Follow-up on NNNNnnnooooo….!

I just stepped out to Building 40 to grab some lunch, (it's better than the cafeteria in Building 26, and they do better coffee too) and I bumped into Dennis Morgan, he was the lead guy on the firewall in XPSP2. I asked him what the perf impact was on startup with the firewall enabled. His reply had me grabbing my gut with laughter.

"About 5 msec."

This is a classic example of an article making a claim about performace with few, if any, facts to back up the claim.


Comments (9)

  1. Jonathan says:

    There’s so many articles and tweak guides out there that are like that, complaining about how all of these services and background processes use valuable CPU time and system resources. But when you look at Task Manager’s total CPU time for some of these, its like 5 seconds over two weeks of system uptime. Sad how so many people don’t know what they’re talking about.

  2. David Betz says:

    It has nothing to do with performance…bootvis proves that it’s fast. It’s just such a pest. I’m not going to allow each of my services every time I need them. That’s gay…and it’s why hardware wirewalls and routers exist. I recommend you all get nLite and remove that Firewall pest right way(uh yeah take out wordpad and paint while you are at it!)

  3. Drew says:

    So you’re suggesting we publish info like that for customers? Good idea! That probably would have been useful information for PC Magazine, too.

    You know as well as anyone who’s reading your blog that the PC Magazine folks just started turning off anything that they could turn off and still have their machine run. They probably didn’t measure each footprint delta. They almost certainly didn’t time boots with all combinations of services. I don’t even know whether someone does that here at MSFT.

    I should also add that PC Magazine’s recommendations are FAR saner than some other similar list I have seen on the web that shall not be named. The non-pcmag site was advising people to disable cryptsvc. This disabled Authenticode signature verification. The "interesting" side effect was that all updates (whether auto- or downloaded manually) would fail to install. Bad juju! In comparison, PC Magazine’s advice isn’t so bad.

  4. Why do people use this phrase? Are they homophobic or just stupid? After reading his post, I’m leaning towards the latter.

    The XP firewall is a good defense in depth mechanism for many folks, and it’s better than no firewall. I use it.

    A beta of XP I was using survived DefCon 9’s vicious capture the flag network (the only place I ever saw someone trying to compromise my ssh session), so it works in the most hostile network on the planet. Removing it with nLite is just asking for trouble.


  5. If you do have a hardware firewall — and you’ve configured it to allow "your services" through, then that’s great…

    However, the majority of the people out there have no concept of what a firewall is, nor perhaps want to spend the additional $$ for one. As far as the usefulness of software firewalls go, 3rd party programs like Norton Internet Security, Mcaffe Firewall, Zone Alarm and Tiny Personal Firewall demonstrate that there is indeed a market for software based firewalls.

    Blindly telling everyone out there to go and shut the Windows Firewall off — which gives you a pretty darn good software firewall right out of the Windows XP box — I don’t think is the right decision. Additionally, there’s the "Always Allow this Program" so that you only have to see the firewall popup once.

    I, for one, in fact use wordpad on a regular basis for opening documents which are too large for notepad (or .RTFs) but lightweight enough not to warrant opening them in Word.

    Paint — ‘eh paint needs a replacement 😉 but do the benifits of removing these two outweigh the few KB’s of disk space?

    BTW, Routers don’t do anything in terms of packet filtering and port blocking. If you’re using a router as a security solution, you’re sorely mistaken.

  6. Tito says:

    Don’t forget that the host based firewalls like XP’s or Sygate, ZoneAlarm, etc filter based on host application not just on port. A HW firewall sitting on the network can’t tell if the connection going out on port 80 is from Firefox or a rootkit getting new commands.

    Sygate (others may as well) even is able to go far enough to be able to notify you upon a change in dll’s the process has loaded, and prompt for re-authentication. HW firewalls physically cannot do things like this.

  7. Oh NNNNnnnooooo

    1. The ICF doesn’t filter outbound!

    2. No pseudo^Wpersonal firewall can seriously block unwanted outbound traffic: if in doubt, send keypress messages to IE or FireFox started in a hidden window.

    3. Any rootkit which deserves it’s name will hide before PFWs!

  8. miguel angel says:


    how are you?

    i would like to take a coffe with you but it is a very difficult…, because a am in spain.

    i would like to have a site in internet. My site is but i go to build it the system give me a message error and i can not build it.

    i have to intento go to my site with apache server (maybe) and the system maybe dont give me a message error. i have to intent entry to my site with another server program. perhaps you know another taht server. I would like if you know a other server you say me it. if you can go to my page and help me to build it i an greeting you. now i am not at home. i am in a cibercafe. This night i go to intent build my site when i go home.

    in home i have installed a windows 2003 server trial edition (120 evaluate days) and i have problems with my printer (hp deskjet 720 c) because it dont print. I have called to support service in spain and they have said me that windows 2003 server dont support that printer). Maybe you can help me….


    migual angel sequi martinez


Skip to main content