Setting The MTU In Windows Vista

Long ago, when I first heard of the dynamic tuning in the Windows Vista TCP/IP stack, I envisioned the manual setting of the static MTU to be a thing of the past. Unfortunately, I was wrong - the MTU is still a fixed setting, in Vista.

The legendary tool, DrTCP, which is used by everybody to change the MTU in Windows 2000 and XP, doesn't work under Windows Vista. Fortunately, Microsoft now allows us to adjust the MTU using the "netsh" command. As other commands in Windows Vista, you run "netsh" using the command window, in Administrative mode.

To see what interfaces you have on your computer, type

netsh interface ipv4 show subinterfaces

To change the MTU, type
netsh interface ipv4 set subinterface "Local Area Connection" mtu=nnnn store=persistent

Local Area Connection is the name of the network connection on your computer, from the list obtained above.
nnnn is the desired value for MTU.

Reboot after making the change.

>> Top

Windows Vista And The IPX/SPX Protocol

Along with providing IPV6 as a default network protocol in Windows Vista, Microsoft made another major change to the protocol stack there - they eliminated the optional IPX/SPX selection. Microsoft now does not support IPX/SPX, in any way.

Windows Vista does not provide a NetWare client or the IPX/SPX protocol.

You can get a Novell client, from Novell. We haven't confirmed that this is IPX/SPX, though.

>> Top

Windows Vista Is Maturing

Windows Vista is maturing, and based upon various complaints about different issues, Microsoft has started issuing comprehensive updates.

In September, Microsoft issued (KB938979): An update is available that improves the performance and reliability of Windows Vista. Last week, Microsoft updated that update, with (KB941649): An update is available that improves the compatibility, reliability, and stability of Windows Vista.

Among the issues hoped to be mitigated by this update are the Vista Printing problems of various symptoms. We'll be watching the effects of this update, closely.

>> Top

The Run Window

Many times, when I ask somebody to diagnose their problem, I'll ask for useful material like an "ipconfig" log. I'll ask that they

Open a Command window, and type "ipconfig /all".
and they respond with
I did. A window opened, and closed, and I couldn't read a thing.

What was just described was not the Command window, it was the Run window.

The Run window works great, for Windows applets. Use the Command window for Command applications. Simply type "cmd" here, and hit the Enter key, or the OK button, when you are producing a diagnostic log that I request.

And a Command window should open for you.

>> Top

Changes In Internet Explorer Security May Affect Local Network Access

Many owners of third party firewalls such as Norton Internet Security and Zone Alarm, which filter access between computers by zones, are used to the idea that personal firewall settings can affect the ability of various computers on their local network to be accessed from other computers.

Recent changes to Internet Explorer may also have an effect on how your computers, on your local network, are accessed from each other. If you use My Network Places (aka Network in Windows Vista), you may be accustomed to seeing all computers on your local network listed with a Network Location of "Local Network".

Some owners of computers running Microsoft Windows are reporting that local shares now list with a Network Location of "Internet".

It appears that this oddity can be controlled through the (Internet Options - Security - ) Local Intranet - Sites wizard in Control Panel.

This is the default setting, causing local computers to be listed as "Internet".

This is the currently effective setting, causing local computers to be listed as "Local Network".

This behaviour appears to be independent of the status of Windows Firewall. It's quite likely that this will affect more than just the display of the various computers in My Network Places.

>> Top

Producing a PathPing Log For Analysis

Many network problems that affect your access to the Internet, such as the currently obnoxious "Server Error 1-500", can be better understood, if we can understand how you are connecting to the servers in question. A pathping log, similar to a traceroute log, but easier to read, is very useful in this case.

  1. Open a command window.
  2. Type "pathping >c:\pathping.txt" (less the "") at the command prompt.
  3. Type "notepad c:\pathping.txt" (less the "") at the command prompt.
  4. Copy, and paste, the entire log, as displayed in Notepad, into your email or forum post. Please don't munge, or disguise, any details.
It really is simple - when you know how. Just be generous - and precise (see the spaces in the commands?).

Here's a sample log.

Tracing route to []
over a maximum of 30 hops:
0 []
1 []
2 []
3 []
4 []
5 []

Computing statistics for 200 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 []
3/ 100 = 3% |
1 37ms 3/ 100 = 3% 0/ 100 = 0% []
0/ 100 = 0% |
2 33ms 3/ 100 = 3% 0/ 100 = 0% []
0/ 100 = 0% |
3 40ms 3/ 100 = 3% 0/ 100 = 0% []
0/ 100 = 0% |
4 42ms 5/ 100 = 5% 2/ 100 = 2% []
0/ 100 = 0% |
5 35ms 4/ 100 = 4% 1/ 100 = 1% []
0/ 100 = 0% |
6 41ms 3/ 100 = 3% 0/ 100 = 0%
3/ 100 = 3% |
7 42ms 7/ 100 = 7% 1/ 100 = 1%
0/ 100 = 0% |
8 45ms 6/ 100 = 6% 0/ 100 = 0%

Trace complete.

>> Top

Bundled AntiVirus and Personal Firewalls - A Windows Networking Challenge

For several years after antivirus and personal firewalls became typical (and highly recommended) components in personal computer protection, many computer owners would confuse the two. Typical comments

What do you mean my computer has a virus? I have a firewall.
How could my computer have been hacked? Norton AntiVirus says my protection is fine!
would be common in many help forums.

With Windows XP, Microsoft first gave us Internet Connection Firewall, later renamed as Windows Firewall. They then took Windows Firewall, paired it with their recently acquired Antivirus program, and called that Windows OneCare.

The name "OneCare" has always intrigued me. Any person of British personality might pronounce that, with an accent, as "WanKare". Please ask one of your British friends, if you have any, what "WanKare" implies.

So fast forward to the present, please. It appears that the firewall component in Windows OneCare doesn't integrate with Vista, as well as Windows Firewall does. With Windows Vista, when you change the Network Location Type to "Private", Windows Firewall automatically adjusts itself to permitting Windows Networking on that computer. Depending upon the state of NetBIOS Over TCP, Windows Firewall will open the correct TCP ports.

If you have Windows Vista with OneCare, and you can't get Windows Networking working, check the network NetBT, and firewall port, settings, carefully. Make sure that they are compatible, and make sure that the setup of your network, and all existing (and currently working) computers matches the Vista / OneCare settings.

It's possible that any third party firewall may work no better than OneCare, in terms of Network and Sharing integration. If you have a problem with Windows Networking (file / printer sharing), the most frequently seen cause of such problems is NetBT and / or personal firewall settings. This will apparently be true under Windows Vista, just as under any previous operating system.

>> Top

Producing a TraceRt Log For Analysis

Many network problems that affect your access to the Internet, such as the currently obnoxious "Server Error 1-500", can be better understood, if we can understand how you are connecting to the servers in question. A tracert log is very useful in this case.

  1. Open a command window.
  2. Type
    tracert >c:\tracert.txt
    at the command prompt.
  3. Type "notepad c:\tracert.txt" (less the "") at the command prompt.
  4. Copy, and paste, the entire log, as displayed in Notepad, into your email or forum post. Please don't munge, or disguise, any details.
It really is simple - when you know how. Just be generous - and precise (see the spaces in the commands?). If you're having a problem with "", target that instead.
tracert >c:\tracert.txt
If you may be having a DNS problem, find out the IP address of the server, and target it, for comparison.
tracert >c:\tracert.txt

Here's a sample log.


Tracing route to []
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms
2 40 ms 43 ms 41 ms
3 42 ms 41 ms 43 ms
4 54 ms 55 ms 55 ms
5 * * * Request timed out.
6 51 ms 53 ms 51 ms
7 53 ms 51 ms 53 ms
8 268 ms 275 ms 271 ms
9 270 ms 269 ms 269 ms
10 280 ms 283 ms 283 ms
11 297 ms 299 ms 283 ms []
12 283 ms 339 ms 285 ms []

13 114 ms 115 ms 113 ms
14 118 ms 117 ms 117 ms
15 144 ms 137 ms 141 ms
16 142 ms 137 ms 139 ms
17 178 ms 171 ms 167 ms
18 175 ms 173 ms 175 ms
19 176 ms 181 ms 177 ms
20 176 ms 177 ms 175 ms []

Trace complete.

You have two classes of information there. The list of IP addresses are very important, to understand the path that your traffic may take, between your computer and the Google server.

The timings (or lack of them, as in "Request timed out") are not always easy to interpret. A difference of 200+ ms (as in hops 7 and 8 above) may represent a real problem, or it may be the result of the two hops being on opposite ends of a busy or long communication line, as in a trans continental trunk line.

In many cases, a router (represented by one of the IP addresses in the list), though it will identify itself in the list, will prevent you from probing it for a timed response. The error "Request timed out" won't be as significant as the IP addresses.

Sometimes, the problem won't be immediately obvious from one traceroute log. If your problem comes and goes, a tool like PingPlotter will help you look for a problem over time.

>> Top

Windows Vista - Which Edition Should I Choose?

The choice of whether to choose Windows Vista Home or Business, or any other edition, or any similar edition of Windows XP, varies - and not always strictly according to network environment, or to intended use. Some business people claim to be using Vista Home (Basic, in some cases), in their operations.

Based on help requests, I'd guess that the most relevant distinctions, between the various editions of Vista (and XP), are:

  • Backup solutions. Vista Business, Enterprise, and Ultimate include integrated "Complete PC Backup". Vista Home only allows for data backup.
  • Choice of file sharing. A computer running XP Home will only use Simple File Sharing. All editions of Vista will let you select Password Protected Sharing On, or Off. This was a significant issue in XP, that isn't relevant in Vista.
  • Domain membership. A computer running Vista Home (Basic or Premium), cannot join a domain.
  • Number of simultaneous incoming connections. Vista Home Basic limits you to 5 simultaneous incoming connections, while Vista Home Premium, Business, Enterprise, and Ultimate will limit you to 10.
  • Remote access to the desktop. Vista Business, Enterprise, and Ultimate, provide Remote Desktop, which integrates tightly into the Windows structure. For Vista Home, and for other operating systems, you will need VNC, or a similar product.
  • Remote access to the operating system. A computer running XP or Vista Home can't be managed remotely, nor can its problems be diagnosed remotely.
  • Token based access. A computer running Vista Business, Enterprise, or Ultimate, will use token based access. You'll authenticate once (possibly automatically) to a server, the client will setup a token, and use that token in the future. With Vista Home (Basic or Premium), you'll authenticate each time that you create a connection to a server.

As always, Your Mileage May Vary.

Identify Your Edition Of Windows Vista
Windows Vista has 5 significant editions. The 5 are not directly comparable to the 5 editions of Windows XP. A sixth edition, Vista Starter, is available only in developing countries, and has rather limited networking capabilities.
  • Vista Home Basic.
  • Vista Home Premium.
  • Vista Business.
  • Vista Enterprise.
  • Vista Ultimate.

If you want to make a detailed comparison, and look at other decision making possibilities, you may want to read additional articles:

>> Top

A Computer For Virginia, USA

Are you into jokes? If you live in the East Coast region of the USA, you've probably heard this one.

Q: How many Virginians does it take to change a light bulb?
A: At least 3. One to do the work, the others to remember how great the old one was.

But the Great State of Virginia is moving into the future, and so should computer owners. We have to let go of the past, and get rid of computers running Windows 95, 98 - and yes, ME and 2000. At least, we need to stop requiring Microsoft to "support" them. Microsoft simply can't retain backward compatibility to every historical edition of Windows, forever; sometime, computer owners have to roll forward, into the present.

If you can't network your computer running Windows 98 with a computer running Windows Vista, because the computer running Windows 98 "locks up", is that a Vista problem? The Windows 98 operating system (and the aged hardware running it) has limits. Those limits may not be seen until you try to exceed them, but they are limits in the Windows 98 operating system (or the hardware).

If Internet Explorer Version 6 won't display certain web sites, is that a fault of Microsoft, of the web site producer, of the web site host, or maybe should you accept just a bit of the blame too - since you keep using it? Internet Explorer V6 is very old software - it's buggy, it lacks features, and it's frequently patched to foil the bad guys. Microsoft can't patch it forever, though.

Every computer system contains internally located parts, or externally attached devices. Internally located parts, classically located on "expansion cards", are designed to be swapped in and out, in cases where one has failed or you simply want a better unit. Mass storage (aka "disk drive" controllers) processors, multimedia (aka "sound" / "video") processors, network ("Ethernet" / "WiFi") processors, are internally located parts. Fax machines, modems, and printers are externally attached ("peripheral") devices.

Internal and peripheral devices require drivers, a set of programs that connect a specific device (processor) to a specific operating system. If your computer is going to support your video card, you have to have the drivers for that video card, written to support that operating system.

Generally, the drivers are written by the manufacturer of the component in question. Possibly (but not always) they will be certified by Microsoft, for the operating system.

Every component, internal or external, like every person, is mortal. One day, the video processor, on your computer running Windows 98, will die. When that happens, what chance is there that you can go buy a replacement? You can maybe find a newer model by the same vendor, but what chance is there that the vendor will have written drivers, for that model, that support Windows 98?

Go to your favourite computer store this week, and look.

Then think about what you're doing, and move forward.

Windows Vista And Personal Storage Space

Except for the flashy new GUI, Windows Vista is similar to Windows XP and earlier versions of Windows. This allows people who are used to Windows to adjust to Windows Vista. But there are subtle differences, such as where personal data is stored.

In Windows XP and earlier versions of Windows, your personal storage would be part of your user profile. Your documents might be stored in a folder in "C:\Documents and Settings\(Your AccountName)\My Documents".

In Windows Vista, "C:\Documents and Settings\" has been reorganised, and your personal storage will now be part of "C:\Users\(Your AccountName)\". To provide backward compatibility with older versions of Windows, Vista still will recognise the path "C:\Documents and Settings\(Your AccountName)\", but will retain it as what it calls a "junction point". A junction point is the Vista term for an object that doesn't exist, except virtually.

When you use Windows Explorer (or its Vista equivalent), and try to open "C:\Documents and Settings\(Your AccountName)\My Documents\", you should get "C:\Users\(Your AccountName)\My Documents\", labeled as "C:\Documents and Settings\(Your AccountName)\My Documents\", assuming that you have permissions properly setup.

This is more complicated, when a computer running Windows Vista is a client, and a computer running Windows XP is a server. If the client reports getting "access denied" when trying to open a file in "C:\Documents and Settings\(Your AccountName)\My Documents\", it may be referring to "C:\Users\(Your AccountName)\My Documents\" on the server. "C:\Users\" doesn't exist in Windows XP.

Ad-Hoc Networking

Microsoft Windows is called a Network Operating System. Computers running an operating system like Microsoft Windows (any of the many versions) were designed to be networked. As I've said elsewhere, if you have one computer, you have the beginning of a network.

The minimum complement of equipment, that you need for a computer network, is 2 computers and the appropriate networking components. The simplest networking component set would be two Ethernet adapters (one in each computer), connected by a bit of Ethernet cable, generally (but not always) a cross-over cable.

That's an ad-hoc Ethernet network. It's similar to hub (router / switch) based Ethernet networking, but without a hub (router / switch).

You can also have a network without any Ethernet cable, if you replace the Ethernet adapters with WiFi adapters. That's called an ad-hoc WiFi network.

An Ethernet based ad-hoc network is frequently limited to 2 computers. An Ethernet cable has just 2 ends - to get any more, you need a hub (router / switch). With a WiFi based ad-hoc network, you can have any number of computers connected, with minimal effort.

But there are several disadvantages to ad-hoc WiFi networking.

  • One of the biggest is security. The minimum acceptable standard for WiFi security is WPA. Unfortunately, WPA requires a WiFi Access Point, to manage authentication / encryption. With no WAP, you're limited to using WEP to protect yourself, and WEP just isn't adequate security.
  • With a router "in charge" of the network, you'll generally get more throughput. Client - server (with the server in charge) is more efficient than peer - peer (with no one in charge).
  • Most WiFi equipment, in ad-hoc mode, will only operate in 802.11b mode, and get up to 11M of bandwidth total.
  • Without a router, and a DHCP server built-in, you'll have to use ICS (if you're sharing Internet service), or pre-assign fixed IP addresses to each computer.
  • You'll have to pre-assign channel number and SSID on each computer, as the normal WiFi Client won't find your ad-hoc network by scanning. Nor will it give you a signal strength indicator.
  • You won't be able to disable SSID broadcast (not that this is a bad thing). In ad-hoc mode, SSID broadcast is forceably enabled.

Remaining aware of the limitations of ad-hoc WiFi, see specific details of the setup process

For a quick LAN, ad-hoc WiFi is OK. In an otherwise secure environment (maybe a single conference room deep within your office complex) it's perfect for a quick conference, and application sharing. For long term, really secure networking, though, you can't beat a properly setup, router (WAP) based network.

>> Top

Windows Vista And Routers

As I've written separately, the networking stack in Windows Vista is significantly different from the networking stack in previous versions of Windows. These differences are discussed, in detail, by experts like Joe Davies of Microsoft.

Like any improvements, the many improvements in networking, in Vista, use more resources - memory and processor - on the host computer. Resources on any peripherally connected computer - or router - will likewise be used more intensively. In testing Vista, Microsoft engineers found out that older routers won't perform as well when used with computers running Vista, as with computers running earlier versions of Windows.

As you integrate your computer running Windows Vista with the rest of your network, you'll find a few challenges with the various computers running other operating systems. Those differences you'll have to work around, with configuration changes.

If you get a new computer running Vista, and your router is a few years old, it's time to replace the router too. Or at least upgrade the firmware - if any is available - obtained from the vendor.

For more discusssion:

>> Top

Windows Vista, And Administrative Shares

Under Windows XP and earlier versions of Windows, any administrator of a server could gain access to any portion of any drive on the server, through the network. Even if no share was defined, any drive was always available, in its entirety, to anybody with administrative access.

This ability was known as an administrative share. Besides any explicitly defined shares, every server would have a "C$" share (and a "D$", etc, for additional drives). The shares weren't browsable - they wouldn't show up in Network Neighbourhood, and a server with no explicitly defined shares would even show up, at all, under Windows XP. But anybody with administrative access could map a share to "C$" and have access to the entire C drive, instantly.

Windows Vista has removed the administrative share from the default server configuration. Fortunately for many, this ability can be restored, with a simple registry entry.

For registry key [HKLM\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ system], add a DWord value LocalAccountTokenFilterPolicy of "1". Then restart the computer.

>> Top

The Command Window, In Windows Vista

Many problems in Windows can best (or sometimes only) be resolved by commands entered in a command window. This is still true, on computers running Windows Vista. Under Vista, you will use the command window slightly differently from earlier versions of Windows.

A Command Window (the title may vary, widely)

  • Click the Start button.
  • Click All Programs.
  • Click Accessories.
  • Right Click on "Command Prompt".
  • Left click on "Run as Administrator".
  • Click the Allow button if it asks you for permission.
  • A new window, with varying title, will open.
  • Now type whatever you need, into the Command Prompt window, with the cursor positioned for you after the ">", and hit the Enter key after each command.
  • Remember to allow for the Path, and the location of the program that you're running, if necessary.
  • Close the window when convenient.

If you run ipconfig, for instance, as

C:\Users\YourAccount>ipconfig /all

you will get the ipconfig output there in the command window. This is good to look at briefly, but isn't very good to copy. Copying from the command window can be done, but will be hard to read.

Redirected Output
By redirecting the output, you can view it and / or copy it in a more convenient way, so it's suitable for posting online. Instead of typing

C:\Users\YourAccount>ipconfig /all


C:\Users\YourAccount>ipconfig /all >ipconfig.txt

With the latter command, instead of getting the ipconfig output there in the command window, all you'll see in the command window is another "C:\Users\YourAccount>". Then, type

C:\Users\YourAccount>notepad ipconfig.txt

and Notepad will open with the ipconfig output in a more viewable, and copyable, format.

(Note): If you get an error "Access denied" when you run a command and redirect the output, you may be attempting to redirect output into a file in a folder that you aren't permitted to write into.

Try redirecting into a folder that you are permitted to write into. If the command window opens in "C:\Users\YourAccount", just redirect there.

C:\Users\YourAccount>ipconfig /all >ipconfig.txt

C:\Users\YourAccount>notepad ipconfig.txt

Concatenated, Redirected Output
Do you need the output from two commands, run one after the other, presented in a text file? Be sure to concatenate the output from the second onto the first, don't overlay the first.

C:\Users\YourAccount>browstat status >browstat.txt
C:\Users\YourAccount>browstat listwfw pchucklan >>browstat.txt

Note the ">>" in the second command; that concatenates the output from the second command, after the output from the first command.

Finally, type

C:\Users\YourAccount>notepad browstat.txt

and Notepad will open with both browstat outputs, one following the other, in browstat.txt.

>> Top

AutoTuning In Vista Maybe Not Ready For Prime Time

As you surf the web, you will be in conversation with dozens of web servers, and each conversation might have different latency and stability issues. On a less stable (or low bandwidth) connection, a small Receive Window would be a good idea; on a more stable (or high bandwidth) connection, a larger window gives much better performance. With Windows XP and previous, you were limited to a single Receive Window setting, which would apply to all Internet connections, all of the time.

One of the long awaited features in Windows Vista was the ability for it to dynamically determine the Receive Window size, by individual connection. Receive Window Auto-Tuning is one of the many significant improvements in Windows Vista, in my opinion.

For a few owners of computers running Windows Vista, connectivity to the local network, or the Internet, may be problematic. Symptoms are very like the well known MTU Setting problem - some servers, some of the time, can't be contacted, or give poor performance. Copying files locally, from one computer to another, may be fast in one direction, and agonizingly slow in another.

But we know that your local network isn't running through a router, so how would an MTU setting affect your local connection?

The MTU isn't always the culprit in this case. If you have an older firewall or router, that doesn't support Windows Scaling (an essential component in Receive Window Auto-Tuning), you may have this problem. Apparently the lack of Windows Scaling can affect local performance too.

If you are faced by symptoms like an MTU setting problem, that involve a computer running Windows Vista, first try disabling Auto-Tuning. In a Vista command window (Run as Admin), enter

netsh interface tcp set global autotuning=disabled
netsh interface tcp set global autotuninglevel=disabled

Then shutdown and restart.

Try Internet access with Auto-Tuning shut off, and see if things stabilise. If they do, see if you can upgrade or replace your router. Check with the vendor, and see if a firmware update is available; if not, consider replacing the router. If your router is incapable of supporting Windows Scaling, it may lack other features that you will also enjoy.

Besides RWin AutoTuning, look at other possible problems with Windows Scaling, in Windows Vista and Scalable Networking.

If you see no improvement in your symptoms, turn Auto-Tuning back on before making other changes. Layered Troubleshooting principles suggest one change at a time.
netsh interface tcp set global autotuning=normal
netsh interface tcp set global autotuninglevel=normal

Note the lexicographical variations expressed, above. Some experts state that the relevant keyword is "autotuning", others state "autotuninglevel". There is also a confusion about the value for "autotuning" / "autotuninglevel", which may be either "enabled" or "normal". I suspect that there are two possibilities, "autotuning=enabled" and "autotuninglevel=normal", but I haven't found an authoritative reference, discussing the possibilities.

For more information, see

>> Top

Network Printing From A Windows Vista Computer

Long ago, a printer would be a device, attached directly to your computer. The earliest computers called a printer a "Line Printer", and let you connect your printer to a physical post on your computer. Some computers might have up to 3 physical ports - labeled "Line Printer 1", "Line Printer 2", or "Line Printer 3", abbreviated as "LPT1", "LPT2", or "LPT3".

Then network printing was made possible. You could setup a printer, locally attached to your computer on LPT1, and share it with your neighbours. You had YourComputer, and you could designate your printer to be shared as YourPrinter1. Similarly, your neighbour might have TheirComputer, and a printer shared as TheirPrinter1. If you wanted a second printer to use occasionally, you could setup your programs to print to LPT2 on your computer. You could redirect your LPT2 to print to "\\TheirComputer\TheirPrinter1".

Then somebody else started writing programs to print directly to "\\TheirComputer\TheirPrinter1", without involving "LPTn".

Now, accessing either a directly attached printer ("LPT1"), a network attached printer redirected (LPT2 redirected to "\\TheirComputer\TheirPrinter1"), or a directly networked printer ("\\TheirComputer\TheirPrinter1") involves specific code in the printer drivers, both in your computer (the client), and in the other computer (the server).

None of these options are magical, and not all printers will have drivers that will support all 3 ways of using the printer. Some drivers will claim to support all 3, but depending upon how your computer, and your neighbours computer is setup, one may work better than another. That's reality.

It appears that not all printer drivers, written for Windows Vista, support the old LPTn standard. If you can't get your network printer to work as "LPTn" redirected to "\\TheirComputer\TheirPrinter1", try bypassing the LPTn redirection.

  1. Install the Vista printer driver on your Windows Vista computer.
  2. During installation, you'll be prompted to connect the printer to your computer. Choose the option to proceed with installation without connecting the printer.
  3. After installation completes, open the Printers wizard from the Windows Vista Control Panel.
  4. Right click on the entry for the new printer, and choose Properties.
  5. Go to the Ports tab.
  6. Click Add Port, select Local Port, then click New Port.
  7. For the port name, enter the network path and share name of your printer (ie "\\TheirComputer\TheirPrinter1").
  8. Click OK, and verify that the new port is selected.
  9. Click OK to close the printer properties.

(Update 10/30): If you're experiencing these, and similar problems with printing, try the Vista Compatibility, Performance, and Reliability Comprehensive Update.

>> Top

Determining The MTU To A Single Server

If you have connectivity to the Internet in general, but not to some servers, some websites load slowly, or if problems come and go, you may have a problem with the size of the messages that pass between you and the web site in question. The Maximum Transmission Unit, aka MTU, is a setting on your computer, that controls the size of the messages.

Depending upon what networks are accessed, between your computer and a given web site, the MTU that you can use will vary. If you make your MTU exceedingly small, you'll be able to avoid an MTU related problem, but loading a complete web page will take a long time. If you make the MTU too large, you'll see a variety of symptoms.

  • Some web pages may load incompletely.
  • Some web pages will give you a white screen.
  • Some web pages may return the old familiar
    404 Not Found
  • Some web pages may return another old favourite
    The connection has timed out.
    The server at is taking too long to respond.

Determining your MTU will be a matter of patience and persistence, using the "ping" command repeatedly. You'll run "ping", as with all text based commands, in a Command Window.

Note here that if your computer is running Vista, you may also want to first try checking the setting for Receive Window AutoTuning.

I start by verifying that I have connectivity - period. I check the problem web site, in this example You should check the web sites that you are having problems accessing, since different target servers may have differing MTU related problems.


Pinging [] with 32 bytes of data:

Reply from bytes=32 time=13ms TTL=58
Reply from bytes=32 time=14ms TTL=57
Reply from bytes=32 time=14ms TTL=57
Reply from bytes=32 time=14ms TTL=57

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 14ms, Average = 13ms

If I see anything different,


Ping request could not find host Please check the name and try again.

Then, I know that I have a different problem - maybe a DNS problem, or even LSP / Winsock / TCP/IP corruption.

Hoping that I'm seeing the first example above, I'll see what MTU I can use. I now know that the IP address, in this case, is And I know that (in this case will respond to me, with 32 bytes of data. But 32 data bytes is way too small.

So, I'll see what MTU I can use. The maximum that anybody can use is 1500, which includes a 28 byte header. You specify the amount of data, not including the header, in the ping command. Start with a data size of 1472.

And I'll ping using the IP address, so I don't involve DNS - deal with DNS problems, separately.

Now I ping with additional parameters, "-f" (lower case of "-F" = "Do not fragment"), and "-l" (lower case of "-L" = "Send buffer (data) of this size") options.

C:\>ping -f -l 1472

Pinging with 1472 bytes of data:

Reply from bytes=1472 time=83ms TTL=58
Reply from bytes=1472 time=84ms TTL=57
Reply from bytes=1472 time=87ms TTL=57
Reply from bytes=1472 time=84ms TTL=57

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 83ms, Maximum = 87ms, Average = 84ms

That's a good return, and tells me that I don't have an MTU problem. If I had seen either of two other results

C:\>ping -f -l 1472

Pinging with 1472 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

That's a fragmentation error from a router, or a server, telling me that my MTU is too large, and I set it to not fragment.

C:\>ping -f -l 1472

Pinging with 1472 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

That could be a normal "This server isn't online" message. But since I did my baseline connectivity test (above) I don't think that this is the case. In this case, a router or server is simply dropping my ping request, as above because my MTU is too large, and I set it to not fragment. This is called a "black hole" router or server.

Both a black hole error (router or server simply dropping my ping) and a fragmentation error (router or server telling me that I have a problem) tell me that I have to reduce my MTU. I'll start by reducing it by 20.

C:\>ping -f -l 1452

Pinging with 1452 bytes of data:

Reply from bytes=1452 time=83ms TTL=58
Reply from bytes=1452 time=84ms TTL=57
Reply from bytes=1452 time=87ms TTL=57
Reply from bytes=1452 time=84ms TTL=57

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 83ms, Maximum = 87ms, Average = 84ms

So 1452 is good, but maybe too small. So now, I'll try making it bigger, in steps of 2.

C:\>ping -f -l 1454

Pinging with 1454 bytes of data:

Reply from bytes=1454 time=83ms TTL=58
Reply from bytes=1454 time=84ms TTL=57
Reply from bytes=1454 time=87ms TTL=57
Reply from bytes=1454 time=84ms TTL=57

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 83ms, Maximum = 87ms, Average = 84ms

Again, too small. Keep going up by 2.

... (later)

C:\>ping -f -l 1466

Pinging with 1466 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

OK, 1466 is too large. Back down by 2 to 1464. Add the 28 byte header, giving me an MTU of 1492. This is a common value for the MTU, for many who can't use 1500.

Do you see the technique used? I found the MTU, by bracketing it. I started from a value too large (1472 data bytes), went down by 20 (to 1452, though I might have gone progressively lower) to a value too small, then up by 2 (to 1466) again too large. Then back down to the largest value where no error was seen (1464, in this case), an even number.

There's nothing magical about the sequence "Down by 20, Up by 2". You can use any sequence that pleases you. Try "Down by 60, Up by 20, Down by 2". Or "Down by 80, Up by 8, Down by 2". It's your computer. The point is to find the largest data size that you can successfully ping the target server with, then add the 28 bytes for the header, giving you the maximum MTU that you can use.

Note that I said "maximum MTU". If you find out that "" is accessible with an MTU of 1492, but "" isn't, you'll have to repeat the process, from the beginning, using "" as the target. Always target the problem web site.

Once you know what MTU to use, if your computer is running Windows 2000 or XP, you can set it using the free tool DrTCP, from DSLReports. Download DrTCP, into any convenient folder, and run it from there. You'll be changing the "MaxMTU" or "MTU" value under Adapter Settings. If you have multiple network adapters, be sure to choose the one that provides the Internet service.

If your computer is running Windows Vista, you can set the MTU by using the "netsh" command. If your computer is running Vista, you may also want to first try checking the setting for Receive Window AutoTuning.

The MTU isn't an efficient tuning factor, but you have to use it. It's part of IP networking, and your access to the Internet.

>> Top

The Weak Point In Your Internet Service - The Power

If you have a typical Internet service, you likely (hopefully) have 2 mysterious network devices, connected between your computer and your ISP's service.

  • The modem (dialup, cable, or DSL) connects directly to the wire coming out of the wall.
  • The router connects between the modem, and your computer.
Both the modem and router have power supplies - also known as "wall warts", because they have big plugs - 3 - 4" cube shaped, that make it hard to find a power outlet with room to plug it in. If you have these, you should know what I mean.

Recently, I thought that my router was slightly faulty. Several times / week, I was losing Internet service, even though the diagnostic lights on my DSL modem, and the router, were normal. Restarting both the modem and router would restore my service, but only until the next time.

I bought a universal power supply at Radio Shack for $15 or so, and swapped it for the power supply for the router for a while, but saw no improvement in the symptom. Service was going out too frequently - first a couple times / week, then daily, and finally multiple times daily. I put the vendor power supply for the router back in service, took the replacement universal power supply, and tried it on the modem, and the problem was solved.

It's summer time here in North America, and I'll bet heat sensitivities are part of the problem. If your Internet service has been acting up on you for a few weeks, and you've been pestering your ISP with no results, check your equipment, and start with the power supplies.

In this situation, the "universal power supply" is a key item. Each different electronic device - modem, router, or what have you, will have differently designed power requirements. Plug size, polarity, and voltage will differ from device to device. In my case, my modem uses 6V DC +, and my router uses 12V DC +. Being able to try the same power supply on both units, by simply changing the switch on the wall wart, made it possible for me to solve my problem.

When you setup the power supply for your modem or router, read the instructions carefully. Plug size (6 choices) is obvious. Polarity and voltage are not obvious, but getting them right is essential. In most cases, the wall warts from the vendor will have clearly labeled requirements, with both polarity and voltage obviously described. Carefully following the instructions with the replacement power supply, you can swap units in a couple minutes.

>> Top

Driver Problems Causing Intermittent Network Problems

Recently, on computers running Windows Vista, and occasionally on computers running Windows XP, you might start the process of copying a relatively large file from one computer to the other. The copy process starts out smoothly (ruling out complex issues like name resolution, or permissions, or even visibility).

Well into the copy process, with several Megs of file content copied, the process abruptly terminates with a monolithic message

The network location is no longer available

Well, what now? Did the other computer go off the network?

So, you start layered diagnostics.
And, you find no problem, with either the copy source, or target. Maybe you try copying in the other direction, or start the copy from the other computer, and sometimes this will make a difference.

Frequently, the cause of this problem will be simple. With Windows Vista having been on the market for a rather brief amount of time, the vendors of the various networking adapters are still developing drivers for their products. Either the vendor of the network adapter in your Vista computer has not produced a driver specifically written for Vista, or the driver produced has not been sufficiently tested.

So now, you contact the vendor, and ask about a newer driver. But go to the vendor, not to Microsoft.

>> Top

No WiFi Connectivity? Check The Power Settings

So you just got yourself a new laptop computer, and of course a WiFi router so you can use the new computer while lying in bed (no we won't discuss why you want that). And you followed all of the instructions, and you run the WiFi client setup where it lists networks for you to connect to, and you see

No wireless networks are within range.

Dohh! Guess you won't be surfing the web from the bed after all.

But before you give up, and take it all back to the store, check everything again. To start, check power. There are up to 4 power settings, and yes, I will describe the obvious ones too.
  • The laptop has a power switch.
  • The router should (but probably doesn't) have a switch. But check the power cord. Of course, since you just ran the router setup (connected by Ethernet cable), the router must be on. OK, move on.
  • If the laptop has built-in WiFi, it's got a power switch for the radio. The radio is the part of the WiFi device that uses the most power, so every laptop lets you turn the radio off. Most laptops ship with the radio turned off, so you won't use it without knowing that it's on. Read The Manual.
  • Check the router setup, and make sure that the radio there is on. Most WiFi routers ship with the radio turned off, so you don't set one up, with the radio on, without knowing that it's on. This keeps you from inadvertently providing free Internet service to your neighbours. Again, Read The Manual.

Always check the power, after you set everything up. Then check all of the physical issues again.

>> Top

Microsoft Windows And Authentication Protocols

How many of you use an ATM (here we're discussing an Automated Teller Machine, not an Asychronous Transfer Mode network) in public, casually? If someone is waiting in line behind you, to use the machine next, do you let him (her) stand immediately behind you, and possibly shoulder surf your PIN, as you enter it?

Not if you're smart.

Long ago, in the beginning of computer use, you'd use a simple password to protect your secrets. Entering the password would use a protocol called Challenge Handshake Authentication Protocol.

  • Who are you?
  • What's your password?
  • Thank you, you may Enter the secret chamber now.

But CHAP was insecure, similar to using your ATM PIN in public, casually. So more secure protocols were developed. Kereberos was an initial attempt at surpassing CHAP. For an allegorical (easy to read) discussion about Kereberos, see Designing an Authentication System.

From the early days of Windows, LAN Manager, the key network component on your Windows computer, eventually developed into a portion of Windows Networking. With LAN Manager, Microsoft developed LAN Manager challenge / response, aka LM Authentication. LM Authentication became part of Windows 95 and 98 ("Windows 9x").

With Windows NT, which was the first Business Class Operating System, Microsoft developed NTLM ("New Technology LAN Manager") Authentication, and added Kereberos. And with NT V4.0 SP4, they developed VTLM V2 Authentication. Computers running Windows 2000, and Windows XP, will negotiate individually with every other computer, and use either LM, NTLM, or NTLM V2 Authentication, the best protocol that's mutually usable, in all conversations with that computer.

Vista, by default, only uses NTLM V2 Authentication. If you have Windows 9x computers, this won't work out of the box, since Windows 9x is limited, in default, to LM authentication. If you're networking Windows 2000 and XP with Vista, they will all use NTLM V2, with no problem. If you add a computer running Windows 9x, or an NAS device with an unknown operating system, into the discussion, you have 2 choices.
  • Downgrade Vista. Let it use LM Authentication, when necessary. Microsoft doesn't recommend this. To do this, edit the registry, and set value LmCompatibilityLevel, in [ HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \Lsa ] to "1". If you're having a problem with your NAS device, this may be your only solution, since not all NAS devices can be easily upgraded.
  • Upgrade your Windows 95 / 98 computer, to (KB239869): use NTLM V2. Microsoft recommends this solution.

Choice of which workaround to use must center around your personal plans, and details of your network. If you have more computers running Windows 9x than Vista, downgrading Vista (to that of Windows XP and 2000) would be the obvious choice. If your long term picture involves getting more computers running Vista, and retiring the Windows 9x computers (which would make a lot of sense for several reasons), then upgrading Windows 9x makes more sense. Of course, with Windows 9x as it is, I'd not be too anxious to disturb its configuration any more than necessary. Maybe learning repetitively how to tweak Windows Vista isn't a bad idea.

For more details, see Microsoft: File and Printer Sharing in Windows Vista: Cannot Authenticate to a Shared Folder....

>> Top

File Sharing And Printer Sharing Are Not The Same Thing

If you have a computer, you probably use it to access the Internet. You are, quite likely, reading this article from your computer. If you have more than one computer, you probably have connected them together to share the Internet connection, plus you may be sharing files and / or a printer between them.

You share files, and printers, using two important network components in Windows Networking.

  • Client For Microsoft Networks goes on any computer accessing another computer.
  • File And Printer Sharing For Microsoft Networks goes on any computer being accessed by another computer.
  • Most computers using Windows Networking will need both components, as most Windows computers function in both ways.

Both file sharing, and printer sharing, require authentication and authorisation, which is how you prove to the operating system that you have the right to access a given file or printer. Once you get past the authentication and authorisation issues, you should have file sharing working. File sharing works as an integral component of the operating system.

Printer sharing, however, involves another layer of challenges. Every printer that you might connect to your computer requires its own set of drivers. The drivers are specific both to the printer model and to the operating system. You will need the right drivers on both the server (where you connect the printer), and on the clients (where you use the printer).

The drivers are written by the printer vendor, and subject to their limitations.
  • Newer printers may only be supported for newer operating systems, and older printers my not be supported at all. If the vendor doesn't have drivers that support the operating system on your computer, you're out of luck.
  • Not all printers are designed for network use. If the drivers don't support network use, you're out of luck.
  • You do know to always check directly with the vendor for updated drivers and firmware, whenever installing a new printer? This especially applies if one of the computers is running the latest model of Windows (currently Vista).
  • And consider how you address the printer, when setting up the client.

If you have a typical $100 desktop printer, note another detail. Less expensive printers will use more resources on the server. Printer serving is a graphic process, and can use significant amounts of CPU and memory (both physical and virtual) in printing a document of any complexity. You may want to host the printer on your newer computer, because that's the computer that you'll be using the most.

If you host the printer on an older computer, you'll probably be using the network more from your newer computer. With Ethernet and a switch (NAT router) connecting the two computers, network use will be a minor issue. With WiFi, which is half duplex, if both the client and server are connected wirelessly, you'll get a possible network conflict.

The client computer will be sending to the WiFi router / Access Point, and the router will be sending to the server computer, and both on the same WiFi channel. Printing thru a WiFi network can take more than twice as long as printing thru an Ethernet network, as the router has to constantly switch between receiving from the client, and sending to the server.

Since you can only test the printer on a properly setup client and server relationship, it's a good idea to get file sharing working first. Get the sharing issues out of the way, then concentrate on the drivers issue. This is a basic layered troubleshooting technique.

>> Top

Electrical Issues In Ethernet Networking

If you wire your house with Ethernet, you'll have a houseful of computers, all connected to the power system, and all connected to each other through the Ethernet network, and through the electrical system ("mains"). This is an obvious, but not trivial, issue.

With all computers connected within the same building, it's not a major issue. All computers are connected to the same main power supply, fed through the same power feed from the electric company, and grounded at the power distribution panel (electric meter et al). All computers, on properly maintained electrical and Ethernet networks, should have the same ground potential.

If you're lucky enough to have a large property, maybe you have a garage or shed out back of your house, with a separate electrical feed. If you decide to install a computer out there, networking that computer won't be a trivial issue. Getting past the issue of running cable between the two buildings (bury it, and risk underground problems), or string it through the air (and risk birds and other wildlife damage), you have a major code and safety issue.

Two separate buildings will have different ground potentials, amplifying the damage from lightning strikes. To fulfill electrical code requirements, you must ground electrical feeds, to separate buildings, separately. If you run Ethernet cable between your buildings, and lightning were to strike one building, the lightning would possibly travel from one computer to the other, through the Ethernet cable, and eventually to ground at the other building.

If you were unlucky enough to be working at either computer when this happened, you'd probably not live to worry about it. If you were lucky enough to not be in front of a computer, you could at least kiss the computers goodbye.

Even ignoring the possible damage from a lightning strike, a computer network with different computers connected at different ground potential won't do much for network stability. A properly functioning network depends upon ground at every network point having the same (identical) voltage level. Any variances, as can happen between any two separately grounded objects, will cause chronic and intermittent packet loss.

The bottom line? If you can't ground both ends of the Ethernet cable very securely, fiber or WiFi is a much better choice for connecting two separate buildings. Fiber-Optic cable doesn't conduct electricity, just light. And WiFi isn't a physical media at all.

If you have 2 buildings, limit the dangers of lightning to each building alone. Don't tie the two together, inadvertently.

For more discussion:

>> Top

SMB Protection Requires Careful Setup

Server Message Blocks, or SMBs, are the life blood of Windows Networking. On high security networks, you can create secure channels between the server and client, to ensure security of SMBs. You can provide authentication (digital signing) and / or encryption (digital encryption) of SMBs, similar in nature to WPA, as used in WiFi security.

However, just as WiFi connectivity being prevented by improper setup of WPA, necessary use of Windows Networking can be prevented by by improper setup of SMB protection. Both SMB Encryption and Signing must be setup consistently on your network. If any of your clients don't support either protection, it's best that you don't require it on your servers.

When you try to connect a Windows client computer to a server, you may see

The account is not authorized to log in from this station.

If a server requires SMB encryption or signing, all workstations must provide it, if they are going to connect to that server. SMB Signing has been supported since Windows 98 and NT V4.0. Non-Windows operating systems, such as Apple and Linux / Unix, may or may not support SMB Signing. Be consistent in your LAN, however you choose to set it up.

For computers in a workgroup, you configure SMB Encryption and Signing using the Local Security Policy editor. For computers in a domain, the Local Security Policy editor is available, but settings may be overridden by Group Policy.

You will have settings for both the server (incoming SMBs) and the workstation (outgoing SMBs), and settings for encryption (to prevent snooping) and signing (to prevent spoofing). You'll find settings under Local Policies - Security Options. Domain member, Microsoft network client, and Microsoft network server Policy Categories all contain relevant settings.

Note both server and workstation services, and thus these settings, apply to most Windows computers. And note the difference between Enabling SMB Signing (where both computers that enable SMB Signing, and those that don't, will be able to connect to each other) and Requiring SMB Signing (where only computers that enable SMB Signing will be able to connect to each other).

For more detail, see:

>> Top

Beware The Honeypot

Many, Many years ago, when the USA was first settled, nobody worried about the neighbours. Anybody living in the wilderness was happy to see another human being - and if you went out to work in the fields during the day, you'd leave the front door latched (don't want the pigs or chickens wandering through the house), but nobody locked anything. If you had a front porch, you'd have an easy chair or two, and a bucket of water there for your guests. Anybody wandering by was free to "set a spell and have a drink".

When WiFi was first developed, nobody cared about freeloading. If you had a WiFi AP, you connected it to your Internet service, and left it open. Anybody wandering by was welcome to "set a spell, and borrow the connection". Then freeloading got serious - people like Walter Nowakowski, in Toronto, became common.

People would protect themselves, and WEP was developed. And people learned to crack WEP.

Some of the more ingenious WiFi owners became devious.

If I have a WiFi AP that's protected, and my neighbour has an AP not protected, any wardrivers will be using my neighbours, right? Nobody is going to go after a protected AP, when there's an unprotected one nearby?

and continued with
OK, if a wardriver sees 2 APs, he can't tell that's not two different people. I'll setup an unprotected AP, and wardrivers can use that.

Kind of like the front porch with the chairs and water bucket.
Yet there was more.
Why should I let folks use my connection, to download kiddie porn? The FBI will notify my ISP, and I'll lose my service. OK, disconnect the Internet from the open AP.

and the open AP became a Honey Pot. You can connect, but you aren't going anywhere.

Some WiFi security experts even laugh about the wanna be wardrivers. Maybe even keep logs by MAC address. The ones who really have idle time to kill might even use NetStumbler or similar software to seek out, by triangulating, the hapless wardriver, maybe take his picture or taunt him otherwise.

The really nasty ones might attach a computer, with a spoofing DNS server, and let you think (initially) that you're connecting to "". Then they will try to serve you the hack of the week, from their computer. An old 486 laying around would be perfect for this task. Who cares if it takes 5 minutes to respond? That wardriver isn't going anywhere. Who cares if he gives up?

So, if you are using WiFi, and you're attached to an easy and seemingly available AP that you don't know about, use common sense.
  • Use PingPlotter or a similar tool to make sure that it actually connects somewhere.
  • And, for heavens sake, protect your computer!
  • And learn the difference between seeing
    Connected to XXXXXXX - Signal quality xxxxx.
    and actually having a connection, to the legitimate Internet.


>> Top