Delayed File and Folder Opening

Discussion in 'Networking (Hardware & Software)' started by Brummig, 2005/03/17.

Thread Status:
Not open for further replies.
  1. 2005/03/17
    Brummig

    Brummig Inactive Thread Starter

    I have two PC's on a LAN, one XP Pro SP1 (with all patches except SP2, which caused me considerable grief) and one NT4.0 SP6. Mostly the NT Workstation 4.0 machine is serving the XP machine, but sometimes it's the other way round. Both are running Sygate 5.5-2710 (I have a broadband internet connection). A little while back I started to find that whilst working on the XP machine there was occasionally a delay of about 10s between my double-clicking on a file or folder, and the file or folder opening. This has slowly got worse (it happens more often). It makes no difference whether the data file is dragged across the LAN or not (all the XP apps are local). I don't recall doing anything special before this all started.

    Cutting a long story short, today every time the delay happened I nipped over to a revved-up Command Prompt and ran netstat -oa, and each time I caught a SYN in progress with the NT machine. The chances of me doing that if everything was working must be vanishingly small.

    Here's the relevant line:

    TCP XXX:4387 aaa.bbb.ccc.ddd:http SYN_SENT 1320

    XXX is the XP machine, aaa.bbb.ccc.ddd is the NT machine, and PID 1320 is svchost.exe (please excuse the name/address paranoia - it doesn't really say XXX or aaa.bbb.ccc.ddd).

    Meanwhile, Sygate on the NT machine reports that it is blocking packets from the XP machine on port 80 (HTTP) at the precise moment the delay happens. Either side of this are endless requests to port 138 and 139 (SMB).

    Can anyone tell me please why the XP machine is trying to send a request on port 80 (a request that seems to serve no purpose), which component is broken, and how do I fix it? There's no web server on the NT machine, BTW.

    I've run AVG and Adaware on the XP machine, and AVG on the NT machine with no horrors found.
     
  2. 2005/03/17
    Close_Hauled

    Close_Hauled Inactive

    You can track this problem down with Port Explorer from DiamondCS. Port Explorer is a port enumerator. It will tell you what processes are communicating on the network. It will capture the packets for you too. Port Explorer is not free, but worth every penny.

    You can then use Process Explorer from Sysinternals to track down which service is using SVCHost.

    You may want to post this problem on Wilders Security forum as well. The people there are real sharp and know how to use Port Explorer.
     
    Last edited: 2005/03/17

  4. 2005/03/17
    Newt

    Newt Inactive

    I agree with Close_Hauled that you may well be under attack (although he wasn't quite so blunt) via File & Print Sharing.

    Since you only have a couple or three machines to deal with, you can easily make a couple of tweaks and close a potential security hole.

    - Install NetBEUI on all your PCs.
    - In the bindings section, unbind file & printer sharing from TCP/IP and just leave it bound to NetBEUI.
    - Block all traffic, in or out, for ports 138/139. While you are at it, I'd suggest using hosts or lmhosts files for local name resolution and blocking port 137 as well.

    I'm guessing that in addition to adding to the security of your network, you'll take care of the speed issues you posted about.
     
  5. 2005/03/17
    Close_Hauled

    Close_Hauled Inactive

    One other tool that I forgot to mention.

    HTTPLook is a packet sniffer/protocol analyzer designed specifically for HTTP.

    I had a similar problem to this once with a friend’s small office network. He had a mixed NT/XP environment too. I made him upgrade to XP to resolve the issue. But if you really want to track it down, you can use the tools that I mentioned.
     
  6. 2005/03/18
    Brummig

    Brummig Inactive Thread Starter

    OK thanks. As you probably gathered from my tests I suspected malware too. I want to try and track down what is the cause of the problem, because I could disable it by changing my network, forget it, and have it bite me later because I didn't kill it. There's a whole pile of protection between me and the outside world, so even if something has snuck in it will also have to cross a minefield trying to get out.

    I've downloaded Process Explorer and have it running now. All instances of SVCHOST have been launched by SERVICES.EXE, even during "delay time". From there going back up the tree I have WINLOGON.EXE, SMSS.exe, System and finally System Idle Process. Maybe SVCHOST.EXE has turned nasty for some reason. Using Process Explorer shows (if I've understood this correctly) on the Threads tab that the instance of SVCHOST causing the problem has webclnt.dll loaded, which sounds significant. I see this is a service for "creating, accessing, and modifying Internet-based files". Hmmm - too much functionality for my liking. Other services loaded are the uPNP discovery service (pointless on this LAN) and something I've not encountered before, "Remote Registry", which allows "remote users to modify registry settings on this computer". That sounds like something not just to turn off but delete with a stick of dynamite.

    I should add that the XP machine dual boots Linux, and the NT machine serves the Linux alter-ego too, so any changes to my within-LAN communication must be compatible with Linux too.

    The speed issue is caused by whatever the problem is. Basically SVCHOST is trying to connect to the NT machine on port 80, being rejected (ie ignored), timing out, and then everything proceeds as normal.

    I'll nip over to Wilders Security in a minute.
     
    Last edited: 2005/03/18
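
The manual correlation used in this thread (catch a `SYN_SENT` row in `netstat -oa`, then find which services share that svchost.exe PID) can be scripted. This is an added example, not part of any post; the sample `netstat -oa` and `tasklist /svc` output, the host names and the function names are constructed for illustration.

```python
import re

# Constructed sample output (not from the thread): `netstat -oa` and `tasklist /svc`.
NETSTAT = """\
  Proto  Local Address      Foreign Address     State         PID
  TCP    xpbox:4385         ntbox:netbios-ssn   ESTABLISHED   4
  TCP    xpbox:4387         ntbox:http          SYN_SENT      1320
  UDP    xpbox:netbios-dgm  *:*                               4
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==============================
System                         4 N/A
svchost.exe                  980 Dhcp, Dnscache
svchost.exe                 1320 RemoteRegistry, SSDPSRV,
                                 WebClient
"""

def half_open(netstat_text):
    """Return (remote_host, remote_port, pid) for TCP rows stuck in SYN_SENT."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have five fields; UDP rows have no State column.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "SYN_SENT":
            host, _, port = f[2].rpartition(":")
            hits.append((host, port, int(f[4])))
    return hits

def services_by_pid(tasklist_text):
    """Map PID -> (image name, [services]), joining wrapped service lists."""
    table, last = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last = int(m.group(2))
            names = [] if m.group(3) == "N/A" else m.group(3).split(",")
            table[last] = (m.group(1), [s.strip() for s in names if s.strip()])
        elif last is not None and line[:1].isspace() and line.strip():
            # Indented continuation line: more services for the previous PID.
            table[last][1].extend(s.strip() for s in line.split(",") if s.strip())
    return table

def explain(netstat_text, tasklist_text):
    """Attach image name and hosted services to every half-open connection."""
    svc = services_by_pid(tasklist_text)
    return [(h, p, pid) + svc.get(pid, ("?", []))
            for h, p, pid in half_open(netstat_text)]
```

Each result names the remote host and port, the owning PID and every service hosted in that process, which gives the shortlist of services to stop one at a time.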
  7. 2005/03/18
    Close_Hauled

    Close_Hauled Inactive

    Windows NT and XP in a mixed environment.

    I do not believe that you have a malware issue. My past experience makes me believe that it is an issue between XP and NT and how they communicate with each other over the network. In a pure 2000/XP environment, you do not need to enable NetBIOS over TCP/IP. If you add an NT box to the network, then you do. Name resolution is handled differently between the two operating systems.

    WebClnt.dll

    Here is an article on NT name resolution vs. 2000

    Your XP machine, because it is the newer operating system, is the master browser. I suspect that it is trying to maintain its browser list when your problem happens. If I had an NT machine in my lab, I could confirm this for you. But we upgraded all of our NT machines to 2000 last year.

    You will want to check your event logs on both computers to look for anomalies. Check for forced master browser elections.
    Browser descriptions
     
  8. 2005/03/18
    Brummig

    Brummig Inactive Thread Starter

    Did you find my post on Wilders Security, Close_Hauled :) ? If not, that's good, because the consensus on the two fora is converging - see http://www.wilderssecurity.com/showthread.php?p=404732&posted=1#post404732. I do indeed have a browse master contention issue that started a little while back, but because it just appeared to be nothing more than two machines claiming they were the Browse Master, and then forcing an election, I had filed it under "so what?" and had forgotten it :doh:.

    I have turned off and disabled the suspect services, and I've had no delays since, but I would like to get to the bottom of this. I will take a close look at those links you posted with great interest on Monday (I've gotta switch to weekend mode now). Many thanks ... and have a good weekend.
     
  9. 2005/03/18
    Close_Hauled

    Close_Hauled Inactive

    Good to see that things are working out.

    I just went over to Wilders and took a look at your post. Good work on tracking this one down.
     
  10. 2005/03/22
    Brummig

    Brummig Inactive Thread Starter

    *Whew* that was a bit of a monster :eek: . I had noticed that Windows 2000 and XP machines don't seem to want to play nicely on the network with earlier Windows OS's. Alec over at Wilders reckons it isn't a browser issue, and what he says makes sense. But the two machines are definitely slogging it out over who's the master. I suspect I'm never going to get to the bottom of this :(. Ho hum, at least I no longer have the annoying delay.
     