Upon installing Service Pack 2 on Wednesday night, 2 programs decided to give me trouble. HP PrecisionScan Pro 3.01 and WinFax (more specifically the NetSatisFAXtion connector) basically died on me. WinFax I figured is possibly hopeless for 2 reasons:
- WinFax is 10.0. It's technically not “XP compatible” and to make it so would require purchasing it all over again. I loathe the product to begin with, so I'm not about to purchase 10 more copies so that it can go from 10.0 to 10.03 (ooh such a big version change).
- NetSatisFAXtion's subscription ran out in January 2002. It would require purchasing a year of support for about the same cost as upgrading 10 WinFax clients.
There may be some way I can make it work again by basically obliterating all of the security enhancements SP2 introduced, but I'm not about to compromise security for one application. Both applications will be obsolete very shortly anyways and all I can say is good riddance to both.
I had a point to this post and it was that HP PrecisionScan Pro's shared scanning stuff over the network breaks when you install SP2. It's due to the security enhancements placed around RPC and DCOM but since I only have to modify 1 machine to make this work (rather than a possible 10 for WinFax), I think I can handle the security risk.
On Wednesday I was doing some web searching for the problem and the best hit I could come up with calls it HP LanScan, which I suppose is what they call the network scanning portion, though this only runs on the host machine. The solution was laid out in the newsgroup post I found here. The author, Patrick Philippot, outlined a potential fix but claimed that he didn't test each individual area to find the magical combination. Rather than expose the one computer to more security problems, I thought it would benefit our company if I were to test each thing individually to find the combination that actually works. These settings must be performed on the host computer only but aren't required on the clients.
Windows Firewall:
- Click Start | Control Panel | Windows Firewall in Classic View or Security Center | Windows Firewall in Category View.
- Click the Exceptions tab | Add Program | Browse. Using the default directories for PrecisionScan Pro 3.0 it can be found here: C:\Program Files\Hewlett-Packard\PrecisionScan Pro 3.0\hpscnsvr.exe and will be added as Share Scanner.
- Click Change Scope and select My network (subnet) only or Custom list to narrow down who can access the scanner.
- Exit Windows Firewall by clicking OK.
Note: These settings are required if the Windows Firewall is turned on.
Component Services:
- Click Start | Control Panel | Administrative Tools | Component Services in Classic View or Performance and Maintenance | Administrative Tools | Component Services in Category View. You can also get there by Start | Run | dcomcnfg.
- Expand Component Services and you will probably get a firewall pop up about Microsoft Management Console. Click Ask Me Later. (I don't think it should pop up because you can do anything you want without requiring the firewall to allow it)
- Click on Computers then right click on My Computer and select Properties.
- Click on the COM Security tab.
- Under Access Permissions click Edit Limits.
- Add Authenticated Users. You don't have to do anything else because the default is set to Local Access which is all that you need. You can add specific users from the domain or a group if you'd like.
- Click OK to apply changes.
- Close the Microsoft Management Console.
Regedit:
- Click Start | Run | regedit to start the registry editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT.
- Right click on Windows NT and choose New | Key. Name it Rpc. You could skip this step if you have this key but none of our computers did.
- Right click on Rpc and choose New | DWORD value. Name it RestrictRemoteClients and hit enter. Leave the default value of 0.
- Close regedit.
- Reboot.
Note: Editing the registry must be done with extreme caution. I'm not responsible if anything happens, yadda yadda which is why this would be an unsupported patch. Microsoft or HP should be the ones issuing the patch, I just simply stated the steps needed to make it work for now.
The reboot is essential only for the Rpc registry key. I played with the DCOM settings by tweaking a little, restarting the MS DTC, playing with the software, then repeating the process until I found the right combination. The Rpc registry key is a necessity as well as the Access Permissions.
The group policy steps Patrick defines are not needed. They duplicate the Access Permissions and Launch and Activation Permissions and when defined actually prevent you from clicking the Edit Limits buttons. If you enable them in group policy you can disable them by deleting every entry and leaving the section blank. Reopening group policy shows that it's “Not configured” but it still leaves rogue entries in the registry you have to clean up unless you want the Event Log whining. The settings are found in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DCOM. These were the only settings in the key so I removed the key entirely (our computers don't have it, it gets created by group policy). I forget what they're called, but if you have other settings there look for the 2 string values that are blank and most likely those are the ones you can delete.
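To confirm afterwards exactly what was loosened on the host, the three settings above can be read back with a read-only audit. This is an added example, not part of the original post; it assumes Windows PowerShell is installed on the host and that the Windows Firewall exception list is stored under the SharedAccess registry path shown in the script.

```powershell
# Added example: read-only audit of the host settings changed in the steps above.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT'
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$exe = 'hpscnsvr.exe'   # scanner server binary named in the post

function Get-RpcRestriction {
    # 0 = RPC interface restriction bypassed, 1 = SP2 default, 2 = strictest.
    # A missing key or value means the SP2 default (1) is in effect.
    $p = Get-ItemProperty -Path "$pol\Rpc" -ErrorAction SilentlyContinue
    if ($p -and ($null -ne $p.RestrictRemoteClients)) { return [int]$p.RestrictRemoteClients }
    return 1
}

function Get-DcomPolicyLeftovers {
    # Value names under the DCOM policy key; nothing is returned if the key is absent.
    $k = Get-Item -Path "$pol\DCOM" -ErrorAction SilentlyContinue
    if ($k) { $k.GetValueNames() }
}

function Get-ScannerFirewallEntries {
    # Entry data is "<path>:<scope>:<Enabled|Disabled>:<name>"; the path itself holds a
    # colon (C:\...), so the fields are counted from the end.
    foreach ($prof in 'StandardProfile', 'DomainProfile') {
        $k = Get-Item -Path "$fw\$prof\AuthorizedApplications\List" -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            if ($name -notlike "*$exe") { continue }
            $f = ([string]$k.GetValue($name)).Split(':')
            if ($f.Length -lt 4) { continue }
            "{0}: scope={1} state={2}" -f $prof, $f[-3], $f[-2]
        }
    }
}

$rpc = Get-RpcRestriction
if ($rpc -eq 0) {
    "RPC      : RestrictRemoteClients = 0, the SP2 RPC restriction is off on this host"
} else {
    "RPC      : RestrictRemoteClients = $rpc"
}
$left = @(Get-DcomPolicyLeftovers)
"DCOM     : {0} policy value(s) present under the DCOM policy key" -f $left.Count
$entries = @(Get-ScannerFirewallEntries)
if ($entries.Count -eq 0) { "FIREWALL : no exception found for $exe" }
foreach ($e in $entries) {
    if ($e -match 'scope=\*') { "FIREWALL : $e  <- open to any address, narrow it with Change Scope" }
    else                      { "FIREWALL : $e" }
}
```

The script changes nothing; running it on a client machine should show the SP2 default for RPC and no scanner exception, since the steps apply to the host only.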
Heavy duty Rant Disclaimer: The following is highly critical of the problem and the parties involved. This isn't really meant for public consumption as it's mainly me venting steam. If you read the below contents, you have been warned and express that you probably really don't care all too much. Hopefully an official fix will be made and I can shut up.
<BeginRant>
According to Patrick, HP claims this problem is a firewall problem. In an earlier post, he claimed that they said it was Microsoft's problem because SP2 is what broke it. SP2 introduced security enhancements. HP's software is making my computer less secure. Microsoft has given enough warning and documentation about the changes so there's no excuse why HP wouldn't conform to SP2 unless they're just too lazy to update the software. While we're on the subject, why use DCOM in the first place? Are you crazy? I would think passing a scanned image would be better handled by another technology that is actually slightly more up to date. I guess they want to make sure it runs on Windows 95 and ME. The funny thing is, everything scanned is an image. Even if you scan to Word, all it does is insert the image into a Word document. There is no OCR with this software, so why on earth would you use DCOM when using another network transport layer makes much more sense? They probably banged it together in VB5 in an hour and called it a day.
Honestly though, HP cares basically nothing about its software, probably because it's always bundled free with something. I'm sure the developers get paid, but they probably take a morale hit when they have to make changes to a product they consider dead from the beginning. HP makes great scanners and printers, but I wouldn't trust them with anything else, period.
I guess I'm ragging harshly on HP right now but if I have to be the one to figure out your problem, you've already lost my business. I've done this way too many times and it's just plain annoying now. I can find better things to do with my time than to play the “point-the-finger-and-do-nothing” game. I left that crap back in 3rd grade where it belongs.
I made this post so that hopefully when people search for what I did they can find an actual fix with the precise steps to fix it. I triple checked my tweaks and made sure these are the exact minimal steps to fix the problem. Hopefully others who find this “feature” “broken” can fix it quicker than I did.
<EndRant>
Update:
- Updated instructions to provide a break down of each section involved. I also included the program I previously marked by ____ which I forgot to add before publishing the post.
- Added “Heavy duty Rant Disclaimer” and the BeginRant and EndRant tags. I was a little annoyed when I wrote this and it doesn't really need to be read if you are actually going to perform the steps. The only groups that should really care about it are HP, and myself. I don't retract things I say probably in the hopes that I can go back and realize how human I really am, not the pseudo-robotic entity I perceive myself to be sometimes.