Windows time sync broken, Application Monitor blocking svchost.exe

I try to manually timesync system clock to any NTP server and get “host unreachable.” I check the CF logs and find this alert timestamped to each attempt:

Medium - Application Monitor - Application Access Denied (svchost.exe::ntp(123))
Application: c:\windows\system32\svchost.exe
Parent: c:\windows\system32\services.exe
Protocol: UDP Out
Destination: :ntp(123)

I get into the Application Control Rules and try to set up an app hole for svchost.exe, giving it full access. Manual timesyncs still fail, and I still get new app monitor errors in the log.

There is only one path to NTP client success, and that is to set the “Turn Off” option in the Application Monitor. Obviously this isn’t a long-term solution, but it at least proves that I’ve set up my CF Network Monitor correctly.

What am I doing wrong? Sure smells like a bug to me (CF v2.3.6.81, app DB v1.2).

Thanks for any guidance… time drift on this box is definitely not cool.

Hi, sorry for the delayed response.

Both svchost.exe & services.exe are not run directly by the user. As such they are held in CPF’s Component Monitor. Remove the entry you added to the Application Monitor & review the Component Monitor looking for blocked entries. Given the message you posted, unless the block was temporary (if so a reboot resolves it), then you are likely to find blocks for svchost.exe and/or services.exe.

Application Monitor: User initiated applications.
Component Monitor: System initiated applications or components (DLLs).

I hope that helps.

Thanks for the response. I found no Allow or Block rules applying to either svchost.exe or services.exe in Component Monitor. I’m also a bit curious why all the logged Block events concerning svchost.exe were generated by the Application Monitor, and why I could successfully time sync the XP system clock only after disabling the Application Monitor.

However, the situation seems to be better after reboot. I’ll keep my eye on this situation and try to come up with additional information if I happen to see it again.

Regards,

MA

If you have a problem with the time, you should repair it. Download “Dial-a-fix” (http://wiki.djlizard.net/Dial-a-fix) and run the program. At the bottom of the window you see a hammer, click on it. In the list, scroll down and click on Reset Time Service. Click on the GO button in the bottom left corner.
Hope this solves your “drifting” time.

Why the Application Monitor? Because it was probably a user initiated event (i.e. it started in the Application Monitor).

If it was OK after a reboot, the implication is that svchost was only blocked temporarily (i.e. a CPF pop-up for svchost was denied with Remember unchecked). In their own right and as a relationship, both services & svchost can be allowed (svchost is services’ Internet interface). The thing to watch out for is unknown applications and/or components attempting to use either services or svchost.