Scan questions

Access is denied

Q: How do I deal with the errors “Access is denied” or “Unknown user name or bad password”?

A: These errors can occur for several reasons:

  • Username or password is specified incorrectly.
    Check your username and password.
  • The specified user account does not have administrator rights on the remote machine.
    You need to have administrator access to remote computers to be able to scan them (local administrator or domain administrator rights). If you have logged on as a domain administrator or remote computers have the same name and password for the local administrator account as your account, you can use the Current user scan option. Otherwise specify the user name in full format: DOMAIN\Administrator.
  • Blank password.
    Remote administrator access with a blank password is not allowed starting with Windows XP.
  • The scanned computer has Windows XP Home Edition installed.
    This version of Windows cannot be scanned remotely. It’s an OS limitation, and the Access denied error will be displayed at all times. However, it’s possible to scan XP Home locally by running the standalone audit tool tniwinagent.exe (located in the program’s installation folder) on that machine. It’ll generate an .inv file with scan results, which should be copied to the program’s Storage (it will be imported upon TSD’s next launch or immediately, if TSD is running) or imported by using the Storage main menu or any group’s context menu.
  • Computers are not in the domain and have default settings.
    Workstations running Windows XP, Vista, or later client versions and not connected to a domain don’t allow the local administrator to authenticate as himself by default. Instead, the ForceGuest policy is used, which means that all remote connections are mapped to the Guest account. But again, the administrator rights are required for running the scan. Thus, you need to update the security policy on each computer using one of the following ways:
    • Run secpol.msc, expand Local policies / Security options, locate the Network access: Sharing and security model for local accounts policy, and change its value from Guest to Classic;
    • Disable the Use simple file sharing option in File Explorer’s Folder Options;
    • Modify the registry: set the forceguest value, located in the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” key, to zero.

For Windows client versions starting with Vista, an additional step should be taken: it concerns the User Account Control (UAC). It restricts administrator rights for remote logons in certain cases. You should either disable UAC or make changes to the registry: create a DWORD parameter (name: LocalAccountTokenFilterPolicy; value: 1) in the “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system” key. A reboot may be required.

You can modify both settings easily by running a .reg file with the following contents on such computers (omit the last two lines for Windows XP):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001

Port numbers

Q: How can I find which port numbers are used by TSD, so that I can configure the firewall?

A: TSD uses the SMB protocol to scan Windows computers. It can be allowed by enabling the File and Printer Sharing exception in the Windows Firewall or TCP port 445 in other firewalls. You could also enable TCP port 139 (NetBIOS) for older systems.

TCP/IP security limit

Q: How do I deal with the following warning: “TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts”?

A: This warning may appear when you run the network scan under Windows XP SP2/SP3 or Windows Vista SP0/SP1 with port scan enabled. In these operating systems, a controversial limitation of not more than 10 concurrent TCP connect attempts (“half-open connections”) has been introduced by Microsoft to reduce the speed with which malicious software spreads over the networks. When you see this message in the scanner log, it means that the program detects that some computers have no open ports and there is an event with ID 4226 (source: Tcpip) in the system Event Log with the same message. As a consequence of reaching the aforementioned limitation, the program cannot reliably detect whether ports on computers are open or not. That’s why the program starts to ignore the port scan results and connects to all computers using all selected protocols to provide successful scans. This policy remains active during the current session, that is, until the next program restart. To avoid this warning you can do the following:

  • Disable the Scan ports option in the Scanner settings. Note that this will decrease the network scan performance;
  • Patch your system using the widely known patch by LvlLord or this patch (based on the former). However, note that this is illegal according to the Windows EULA;
  • Run TNI on the system that is not affected by this limitation: Windows Server 2000/2003/2008, Windows 2000, Vista SP2, or Windows 7.

No network provider accepted the given network path

Q: How to fix the following error: “No network provider accepted the given network path”?

A: Take the following steps:

  1. Make sure that you can ping the remote computer by network name;
  2. Make sure that the File and Printer Sharing exception is enabled in the Windows Firewall (or that NetBIOS is allowed in any other firewall), or the firewall is disabled;
  3. Make sure that both Client for Microsoft Networks and File and Printer Sharing For Microsoft Networks are enabled in the properties of the network connection on the remote computer;
  4. Make sure that the NetBIOS over TCP/IP setting in the properties of the network connection (Internet Protocol Version 4 – Properties – Advanced – WINS) is set to Default or Enabled and that the TCP/IP NetBIOS Helper service is set to Automatic and started;
  5. Make sure that the Network security: LAN Manager authentication level security policy (secpol.msc  Local Policies – Security Options) is set to Send LM & NTLM responses (option #1) or Send LM & NTLM responses – use NTLMv2 session security if negotiated (option #2);
  6. Run sfc /scannow.

Call was canceled by the message filter

Q: How can I fix the “Call was canceled by the message filter” error?

A: Take the following steps:

  1. Run services.msc on the remote computer and make sure that the Windows Management Instrumentation service is set to Automatic and started;
  2. Make sure that DCOM is enabled: run dcomcnfg, select Component Services – Computers – My Computer, right-click, choose Properties, open the Default Properties tab, and make sure that Enable Distributed COM on this computer is on;
  3. Restart the remote computer;
  4. Run the WMI diagnosis utility from Microsoft;
  5. Follow these tips to repair WMI on the remote computer.
Contents