0x80072efd WU V5 trying to load 192.168.1.1

I am having the same problem with WU V5 and getting error code
0x80072EFD. I fired up Ethereal to see what it was having trouble
with, and found that WU is trying to open a connection to 192.168.1.1
which, of course, fails.

I am not using a proxy of any sort, my ethernet adapter IP address is
in the 10.0.0.0/8 range, and there are no entries in etc/hosts other
than the default 127.0.0.1. Did MS accidentally leave a hardcoded
IP address in the V5 software?

Jim Garrison

Jim,

Was Oswald guilty ?

Try flushing the DNS cache. Go to Start, Run, type in

cmd

Press Enter or click OK.

At the prompt, type in

ipconfig /flushdns

Press Enter . Exit the command prompt. Reboot and try the same
method you were using to access WU.

OR, Try these URL's :
http://v5.windowsupdate.microsoft.co...ult.aspx?ln=en
https://v5.windowsupdate.microsoft.c...ult.aspx?ln=en


MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============


Jim Garrison wrote:

> I am having the same problem with WU V5 and getting error code
> 0x80072EFD. I fired up Ethereal to see what it was having trouble
> with, and found that WU is trying to open a connection to 192.168.1.1
> which, of course, fails.
>
> I am not using a proxy of any sort, my ethernet adapter IP address is
> in the 10.0.0.0/8 range, and there are no entries in etc/hosts other
> than the default 127.0.0.1. Did MS accidentally leave a hardcoded
> IP address in the V5 software?
>
> Jim Garrison
>

MowGreen [MVP] wrote:
> Jim,
>
> Was Oswald guilty ?
>
> Try flushing the DNS cache. Go to Start, Run, type in
>

Did that, get same error, except now Ethereal doesn't see
ANY outgoing traffic when I click on Custom Install link
(until WindowsUpdate fetches the errorinformation.aspx
link to display the error page)

The idea that Windows has a DNS cache that survives reboots
is REALLY scary, and breaks the RFCs for DNS.

"Jim Garrison" <> wrote in message
news:...
> MowGreen [MVP] wrote:
>> Jim,
>>
>> Was Oswald guilty ?
>>
>> Try flushing the DNS cache. Go to Start, Run, type in
>>
>
> Did that, get same error, except now Ethereal doesn't see
> ANY outgoing traffic when I click on Custom Install link
> (until WindowsUpdate fetches the errorinformation.aspx
> link to display the error page)

Then there may be some clues about that in the WindowsUpdate.log
which you can find by comparing the entries made for each occasion.


>
> The idea that Windows has a DNS cache that survives reboots
> is REALLY scary, and breaks the RFCs for DNS.

dnscache seems to be really pretty transitory except for entries
which originate from HOSTS. What is in HOSTS?
Note that HOSTS may not be where you think it is due to malware.
E.g. use the following command to see what is in use:

netsh diag show adapter /v | find /i "DataBasePath"

(Works on XP. Otherwise just search registry for that value name.)


Are you using

ipconfig /displaydns

to see what the dnscache actually contains or just speculating about
how that address is being found?


Although you say you aren't using a proxy are you sure you aren't
configured for one? E.g. check with proxycfg
and msinfo32 /category IEConnectivity
commands.


Have you checked for malware and its residual effects?

If this is XP Pro I would appreciate it if you would load ipseccmd
from its Support Tools so you can try

ipseccmd show filters

In any case I would also be interested in whether this command
shows anything when you have the problem:

netsh interface ip show type=LSP


For an interactive FAQ for XP networking issues try
http://www.michna.com/kb/wxnet.htm

E.g. check the box "Internet Explorer cannot display some web sites..."
and look at the open entries in the Results section.


HTH

Robert Aldwinckle
---

Thanks for the response. Here are the results of trying
your suggestions. I also have a case open with MS Support on this,
and will post any resolution.

Robert Aldwinckle wrote:
> netsh diag show adapter /v | find /i "DataBasePath"

DatabasePath = %SystemRoot%\System32\drivers\etc

That file contains:
127.0.0.1 localhost

> Are you using
>
> ipconfig /displaydns
>
> to see what the dnscache actually contains or just speculating about
> how that address is being found?

Speculating. Turns out my speculation may be incorrect.
Running windowsupdate after a reboot and monitoring network traffic
with Ethereal reveals the following exchange:

myhost -> A/D Server: DNS query for wpad.athens.int
Response: host not found
myhost -> 192.168.1.1: SYN
myhost -> 192.168.1.1: SYN
myhost -> 192.168.1.1: SYN
myhost -> 192.168.1.1: SYN
myhost -> fetch error page from microsoft.com

athens.int is our internal A/D domain name. We have no host named 'wpad'
and never have had. We also have NEVER had SUS or WUS anywhere in our
domain. I have no idea why it's looking for "wpad" within our domain,
or why it falls back to 192.168.1.1 when it can't resolve it.

>
> Although you say you aren't using a proxy are you sure you aren't
> configured for one? E.g. check with proxycfg
> and msinfo32 /category IEConnectivity
> commands.

msinfo32 not found

>
>
> Have you checked for malware and its residual effects?

Yes.

> If this is XP Pro I would appreciate it if you would load ipseccmd
> from its Support Tools so you can try
>
> ipseccmd show filters

Generic MM Filters
------------------------------
No filters

Specific MM Filters
------------------------------
No filters

Generic Transport Filters
------------------------------
No filters

Specific Transport Filters
------------------------------
No filters

Generic Tunnel Filters
------------------------------
No filters

Specific Tunnel Filters
------------------------------
No filters

The command completed successfully.

>
> In any case I would also be interested in whether this command
> shows anything when you have the problem:
>
> netsh interface ip show type=LSP

netsh interface ip show type=LSP
The following command was not found: interface ip show type=LSP.

netsh interface ip show
The following commands are available:
Commands in this context:
show address - Displays IP address configuration.
show config - Displays IP address and additional information.
show dns - Displays the DNS server addresses.
show icmp - Displays ICMP statistics.
show interface - Displays IP interface statistics.
show ipaddress - Displays current IP addresses.
show ipnet - Displays IP net-to-media mappings.
show ipstats - Displays IP statistics.
show joins - Displays multicast groups joined.
show offload - Displays the offload information.
show tcpconn - Displays TCP connections.
show tcpstats - Displays TCP statistics.
show udpconn - Displays UDP connections.
show udpstats - Displays UDP statistics.
show wins - Displays the WINS server addresses.

>
> For an interactive FAQ for XP networking issues try
> http://www.michna.com/kb/wxnet.htm
>
> E.g. check the box "Internet Explorer cannot display some web sites..."
> and look at the open entries in the Results section.

I have no problems with any sites other than WU.

Jim Garrison wrote:

> Robert Aldwinckle wrote:
>
>> [snip]
>>
>> to see what the dnscache actually contains or just speculating about
>> how that address is being found?
>
> Speculating. Turns out my speculation may be incorrect.
> Running windowsupdate after a reboot and monitoring network traffic
> with Ethereal reveals the following exchange:
>
> myhost -> A/D Server: DNS query for wpad.athens.int
> Response: host not found
> myhost -> 192.168.1.1: SYN
> myhost -> 192.168.1.1: SYN
> myhost -> 192.168.1.1: SYN
> myhost -> 192.168.1.1: SYN
> myhost -> fetch error page from microsoft.com
>
> athens.int is our internal A/D domain name. We have no host named 'wpad'
> and never have had. We also have NEVER had SUS or WUS anywhere in our
> domain. I have no idea why it's looking for "wpad" within our domain,
> or why it falls back to 192.168.1.1 when it can't resolve it.


Take a look here:
http://groups.google.com/groups?hl=e...r=&btnG=Search


>> Although you say you aren't using a proxy are you sure you aren't
>> configured for one? E.g. check with proxycfg
>> and msinfo32 /category IEConnectivity
>> commands.
>
>
> msinfo32 not found

In a command prompt, you will need to do like this:

start msinfo32 /category IEConnectivity

(From Start\Run, you do not need start in front of this command).


What about the output from proxycfg.exe (run it in a command
prompt without using start in front)?




--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

Torgeir Bakken (MVP) wrote:

> What about the output from proxycfg.exe (run it in a command
> prompt without using start in front)?

Now we appear to be getting somewhere:

proxycfg

Current WinHTTP proxy settings under

HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Flags = PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY
Proxy Server = 192.168.1.1
Bypass List = -not set-

What the (*^%*&% is this, how did it get set, and why is it apparently only
affecting WU?

Jim Garrison wrote:

> Now we appear to be getting somewhere:
>
> proxycfg
>
> Current WinHTTP proxy settings under
>
> HKEY_LOCAL_MACHINE\
> SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\Connections\
> WinHttpSettings :
>
> Flags = PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY
> Proxy Server = 192.168.1.1
> Bypass List = -not set-
>
> What the (*^%*&% is this, how did it get set, and why is it apparently only
> affecting WU?

I reset the proxy configuration with "proxycfg -u" and this is what
it now says:

Current WinHTTP proxy settings under

HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Flags = PROXY_TYPE_DIRECT
Proxy Server = -not set-
Bypass List = -not set-

However, attempting WU now gets a different error 0x80072ee2 and
it's still issuing a DNS query for wpad.athens.int, a non-existent
host. AFAICT it's no longer attempting to contact 192.168.1.1.

"Jim Garrison" <> wrote in message news:
....
> attempting WU now gets a different error 0x80072ee2

You can find lots of threads about that code.
I think that there is even a troubleshooter article about it now.

http://groups.google.com/groups?q=80...ff=1&scoring=d

(Google Groups search for
80072ee2 OR 0x80072ee2 MVP OR MSFT group:microsoft.*.windowsupdate
- sorted by date to capture current thinking
)


> and it's still issuing a DNS query for wpad.athens.int, a non-existent
> host. AFAICT it's no longer attempting to contact 192.168.1.1.

I suspect if you stopped your monitoring you wouldn't notice a problem.
That wpad thing is probably what IE does when you have checked
Automatically detect settings
(Internet Options, Connections tab, Settings...)


HTH

Robert
---

Robert Aldwinckle wrote:
> I suspect if you stopped your monitoring you wouldn't notice a problem.
> That wpad thing is probably what IE does when you have checked
> Automatically detect settings
> (Internet Options, Connections tab, Settings...)

Those are all disabled