MSN Messenger Sends Endless UPnP Packets; Endless Loop with XP's Error-Reporting Feature

Author's note: Thanks to all the readers who pointed out an omission in last week's column about native Windows 2000 processes and Task Manager. After you kill Windows Explorer on the Processes tab of Task Manager, you can refresh the desktop immediately by restarting Explorer with the File, New Task (Run) command on Task Manager's menu. This method is much faster than logging off and logging back on again.

MSN Messenger Sends Endless UPnP Packets
If you let users keep their systems current using Microsoft's Windows Update Web site, you should let them install only those patches listed as Critical Updates. Otherwise, users can load a lot of useless or unnecessary software on their machines, with potentially negative consequences. The following story about the MSN Messenger service that Windows Update recommends to everyone is an example of the negative consequences that can occur.

Several weeks ago when scanning a client’s firewall log, I noticed the firewall was receiving four Universal Plug and Play (UPnP) packets addressed to Port 1900 on the firewall every 25 seconds. Although this amount of traffic from one system doesn't pose a serious Denial of Service (DoS) threat, I wanted to discover the source of the unnecessary traffic and eliminate it. The firewall log includes the source address and source port, plus destination address and destination port for every event. I examined the source address and discovered that all the UPnP packets were coming from one Windows 2000 Professional system.

Next, I researched the UPnP protocol. In simple terms, UPnP is a generic protocol that a client machine uses to locate a server that provides specific resources. I also learned about a UPnP virus that floods a network with UPnP packets; it strikes Windows XP systems but not Win2K systems. However, a thorough virus scan with current software didn't uncover a known culprit, so I needed to look elsewhere for the source of the problem. I talked to the user of the Win2K Pro system that was generating the UPnP packets and discovered some important facts. First, she said she routinely installs all the recommended software at Windows Update, and second, she noticed that Outlook slows her system so much that she must log out of Outlook to get a decent response time when using other applications. Armed with this information, I started exploring her Win2K Pro system.

First, I used the netstat -an command to verify that the port generating the UPnP packets was actually open on the Win2K Pro machine. Then, by a stroke of luck, I discovered that her system was running firewall software, so I ran the firewall's real-time monitor to discover the executable file that was sending the UPnP packets. Armed with the name of the executable file, I searched the hard disk and eventually located the file in the MSN Messenger directory.

The client's LAN has no MSN Messenger-ready server, but MSN Messenger still sends a steady stream of UPnP packets to discover a compatible server (like phoning home even when nobody answers). MSN Messenger's documentation states that the software accesses Outlook's address book to identify users with whom you might want to chat or play games online. This information explains why the user experienced such a system slowdown when Outlook was running. After I removed MSN Messenger, I checked the firewall log to verify that the UPnP packet stream had disappeared. Ah, sweet success.

Several days later, UPnP packets started showing up in my client's firewall log from other systems on which MSN Messenger was installed. Again, when I removed the software, the UPnP traffic disappeared. MSN Messenger is now permanently banned from my client’s network, and I recommend that you adopt the same policy. If you let users install the MSN Messenger software, at some point, the UPnP packets sent by hundreds of MSN Messengers will clog your firewall and slow your Internet connection to a crawl.
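The firewall-log triage described in this section can be automated. The following Python script is an added example, not part of the original column: it groups Port 1900 events by source address and reports hosts that send in regular bursts. The log line format, the addresses, and the timestamps are constructed assumptions; adapt the regular expression to your firewall's actual log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed log layout: "YYYY-MM-DD HH:MM:SS PROTO src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_upnp_talkers(lines, port=1900, min_bursts=3, burst_gap=2.0):
    """Return {src_ip: (packets_per_burst, seconds_between_bursts)} for
    hosts that send UDP traffic to `port` in repeated bursts."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == "UDP" and int(m["dport"]) == port:
            times[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    report = {}
    for src, stamps in times.items():
        stamps.sort()
        bursts = [[stamps[0]]]
        for t in stamps[1:]:
            # Packets no more than burst_gap seconds apart form one burst.
            if (t - bursts[-1][-1]).total_seconds() <= burst_gap:
                bursts[-1].append(t)
            else:
                bursts.append([t])
        if len(bursts) < min_bursts:
            continue  # a stray packet or two is not a periodic talker
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[src] = (median(len(b) for b in bursts), median(gaps))
    return report

def constructed_log():
    """Constructed sample: one host sends 4 packets every 25 s, plus noise."""
    start = datetime(2002, 1, 1, 9, 0, 0)  # arbitrary constructed date
    lines = []
    for burst in range(5):
        ts = start + timedelta(seconds=25 * burst)
        lines += [f"{ts:%Y-%m-%d %H:%M:%S} UDP 192.168.1.23:1031 -> 192.168.1.1:1900"] * 4
    lines.append("2002-01-01 09:00:07 TCP 192.168.1.40:1077 -> 10.0.0.5:80")
    lines.append("2002-01-01 09:00:09 UDP 192.168.1.40:1078 -> 192.168.1.1:1900")
    return lines

if __name__ == "__main__":
    for src, (per_burst, interval) in find_upnp_talkers(constructed_log()).items():
        print(f"{src}: ~{per_burst} packets every {interval:.0f}s to port {1900}")
```

Running the same check after removing the software from a host confirms that its address no longer appears in the report.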

XP Sends Endless "Report This Error" Messages
Windows XP has a native error-reporting component that is enabled by default. The component collects failure information from your system and forwards the data to Microsoft, ostensibly to help the XP team troubleshoot and improve the XP code. When XP restarts in response to a fatal error, the error-reporting module prompts you to send information about the error to Microsoft. In some cases, you can get stuck in an endless "Report this error" loop. This loop causes the system to prompt you to report error information every time you restart, even when no error occurred during the previous session (i.e., you did a normal shutdown), and even when you elect not to report the problem. A fix for this error-reporting problem is available for public download. I don’t run XP, so I haven't tested the bug fix; let me know if it solves the problem.
