Windows 7 Cannot Access XP from Windows 7/8 after updating windows update MS17-010

yusufks

New Member
Hello guys...!

We use various OS such as Windows XP, Windows 7, Windows 8 in our office. In the beginning there's no networking problem, Windows XP can access to higher Windows, and Windows 7/8 can access Windows XP. Everything's fine until installing windows update MS17-010 on last Monday for more secure againts Ransomware outbreak.

Windows Update we installed :
1. Windows XP : kb4012598
2. Windows 7 : kb4012212 and kb4012215
3. Windows 8 : kb4012213 and kb4012216

After installing the Windows update, these problems occur :
1. Windows XP cannot access Windows 7/8 through \\computername or \\ipnumber\foldername, cannot access file sharing and printer sharing
Error message: "Windows cannot find [\\computername\] ....."



2. Windows 7/8 cannot access Windows XP through \\computername or \\ipnumber\foldername, cannot access file sharing and printer sharing
a. Error message (when access updated XP) : diagnose : "The remote device or resource won't accept the connection"

b. Error message (when access non-updated XP) : just usual "Windows cannot access [\\computername\]", no diagnose message.



This is what I've got and done :
1. Ping computername or ipnumber from command prompt is no problem. Windows XP can ping Windows 7/8, vice versa.

2. Windows 7/8 that have not been installed windows update still can access any Windows XP

3. Any Windows XP still can access Windows 7/8 that have not been installed windows update.

4. Any Windows 7 can access any Windows 8, and vice versa.

5. Any same Windows can access each other (Windows XP to Windows XP, Windows 7 to Windows 7)

6. Windows 7: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
I changed SMB1 value from 0 to1, but the value back to zero after restarting.

7. Windows 7 : Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level
I changed value to "Send LM & NTLM responses", but still nothing changed.

8. Windows Firewall setting and workgroup name are nothing changed just like before installing update.

I need many hands to solve this problem, thank you :)


Yusuf.
 
Last edited:
A wireshark capture on a XP system and a Win 7 system would be helpful in solving this. MS17-010 shouldn't disable SMBv1, do you have system administrators and are they enforcing group policy to disable SMBv1, if they are then that would be why the setting keeps reverting and also why they can't access each other.
 
Yes, we need to know whether you are doing file/printer sharing through Windows folder or drive sharing, or do you have a Microsoft server running your network with a Domain Login; such as Microsoft Server 2008/2012/2016 etc. If you are connecting all these XP/W7/W8 machines together and they first login to a Domain on a server, then those same updates need to be applied to the server PC. And the next question would be are all these XP/W7/W8 machines on the same subnet? If you don't know what that means, then you need to talk to the person that setup your network originally (if not you) or who currently administrates it (also if not you).

Most likely, since you didn't mention Domain networking connecting your PCs together, someone took a shortcut and built a peer-to-peer AdHoc network. This is a lot of work to maintain! :headache: Especially if you don't have Home Networking enabled and turned on for each and every machine connecting to one another. If you don't have your network setup in this fashion, I would urge you to consider making one of your W7/W8 machines a Master and turn on Homegroup networking. Enter the Master code on each of the other subordinate or secondary PCs including the XP machines. This should fix your problem! :up:

Of course, if you are running a Domain with either a single or multiple subnets to connect all your computers into a true LAN, as Neem pointed out, then all bets are off since your servers must be updated with the same W10 security updates as your Client machines. And there are Roaming Profile issues for login scripts that have to be dealt with as well. If you didn't build this little network yourself, again, you need to find the person who did unless he passed or is out of the country etc. and you are stuck with maintaining this network. Another piece of information that would be helpful is to know your PC count on this network; are we talking 5, 10, 25, 100, 500, 1000 PCs??

Best of luck,:encouragement:
<<<BIGBEARJEDI>>>
 
Yes, we need to know whether you are doing file/printer sharing through Windows folder or drive sharing, or do you have a Microsoft server running your network with a Domain Login; such as Microsoft Server 2008/2012/2016 etc. If you are connecting all these XP/W7/W8 machines together and they first login to a Domain on a server, then those same updates need to be applied to the server PC. And the next question would be are all these XP/W7/W8 machines on the same subnet? If you don't know what that means, then you need to talk to the person that setup your network originally (if not you) or who currently administrates it (also if not you).

Most likely, since you didn't mention Domain networking connecting your PCs together, someone took a shortcut and built a peer-to-peer AdHoc network. This is a lot of work to maintain! :headache: Especially if you don't have Home Networking enabled and turned on for each and every machine connecting to one another. If you don't have your network setup in this fashion, I would urge you to consider making one of your W7/W8 machines a Master and turn on Homegroup networking. Enter the Master code on each of the other subordinate or secondary PCs including the XP machines. This should fix your problem! :up:

Of course, if you are running a Domain with either a single or multiple subnets to connect all your computers into a true LAN, as Neem pointed out, then all bets are off since your servers must be updated with the same W10 security updates as your Client machines. And there are Roaming Profile issues for login scripts that have to be dealt with as well. If you didn't build this little network yourself, again, you need to find the person who did unless he passed or is out of the country etc. and you are stuck with maintaining this network. Another piece of information that would be helpful is to know your PC count on this network; are we talking 5, 10, 25, 100, 500, 1000 PCs??

Best of luck,:encouragement:
<<<BIGBEARJEDI>>>
Wow...what a nice and detail response, Bigbearjedi, thank you.

Let me tell you more about piece of information that would be helpful. All XP/W7/W8 machines on the same class C subnet and same workgroup. The machines are on small office, it's about 25 PCs. And we're doing file/printer sharing through Windows folder/drive sharing.

In my opinion the problem is not related to network configuration, but it is related to Windows registry that change some network settings after updating Windows Update.
 
A wireshark capture on a XP system and a Win 7 system would be helpful in solving this. MS17-010 shouldn't disable SMBv1, do you have system administrators and are they enforcing group policy to disable SMBv1, if they are then that would be why the setting keeps reverting and also why they can't access each other.
Thanks Neemobeer for your response. In my opinion I'm sure MS17-010 disable SMBv1, Windows registry or other setting must be changed after updating MS17-010. Because I have some laptops (Windows 7/8) that have not been installed MS17-010, they can access file/printer sharing on Windows XP without any problems.

I also tried change registry on Windows 7/8:
a. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10, Registry entry: Start, changed from 4 to 2 or 3; and
b. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, Registry entry: DependOnService, changed from “Bowser”,”MRxSmb20″,”NSI” to "SamSS", "Srv"
but the problem still exists...updated Windows 7/8 cannot access file/printer sharing on Windows XP.

Maybe Microsoft won't use SMB1 protocol anymore after updating MS17-010. If there is no way to turn on back SMB1 protocol on Windows 7 or higher...the only solution left is upgrading Windows XP to Windows 7 or higher....
 
You're welcome, and thanks for your information. Now we know for sure you are not using a Domain-based server network, and it is ad-hoc created. Sounds like you may have dismissed my idea about enabling Homegroups; you may not be aware of the fact that hundreds of settings in the Registry have been pre-optimized in the W7/W8 and XP OSes and tie in to lots of .dll files and other system networking files. Trying to tweak the legacy LANMAN settings you are trying to adjust is not going to work; believe me; I helped develop LANMAN (early M$ networking protocol) and was an early beta tester of that technology. That is all NETBIOS based stuff which is decades old; and the only clean way to transition it in a multi-OS windows network is to use Homegroups. That's up to you and it's your network. Upgrading several or most of your old XP machines may help for now; but continuing to run those XP machines without OS support from Microsoft is foolish as there have been no security updates from them since they End-of-Lifed XP supports back in April 2014.:noway: Those XP machines will continue to be more and more of a virus target, and if your employees or the employees of the company you work for attempt to do any type of financial transactions online or make credit card purchases through the Internet on those PCs; they are ripe for getting their bank accounts emptied and Identity theft attacked.:pirate:

Whether or not you are in Management at this company that is employing you to maintain these 25 PCs or you are an Outsourced-IT tech; you have responsibility to tell Upper Management that this is an extremely risky business to continue operating those XP PCs. I agree with your idea to upgrade them; your job depends on educating them that this is the way to go. Not spending the money to do so, is pennywise and pound-foolish. It's your job to convince them--if you can. And, if you are successful you won't have to worry about newer MS updates causing your LAN and the PCs running on it to fall apart and cause you all these headaches.:thumbs_up: Choosing to make all your W7/W8x machines run Homegroups will make your job easier. Unless you can convince them to buy a Server PC, install Server 2012 or newer and purchase that hardware and OS and create and manage a proper Domain network. Most companies are forced to do this somewhere between 50-100 PCs; if they don't, the overhead costs kill them, and if they have to spend tons of money jury-rigging an old out-of-date network with outdated machines running 16-year old Windows, then they may never get it. During my 35+ years of network design and servicing, dozens of companies ignored my advice to do just this and pretty much every one of those are now all out of business. :skull: Most companies doing this that I've worked for have long since gone bankrupt or driven out of business by a virus attack that costs them weeks of downtime and lost sales/revenue. Hopefully, you take this conversation to heart and look at the real issues underlying the poor choice of running an ad-hoc network for that many employees.

Best of luck,
<<<BBJ>>>
 
Windows XP only uses SMBv1. The MS patch only fixes the vulnerability. This is probably a change in authentication that is causing the issue. If you can get the wireshark capture we could determine the issue.
 
Sorry for replying so late, Bigbearjedi :thud:


You're welcome, and thanks for your information. Now we know for sure you are not using a Domain-based server network, and it is ad-hoc created. Sounds like you may have dismissed my idea about enabling Homegroups
Ah about Homegroups, I did tried that, but it only works for Windows 7 or higher. I cannot connect between Windows XP machine to Windows 7 Homegroup.


you may not be aware of the fact that hundreds of settings in the Registry have been pre-optimized in the W7/W8 and XP OSes and tie in to lots of .dll files and other system networking files. Trying to tweak the legacy LANMAN settings you are trying to adjust is not going to work; believe me; I helped develop LANMAN (early M$ networking protocol) and was an early beta tester of that technology. That is all NETBIOS based stuff which is decades old; and the only clean way to transition it in a multi-OS windows network is to use Homegroups. That's up to you and it's your network. Upgrading several or most of your old XP machines may help for now; but continuing to run those XP machines without OS support from Microsoft is foolish as there have been no security updates from them since they End-of-Lifed XP supports back in April 2014.:noway: Those XP machines will continue to be more and more of a virus target, and if your employees or the employees of the company you work for attempt to do any type of financial transactions online or make credit card purchases through the Internet on those PCs; they are ripe for getting their bank accounts emptied and Identity theft attacked.:pirate:

Whether or not you are in Management at this company that is employing you to maintain these 25 PCs or you are an Outsourced-IT tech; you have responsibility to tell Upper Management that this is an extremely risky business to continue operating those XP PCs. I agree with your idea to upgrade them; your job depends on educating them that this is the way to go. Not spending the money to do so, is pennywise and pound-foolish. It's your job to convince them--if you can. And, if you are successful you won't have to worry about newer MS updates causing your LAN and the PCs running on it to fall apart and cause you all these headaches.:thumbs_up: Choosing to make all your W7/W8x machines run Homegroups will make your job easier. Unless you can convince them to buy a Server PC, install Server 2012 or newer and purchase that hardware and OS and create and manage a proper Domain network. Most companies are forced to do this somewhere between 50-100 PCs; if they don't, the overhead costs kill them, and if they have to spend tons of money jury-rigging an old out-of-date network with outdated machines running 16-year old Windows, then they may never get it. During my 35+ years of network design and servicing, dozens of companies ignored my advice to do just this and pretty much every one of those are now all out of business. :skull: Most companies doing this that I've worked for have long since gone bankrupt or driven out of business by a virus attack that costs them weeks of downtime and lost sales/revenue. Hopefully, you take this conversation to heart and look at the real issues underlying the poor choice of running an ad-hoc network for that many employees.

Best of luck,
<<<BBJ>>>
Thank you for telling me very nice opinion and experience, BBJ. It's so detail and helpful :) Your explanation makes me more confident to upgrade XP machines to Windows 7. I'm sure I can convince the Manager to approve this upgrading, it will need process; little by little is no problem.

Server PC + install Windows Server 2012 is really a best option, but the price is more expensive than usual PC and usual Windows. The management may approve to buy a new Server PC, but I'm not sure they'll approve to buy Windows Server 2012 for now. Let it be for now until they understand the important of Windows Server, so they approve to buy it even if the price is more expensive. And of course I'll educate them as best as I can do, and I hope the business profits grow and grow in the future, so the management won't make an excuses "we have no enough budget for this" :greedy_dollars:

It's time to say good bye to Windows XP hehehehe, and prepare to newer Windows platform :)

Thank you!
 
Windows XP only uses SMBv1. The MS patch only fixes the vulnerability. This is probably a change in authentication that is causing the issue. If you can get the wireshark capture we could determine the issue.

Sorry for replying so late, Neemobeer :thud:

About wireshark capture, I upload wireshark_for_Neemobeer.zip special for you :) I hope you could determine the issue. If anything is missing just let me know, I'll redo and reupload :)

Thank you!
 

Attachments

  • wireshark_for_Neemobeer.zip
    18.2 KB · Views: 289
The problem is pretty apparent. The XP and 7 devices are certainly not offering any common smb dialects. Since it's apparent you have Pro editions of Windows, are there domain controllers running in your environment and do you have group policy in effect and sys admins? Because their GPOs will override any local GPs you set.
 
The problem is pretty apparent. The XP and 7 devices are certainly not offering any common smb dialects. Since it's apparent you have Pro editions of Windows, are there domain controllers running in your environment and do you have group policy in effect and sys admins? Because their GPOs will override any local GPs you set.
I don't think there are domain controllers running in our environment, nor have group policy.

It's all happen after updating MS17-010. Here's another wireshark capture I upload for you: Windows XP machine can connect to Windows 8 (not install MS17-010 update), and cannot connect to Windows 7 (MS17-010 updated).
 

Attachments

  • wireshark_xp_to_unupdated8.zip
    29.2 KB · Views: 311
In that dump SMBv1 (NTLM 0.12) is being used for the SMB negotiation.

When you login to the computers do you use the same credentials or are they unique to the computers? Do you see the word DOMAIN: <some domain> on the login screen?
 
In that dump SMBv1 (NTLM 0.12) is being used for the SMB negotiation.

When you login to the computers do you use the same credentials or are they unique to the computers? Do you see the word DOMAIN: <some domain> on the login screen?
No, I don't see the word DOMAIN:<domain_name> on the login screen.

All XP/W7/W8 machines on the same class C subnet and same workgroup (ALFATH).

Each XP machines have one user login (unique for one person) and one root/administrator login.

Each W7/W8 machines have one user login (unique for one person), and one root/administrator login too. Plus one or some user login for sharing access.

Example, a W8 machine (kabagpbyaw) have:
1. User login "kabag" and its password
2. User login root/administrator and its password
3. User login "entershare" and password "sharing"

If a Windows XP wanna connect/access to that W8 machine (type \\kabagpbyaw), there will be user login and password to connect. Enter the correct login and password for sharing, and Windows XP can access file/folder/printer sharing from that W8 machine. That will be happen in the unupdated Windows 7/8 case.

In the updated Windows 7/8 case, user login and password will not show, but it will show error message "Windows cannot find [\\computername]"
 
Back
Top