How to Enable Remote Debugging on Windows XP Service Pack 2

 

Microsoft Corporation

February 2004

Summary: Windows XP Service Pack 2 introduces a number of security enhancements that increase security in Microsoft Windows. This document outlines the steps that you need to take in order to enable remote debugging on a Windows XP Service Pack 2 machine. (10 printed pages)

To enable remote debugging on Microsoft® Windows® XP SP2 platforms, the Internet Connection Firewall (ICF) must be configured as follows:

  • If ICF is in Shielded mode, you will need to perform appropriate actions so that it is no longer in Shielded mode.
  • If ICF is on, a few ports need to be opened and permissions must be granted to Microsoft® Visual Studio® and other executables that are involved in the remote debugging.
  • If ICF is off, no firewall configuration is necessary.
  • In addition, if the user running Visual Studio is not an Administrator on the remote machine, DCOM settings need to be configured.

Below are step-by-step instructions to enable remote debugging. The current user must have Administrator privileges to carry out these instructions. These instructions are for IPv4-based network settings only.

On the Machine with Visual Studio Installed

To run the Internet Connection Firewall application:

  1. From the Start menu, open Control Panel.

  2. In Control Panel, click Network and Internet Connections.

  3. Click Configure your firewall.

    The Internet Connection Firewall application runs.

  4. Click the Permissions tab.

  5. Open the TCP 135 port.

    DCOM (RPC) uses the TCP 135 port. If your application uses DCOM to communicate with remote machines, this port must be opened. To open this port:

    1. Click Add.

    2. Select Specify a port.

    3. Select the TCP protocol.

    4. Type 135 for Port Number.

    5. Give a description.

    6. Optional: Select Local Subnet only.

    7. Click OK.

  6. Open UDP 4500.

    This port is used for IP Security. If your domain policy requires that all network communication be done through IPSec, then this port must be opened for any network operation. If your domain policy does not require IPSec, then you can skip this section. To open this port:

    1. Click Add.
    2. Click Specify a port.
    3. Select the UDP protocol.
    4. Type 4500 for the Port Number.
    5. Give a description.
    6. Optional: Select Local Subnet Only.
    7. Click OK.
  7. Open UDP 500.

    This port is used for IP Security. If your domain policy requires that all network communication be done through IPSec, then this port must be opened for any network operation. If your domain policy does not require IPSec, then you can skip this section. To open this port:

    1. Click Add.
    2. Select Specify a port.
    3. Select the UDP protocol.
    4. Type 500 for the Port Number.
    5. Give a description.
    6. Optional: Select Local Subnet Only.
    7. Click OK.
  8. Enable file and print sharing.

    To open ports necessary to share files and printers:

    1. In the Programs and Services group, select File and Print Sharing.
    2. Click Edit.
    3. Check the following ports:
       • TCP 139
       • TCP 445
       • UDP 137
       • UDP 138
    4. Optional: Select Local Subnet Only for each of the ports.
    5. Click OK.

  9. Add Devenv to the allow list.

    For applications that open ports dynamically at run time to work properly, you need to add them to the list of programs and services with the appropriate permissions, or "allow list". To add Devenv.exe, follow these steps:

    1. Click Select a program.

    2. Click Browse.

    3. Navigate to the location where Devenv.exe resides and select it. Devenv.exe is normally located at SystemDrive:\Program Files\Microsoft Visual Studio .NET (2003)\Common7\IDE.

    4. Click OK.

    5. Give a description.

    6. Optional: Select Local Subnet Only.

    7. Click OK.

    8. Click OK again to save settings.
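
The same configuration for the Visual Studio machine can be applied from the command line. The script below is an added example, not part of the original article; it uses the netsh firewall context included with Windows XP SP2. The Devenv.exe path, the NEED_IPSEC switch, and the rule names are assumptions to adjust for your installation.

```bat
@echo off
rem Added example (not from the article): steps 5-9 for the Visual Studio
rem machine, expressed as netsh firewall commands on Windows XP SP2.
setlocal

rem Assumption: default Visual Studio .NET 2003 install path; adjust as needed.
set "DEVENV=%ProgramFiles%\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe"
rem Set to 1 only if your domain policy requires IPSec for all communication.
set "NEED_IPSEC=0"
rem SUBNET is the "Local Subnet only" option; ALL accepts any source address.
set "SCOPE=SUBNET"

if not exist "%DEVENV%" (
    echo devenv.exe not found at "%DEVENV%" 1>&2
    exit /b 1
)

rem Step 5: TCP 135, used by DCOM (RPC).
netsh firewall add portopening protocol=TCP port=135 name="DCOM RPC" mode=ENABLE scope=%SCOPE% || goto fail

rem Steps 6-7: UDP 4500 and UDP 500, needed only when IPSec is required.
if "%NEED_IPSEC%"=="1" (
    netsh firewall add portopening protocol=UDP port=4500 name="IPSec UDP 4500" mode=ENABLE scope=%SCOPE% || goto fail
    netsh firewall add portopening protocol=UDP port=500 name="IPSec UDP 500" mode=ENABLE scope=%SCOPE% || goto fail
)

rem Step 8: file and print sharing (TCP 139, TCP 445, UDP 137, UDP 138).
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=%SCOPE% || goto fail

rem Step 9: let Devenv.exe open ports dynamically at run time.
netsh firewall add allowedprogram program="%DEVENV%" name="Visual Studio Devenv" mode=ENABLE scope=%SCOPE% || goto fail

rem Review the resulting exceptions and their scope.
netsh firewall show portopening
netsh firewall show allowedprogram
exit /b 0

:fail
echo Firewall configuration failed; review the netsh output above. 1>&2
exit /b 1
```

Run the script from a command prompt under an account with Administrator privileges. The executables listed for the remote machine can be added with the same add allowedprogram form.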

On the Remote Machine

All of the ports that were opened on the debugger machines must be opened on the remote machines as well. Follow the instructions to open TCP 135, UDP 4500, UDP 500, and to enable file and print sharing.

Once that is done, the following executables must be added to the allow list: Mdm.exe, VS7Jit.exe, and MSVCMon.exe.

Add Mdm to the Allow List

MDM is a component that the Visual Studio debugger uses for remote debugging. It needs to be in the list of applications that can open DCOM ports dynamically at runtime. To do this:

  1. Click Add.
  2. Click Select a program.
  3. Click Browse.
  4. Navigate to the location where Mdm.exe resides and select it. Mdm.exe is located at SystemDrive:\Program Files\Common Files\Microsoft Shared\VS7Debug.
  5. Give a description.
  6. Optional: Select Local Subnet Only for each of the ports.
  7. Click OK.

Add Vs7jit to the Allow List

VS7jit is a component that the Visual Studio debugger uses for remote debugging. It needs to be in the list of applications that can open DCOM ports dynamically at runtime. To do this, determine the short file path to vs7jit.exe:

  1. From the Start menu, choose Run.
  2. In the Run dialog box, in the Open text box, enter 'cmd.exe'.
  3. From the Windows command prompt, enter the text below and press ENTER:
    for %d in ("%CommonProgramFiles%\Microsoft Shared\VS7Debug\vs7jit.exe" ) do @echo %~sd
  4. Save the output from this command; it should look something like this: 'C:\PROGRA~1\COMMON~1\MICROS~1\VS7Debug\vs7jit.exe'.
  5. Go back to the ICF configuration.
  6. Click Add.
  7. Click Select a program.
  8. Type in the short path to vs7jit.exe.
  9. Give a description.
  10. Optional: Select Local Subnet Only for each of the ports.
  11. Click OK.

Add MSVCMon to the Allow List

MSVCMon is a component that the Visual Studio debugger uses for remote debugging. It needs to be in the list of applications that can open DCOM ports dynamically at runtime. To do this:

  1. Click Add.
  2. Click Select a program.
  3. Click Browse.
  4. Navigate to the location where MSVCMon.exe resides and select it. MSVCMon.exe is located at SystemDrive:\Program Files\Common Files\Microsoft Shared\VS7Debu.
  5. Click OK.
  6. Give a description.
  7. Optional: Select Local Subnet Only for each of the ports.
  8. Click OK.
  9. Click OK again to save the settings.

To Enable Web Server Debugging

To do Web-based debugging, port TCP 80 needs to be opened. This is true for Microsoft® ASP.NET debugging, classic ASP debugging, and ATL Server debugging.

To open this port:

  1. Click Add.
  2. Select Specify a port.
  3. Select the TCP protocol.
  4. Type 80 for the Port Number.
  5. Give a description.
  6. Optional: Select Local Subnet Only.
  7. Click OK.

To Enable Script Debugging (Including Classic ASP Debugging)

To debug script code running on a remote machine, the process hosting the script code must be added to the allow list. For classic ASP debugging, script code is usually loaded into dllhost.exe or inetinfo.exe. For script running in Internet Explorer, script code is usually loaded into iexplore.exe or explorer.exe.

To add the script host to the allow list:

  1. Click the Add button.
  2. Click Select a program.
  3. Click the Browse button.
  4. Navigate to the location of the hosting program and select it.
  5. Click Open.
  6. Give a description.
  7. Optional: Click the Local Subnet Only buttons for each of the ports.
  8. Click OK.

For Normal User Mode

If you are running the debugger as a normal user (not as an administrator), you will need full access rights to the directory where the executables reside.

In addition, if you are not an Administrator of the remote machine, you need access and launch permissions. To do this you must obtain Administrator privileges and follow these directions:

  1. Run DCOMCNFG.

  2. Double-click the Component Services node.

  3. Double-click Computers.

  4. Select My Computer, and then click Configure My Computer.

  5. In the My Computer dialog box, click the COM Security tab.

  6. Under Launch and Activate Permissions, click the Edit Limits button.

  7. If your name or your group does not appear in the Groups or user names list box:

    1. Click the Add button.
    2. Add yourself or your group.
    3. Click OK.
  8. In the Allow column, click Remote Activation.

  9. Click OK to complete the configuration.

Conclusion

The security enhancements introduced in Microsoft Windows XP Service Pack 2 require extra action for developers who need to do development work on these machines. This document outlined the steps necessary in order to successfully prepare to debug a machine with Service Pack 2 installed.