App Filtering Fix (NT Systems)

Discussion in 'LnS English Forum' started by Kaupp, Oct 11, 2004.

Thread Status:
Not open for further replies.
  1. Kaupp

    Kaupp Guest

    hi

    I discovered a way to fix my app filtering problem on W2K. I thought it might help someone else if the patch did not correct the problem.

    First step I made was to download OSRloader from here: http://hongyver.pe.kr/project/osrloaderv22.zip

    This program will show the order in which the Look 'n' Stop drivers are loading in relation to the tcpip.sys driver, which is important because in order for app filtering to function the lnsfw1.sys driver must load after tcpip.sys.

    OK, so open up OSRloader and in the load group dropdown menu select PNP_TDI, then click on the Group Load Order button.

    You should see something like this

    Order  Service Name  Start Type  Tag
    -----  ------------  ----------  --------
    1      Gpc           Manual      3
    2      lnsfw1        System      4
    3      wpsdrvnt      Disabled    7
    4      ambrap        Disabled    6
    5      ndproxy       Manual      ffffffff
    6      Netbt         Disabled    5
    7      Sfilter       Manual      9
    8      Tcpip         System      4
    9      Ws2ifsl       Disabled    ffffffff




    In the column on the right named TAG you can see that in my case the tag for tcpip.sys is 4 and the tag for lnsfw1.sys is also 4. I need to change the tag for lnsfw1.sys so it is higher than the one for tcpip.sys.

    How, and to what, do I change the tag?
    Quote from the help file:
    "A value greater than the number of entries in the group, indicates that this driver is to be loaded last."
    So in the example shown above there are 9 entries in total, so I will change my TAG for lnsfw1.sys to 10.

    OSRloader appears to have a function to do the changes but it wasn't working for me when I tried it, but that doesn't matter because we can still make the changes pretty fast in the registry on our own :)

    The keys you want are

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw1

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lnsfw1

    So in each of those keys I changed the value for Tag from 4 to 10 (make sure to backup the registry before making any changes)

    Then reboot for the changes to take effect.


    Finally here are a couple of snippets from my ntbootlog showing before and after the changes were applied

    Before:

    Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
    Loaded driver \SystemRoot\System32\Drivers\lnsfw1.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
    Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
    Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
    Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys


    After:

    Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
    Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
    Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
    Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
    Loaded driver \SystemRoot\System32\Drivers\lnsfw1.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

    Version: 2.05p2




    regards
    Kaupp
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined: Aug 29, 2003; Posts: 1,932; Location: FRANCE, Rouen (76)

    Hello,

    thank you for sharing Kaupp, for sure it is interesting and I hope it will help many users :)

    regards,

    gkweb.
     
  3. Frederic

    Frederic LnS Developer

    Joined: Jan 9, 2003; Posts: 4,354; Location: France

    Hi Kaupp,

    I think the change you did is working by chance.

    There is another key that is involved in this driver loading process:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
    and especially the PNP_TDI entry in our case

    This key is the list of the tags and specifies the start order of the drivers having the corresponding tag (the first DWORD of the list is the number of tags).
    So "A value greater than the number of entries in the group, indicates that this driver is to be loaded last." is not true. If 10 was put at the beginning of the list, Look 'n' Stop would have been started first.
    And another constraint to have everything working correctly is to have Lnsfw1 started before netbt, which is also complicated to do manually.

    Anyway, the LnsRegPatch is supposed to do the correct job automatically (creating a new tag, and updating the GroupOrderList accordingly) so you don't need to do that manually.

    By the way, I would like to take advantage of this post to give some other information about this issue.
    The first assumption was that TcpIP and lnsfw1 have the same tag value and this is causing the issue.
    This is not correct, there is another registry key for each service which is involved in this process if present: DependOnService.
    The Lnsfw1 service is using a DependOnService set to Tcpip, so according to Microsoft documentation, lnsfw1 should be started after Tcpip.
    The root cause issue is there, I don't understand why this is not working on some PCs.

    And finally for your complete information, the problem with NAV+FileSharing+Look 'n' Stop not working under 2000/XP is related to the same kind of issue but for the SYMTDI.SYS driver, which is not loaded at the correct time. The NavRegPatch also modifies the registry with the mentioned keys to fix that.

    Regards,

    Frederic
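
Added example (not part of the post above and not Look 'n' Stop or LnsRegPatch code): a Python model of the GroupOrderList layout described in that post, showing how the position of a tag in the list, not its numeric size, decides start order. The tag list bytes are constructed, the helper names are hypothetical, and sorting a tag that is absent from the list after all listed tags is an assumption of this model.

```python
import struct

def pack_group_order(tags):
    """Build the binary value: DWORD count, then the tags as DWORDs."""
    return struct.pack("<%dI" % (len(tags) + 1), len(tags), *tags)

def parse_group_order(blob):
    """Decode one GroupOrderList value: a DWORD tag count, then that many
    little-endian DWORD tags, listed in the order the tags are started."""
    if len(blob) < 4:
        raise ValueError("value too short for the count DWORD")
    (count,) = struct.unpack_from("<I", blob, 0)
    if len(blob) < 4 + 4 * count:
        raise ValueError("count DWORD exceeds the data present")
    return list(struct.unpack_from("<%dI" % count, blob, 4))

def start_order(services, tag_list):
    """Order (name, tag) pairs by the position of each tag in tag_list.
    Assumption of this model: a tag missing from the list sorts after every
    listed tag; equal tags keep their enumeration order (stable sort)."""
    rank = {tag: pos for pos, tag in enumerate(tag_list)}
    return [name for name, tag in
            sorted(services, key=lambda s: rank.get(s[1], len(tag_list)))]

def services_with_lns_tag(tag):
    """Four PNP_TDI services with the tags from the first post's table,
    in that table's order, with lnsfw1 retagged. Netbt is disabled on that
    machine; it is kept here only to show the 'before netbt' constraint."""
    return [("Gpc", 3), ("lnsfw1", tag), ("Netbt", 5), ("Tcpip", 4)]

# Constructed PNP_TDI tag list; not read from any real registry.
CONSTRUCTED_PNP_TDI = pack_group_order([3, 4, 5, 6, 7, 9])

if __name__ == "__main__":
    tags = parse_group_order(CONSTRUCTED_PNP_TDI)
    cases = [("lnsfw1 and Tcpip share tag 4", 4, tags),
             ("tag 10, not in the list", 10, tags),
             ("tag 10 at the start of the list", 10, [10] + tags),
             ("tag 10 listed between 4 and 5", 10, [3, 4, 10, 5, 6, 7, 9])]
    for label, tag, tag_list in cases:
        print("%-34s %s" % (label, start_order(services_with_lns_tag(tag), tag_list)))
```
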
     
  4. Doing this patch also worked for me!!!... yay!!

    So maybe the problem is Lnsfw1.sys loading before the other drivers?

    eh i dunno.. but it did work, changed the tag to 10....

    (i guess this means don't worry about the email Frederic, but thanks for the help anyway!)
     
  5. Kaupp

    Kaupp Guest

    Hi Frederic
    I agree that the patch you created is the best solution for people to use. I admit I don't understand the technicalities of the situation and I would have to agree with you that it was by chance that I got it to work.

    I was thinking of what you said here Frederic
    I don't know if this is why I succeeded or not but I have the netbios drivers disabled from loading on my box, so maybe this constraint didn't affect me?

    This issue is complicated for sure and I wish you luck that someday you can get to the bottom of it ;)

    kind regards
    Kaupp
     