Identify Program Failures

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use this procedure when you want to determine if Windows Firewall is the source of your program failures. This procedure is useful if you are troubleshooting.

Note

If the failing program is a service and it is running as a driver, it is not possible to determine from the log file if the failure is related to Windows Firewall. For information about troubleshooting this type of issue, see A System Service Runs in Svchost.exe and Cannot Be Added to the Exceptions List.

Administrative Credentials

No special administrative credentials are required to perform this task.

Special Considerations

No special considerations are required to perform this task.

To identify program failures

You can use this procedure to find any of the following, which can be useful for identifying the source of your problem:

  • Disabled port openings.

  • Dynamic port openings.

  • Dropped packets with push and urgent flags.

  • Dropped packets on the send path.

This method will verify if disabled ports remain closed.

To identify disabled port openings

  1. With the Windows Firewall log file open in Notepad, press Ctrl + F, type the number of port that you know to be disabled, and then click Find Next.

  2. Make sure each log entry corresponding to the port number in the dst-port field does not have OPEN in the action field.

  3. If you find entries corresponding to the port number in which OPEN appears in the action field, write down the source IP address (srcip) and the destination IP address (dstip), and then see Fixing Program Problems for information about troubleshooting the issue.

This method will verify if Windows Firewall is allowing dynamic port openings for programs that use them.

To identify dynamic port openings

  1. With the Windows Firewall log open in Notepad, scroll to the bottom of the file.

  2. Launch the program and watch the log while it is running.

  3. Look at the entries for the port used by the program. If those entries have OPEN-INBOUND in the action field, then Windows Firewall is not the source of the problem. If the port is not opening, see Fixing Program Problems for information about troubleshooting the issue.

The presence of dropped packets that are flagged with push or urgent might indicate that there is a problem with one of your programs.

To identify dropped packets with push and urgent flags

  1. With the Windows Firewall log file open in Notepad, press Ctrl + F, type [space]U[space] or [space]PU[space], and then click Find Next.

  2. Make sure each log entry with U or UP in the tcpflags field does not have DROP in the action field.

  3. If you find entries with U or PU and DROP together, write down the source IP address (srcip), the destination IP address (dstip), and the source port (srcport), and then see Fixing Program Problems for information about troubleshooting the issue.

The presence of dropped packets on the send path is rare, but might indicate that there is a problem with one of your programs.

To identify dropped packets on the send path

  1. With the Windows Firewall log file open in Notepad, press Ctrl + F, type SEND, and then click Find Next.

  2. Ensure each log entry with SEND in the path field does not have DROP in the action field.

  3. If you find entries with SEND and DROP together, write down the source IP address (srcip) and source port (srcport), and then see Fixing Program Problems for information about troubleshooting the issue.

See Also

Concepts

Interpreting the Windows Firewall Log
View the Windows Firewall Log File