Internet Connection Sharing: "Generic Host Process... has encountered a problem and needs to close..." error when client connects

Problem: Soon after a client computer attempts to connect to the Internet
via my Internet-Connection-Sharing host, the host throws up a dialogue box
"Generic Host Process for Win32 .. has encountered a problem and needs to
close" (or something very similar). Neither client nor (usually?) host can
subsequently connect to the Internet; the connection is shown as "Connected"
in the Network Connections view, but I can't make it disconnect without
rebooting. Sometimes the client can connect for a while, before the
failure. If the broadband connection isn't running, it appears that the
client spontaneously connects to the Internet, as a "Connect?" dialogue
appears on the host. "Generic Host Process..." turns out to be svchost
running one or more dlls.

Nothing relevant can be recognised in the event log. Lengthy searches of
TechNet CDs, google.com/microsoft and support.microsoft.com have drawn a
blank. So did a detailed comparison of process listings before and after.
Any ideas?

Configuration:

Host: Windows XP Professional (SP1) patched-up-to-date, connecting to
BTOpenworld Broadband via USB ("squashed" frog modem). Ethernet connection
to client via crossover cable. TCP/IP is the only protocol installed.
Firewall: ZoneAlarm Pro (configured for ICS). Switching ICS to another
(dial-up) connection also brought up the failure dialogue. IP: 192.168.0.1

Client: Windows 95 (blush), firewall ZoneAlarm (free). Printing and
file-sharing works ok. IPX and NETBEUI also installed. File and Printer
Sharing and Windows Client installed. Obtains IP address from host.

Grateful for any ideas!

--
######################
## PH, London ##
######################

On Sun, 24 Aug 2003 12:43:49 +0000 (UTC), "Philip Herlihy"
<(E-Mail Removed)> wrote:

<snipped>
<BTW Philip, nice post>
>Problem:
>"Generic Host Process for Win32 .. has encountered a problem and needs to
>close" (or something very similar). Neither client nor (usually?) host can
>subsequently connect to the Internet;

>Nothing relevant can be recognised in the event log.
>Configuration:
>
>Host: Windows XP Professional (SP1) patched-up-to-date, connecting to
>BTOpenworld Broadband via USB ("squashed" frog modem). Ethernet connection
>to client via crossover cable. TCP/IP is the only protocol installed.
>Firewall: ZoneAlarm Pro (configured for ICS). Switching ICS to another
>(dial-up) connection also brought up the failure dialogue. IP: 192.168.0.1
>
>Client: Windows 95 (blush), firewall ZoneAlarm (free). Printing and
>file-sharing works ok. IPX and NETBEUI also installed. File and Printer
>Sharing and Windows Client installed. Obtains IP address from host.

This all looks to be as it should be.

>Grateful for any ideas!

What motherboard does the XP machine use? (Some motherboards have
problems with the USB ports, and won't run with the speedtouch frog
modem)

Has the problem started recently?

Are you using the latest drivers for the speedtouch frog?

They should be available at <http://www.speedtouchdsl.com/>

(I say should because the site seems to be having some problems at the
moment)

Derek
--
"You must be the change you wish to see in the world." - M Gandhi

Thanks for the reply. The host is a recent Dell laptop, and I've been using
the modem for 3 months without problems. I've updated the drivers within
the last 2 months. (I'll look again, though).

I had no problems with the same model laptop running Windows 2000. Can't
persuade the Missus to upgrade... (sigh)...

--
######################
## PH, London ##
######################

"Derek" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 24 Aug 2003 12:43:49 +0000 (UTC), "Philip Herlihy"
> <(E-Mail Removed)> wrote:
>
>
> What motherboard does the XP machine use? (Some motherboards have
> problems with the USB ports, and won't run with the speedtouch frog
> modem)
>
> Has the problem started recently?
>
> Are you using the latest drivers for the speedtouch frog?
>
> They should be available at <http://www.speedtouchdsl.com/>
>
> (I say should because the site seems to be having some problems at the
> moment)
>
> Derek
> --
> "You must be the change you wish to see in the world." - M Gandhi

I do have the latest Alcatel driver (201).

--
######################
## PH, London ##
######################

"Philip Herlihy" <(E-Mail Removed)> wrote in message
news:biasn8$pvv$(E-Mail Removed)...
> Thanks for the reply. The host is a recent Dell laptop, and I've been
using
> the modem for 3 months without problems. I've updated the drivers within
> the last 2 months. (I'll look again, though).
>

I don't think that's it. The host machine is patched with everything
Microsoft offer for my machine, I have a firewall (ZoneAlarm Pro) and I've
scanned my entire machine (and the client, as a mounted drive) with the
latest Norton antivirus files. No problems if the client isn't connected,
either. Port 135 is blocked, and intrusions regularly show up (blocked) in
the firewall log. Stumped!

--
######################
## PH, London ##
######################

"Derek" <(E-Mail Removed)> wrote in message > Ok, in that case I'd
suggest that you download and manually install
> the patch for the Blaster worm (MS03-026), since the symptoms you're
> describing with the "Generic Host Process for Win32" are a shoe-in for
> a system being hit by probes for the vulnerability, or possibly an
> undetected infection.
>
> A description of the worm can be found at:
> <http://www.microsoft.com/security/incident/blast.asp>
>
> The patch for Windows XP is at:
>
<http://www.microsoft.com/downloads/d...406c-c5b6-44ac
-9532-3de40f69c074&displaylang=en>
>
> I'd also suggest that you block port 135 for *all* traffic, and
> download a stand-alone utility to remove the specific virus, such as
> McAfee/NAI Stinger, which can be found at:
> <http://vil.nai.com/vil/stinger/>
>
> >I had no problems with the same model laptop running Windows 2000. Can't
> >persuade the Missus to upgrade... (sigh)...
>
> You can shut all of the eye-candy down on XP, and then, after a
> suitable period, substitute W2K; I'm sure she won't notice ;-)
>
> Derek
> --
> 'It's called a "contract" because that's what the typeface does towards
> the bottom.' - James "Kibo" Parry

On Mon, 25 Aug 2003 11:19:17 +0100, "Real nwsy"
<(E-Mail Removed)> wrote:

>OK is anyone else keeping count of how many fully updated XP machines are
>reporting ICS connectivity loss of some kind? I'm up to three in the last
>week on this NG.

There are two recent updates that play with the networking and remote
access side of XP.

817778 (Overview of the Advanced Networking Pack for Windows XP),
which alters both the TCP/IP stack and the XP built-in firewall.

823980 (MS03-026: Buffer Overrun in RPC May Allow Code Execution),
which patches the RPC service.

I'm starting to wonder if one of them breaks ZoneAlarm.

Derek
--
"Things can happen to browsers in magical libraries that can make having
your face pulled off by tentacled monstrosities from the
Dungeon Dimensions seem a mere light massage by comparison." -- Pterry

On Mon, 25 Aug 2003 10:03:44 +0000 (UTC), "Philip Herlihy"
<(E-Mail Removed)> wrote:

>I don't think that's it. The host machine is patched with everything
>Microsoft offer for my machine, I have a firewall (ZoneAlarm Pro) and I've
>scanned my entire machine (and the client, as a mounted drive) with the
>latest Norton antivirus files. No problems if the client isn't connected,
>either. Port 135 is blocked, and intrusions regularly show up (blocked) in
>the firewall log. Stumped!

Humour me for a while, Phillip.

1) Goto Start->run.
type, including the quotes: tasklist >"my documents\tasks.txt"
then click OK.

2) Goto Start->run
type, including the quotes: tasklist /SVC >>"my documents\tasks.txt"
then click OK.

(This will create a small file in My documents, called tasks.txt,
which lists the running programs and services on your machine.)

4) Post the contents of the file "my documents\tasks.txt" here, by
cutting and pasting the file contents to a post. (Some news servers
won't allow you to post attachments to these groups)

Derek
--
Imagine a stegosaurus wearing rocket powered roller skates, &
you'll get a fair idea of it's elegance, stability & ease of crash recovery.
-- Lionel Lauer (posting in asr.)

>
> There are two recent updates that play with the networking and remote
> access side of XP.
>
> 817778 (Overview of the Advanced Networking Pack for Windows XP),
> which alters both the TCP/IP stack and the XP built-in firewall.
>
> 823980 (MS03-026: Buffer Overrun in RPC May Allow Code Execution),
> which patches the RPC service.
>
> I'm starting to wonder if one of them breaks ZoneAlarm.
>

Now why wouldn't that surprise me in the slightest.

If you google that 6 digit number I bet you'll see a few comments on sites
like annoyances.com or whatever it is.

On Mon, 25 Aug 2003 15:06:37 +0100, "Real nwsy"
<(E-Mail Removed)> wrote:

<crosspost trimmed>
>> There are two recent updates that play with the networking and remote
>> access side of XP.
>>
>> 817778 (Overview of the Advanced Networking Pack for Windows XP),
>> which alters both the TCP/IP stack and the XP built-in firewall.
>>
>> 823980 (MS03-026: Buffer Overrun in RPC May Allow Code Execution),
>> which patches the RPC service.
>>
>> I'm starting to wonder if one of them breaks ZoneAlarm.
>>
>
>Now why wouldn't that surprise me in the slightest.

Because you're old, cynicial, and far too familar with Microsoft
needing two attempts to get their patches right?

>If you google that 6 digit number I bet you'll see a few comments on sites
>like annoyances.com or whatever it is.

Actually, there is very little that mentions these.

Most of the sudden ICS/ICF failures I've seen can be backtracked to
"things" altering the TCP/IP stack; "things" in this context mostly
meaning adware, spyware, or browser tool bars, which hook into the
stack to do their misbegotten tasks, and have a habit of downloading
new, *improved*[1] components invisibly to the user.

All of which is why I'm interested in seeing the task and service
lists for machines suffering from this problem.

I've also seen people install out-of-date firewalls and cause
themselves all kinds of interesting troubles.

[1] Kaaza being a noticable offender in this respect.

Derek
--
"Share and Enjoy" - Sirius Cybernetics Corporation
"Embrace and Extend" - Microsoft Corporation

On Tue, 26 Aug 2003 13:47:15 +0100, "Real nwsy"
<(E-Mail Removed)> wrote:

>"Derek" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .

>> Most of the sudden ICS/ICF failures I've seen can be backtracked to
>> "things" altering the TCP/IP stack; "things" in this context mostly
>> meaning adware, spyware, or browser tool bars, which hook into the
>> stack to do their misbegotten tasks, and have a habit of downloading
>> new, *improved*[1] components invisibly to the user.
>
>On the subject of toolbars updating unbeknownst to the user, can I praise
>Google's new toolbar and its excellent adblocker! A nice surprise for once!

You can praise anything you like ;-)

>I think I'm getting unnecessarily Sherlocky about this glut of fouled DHCP
>reports, seeing patterns in the chaos & all that. It occurred to me that
>more than a few networks all with ICS hosting on a fully updated XPpro box
>all seem to have the same problem within the same timeframe.
>
>Seems like more than a coincidence.

Agreed; And, since ICF/ICS depends on the RPC service, exploits using
the recent RPC vulnerability would look like a suspect, especially
since the release of the patch from MS seems to spurred someone on
(There's a peak in the number of "Generic Host Process" problems
around the 20th July, 4 days after the patch was released, suggesting
an exploit was in the wild, before the blaster worm became
widespread).

Derek
--
"Hello Kitty realized that there was only one way to resolve this messy
issue: an explosive orgy of mindless violence punctuated by
a few snappy one-liners." (J. Austin Wilde, 'The Day Sanrio Died')