crash to an add-on. If the crash seems to have been caused by an add-on, that add-on is disabled and Internet Explorer is allowed to continue running normally. If you observe unusual behaviour associated with add-ons, this may be the cause.

Downloads, ActiveX and other active content that is initiated by a web site without user interaction now appears in the Information Bar. Clicking the bar allows a user to allow the specific content and adjust settings.

According to some reports, installing SP2 reduces the speed of firewire connections from 800 Mbit to 100 Mbit. If you encounter this problem, try installing the Firewire drivers again after installing SP2. Reports indicate that this should fix the problem.

Symantec/Norton Antivirus products may not be detected properly by the new Windows XP Security Center. Even if Norton Antivirus is installed, updated and running correctly, the Security Center may warn that no antivirus solution was detected. This is not a serious problem but Symantec is developing a patch to correct it. Symantec has an SP2 FAQ on their support site for their regular products and another for their corporate products.

Related links

General SP2 information

Security topics

SP2 troubleshooting

Security Center and Security Alerts

Windows Firewall

Pop-up blocker