Applies To:
  • CitectSCADA 5.xx 6.00

If the Windows user is not a member of a group that has administrative privileges on their machine, they will be unable to use the ping driver CTICMP or any other ping utility that does not directly use the Microsoft Windows icmp.dll.

Technical Information:

ICMP packets which are used for diagnostics on a network (and ping being a core diagnostic for connectivity) are denied under anything other than administrator level.

The reason these packets are denied is that they can be maliciously misused. For instance they can use it for discovery of machines on a network (ie by sending a broadcast you can find out what machines are on the network). They can also be used to cause a type of denial of service attack. These are the main concerns but not exhaustive.

If the machine is in a trusted network environment where the network is protected by a firewall that blocks ICMP then it is quite reasonable to allow the machines to transmit ICMP packets. The restriction only stops people originating ICMP which is highly unlikely in a managed private network. The machine receiving a malformed ICMP packet or raw socket type packet would have to have other significant security holes in order to exploit the weakness. Keeping the restriction does not stop any other machine on that network that may have administrative privileges from attacking it. It is purely only stopping people originating.

The problem of using Microsoft’s icmp.dll is that it has been for some time marked as a deprecated utility that will disappear at some stage from the Windows product.

Solution 1

Under Microsoft Windows 2000 and Windows XP you can disable raw socket protection for non administrative accounts by making the following registry change and restarting your computer.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

DWORD AllowUserRawAccess = 1

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

Solution 2

The utility PlusUtils provided in the Citect toolbox uses Microsoft’s icmp.dll for its ping utility. This works regardless of the privileges on the machine.
Note Microsoft has indicated that this library will disappear in a future version without notice and is not part of their official product. At this stage it is not possible to determine if a current library will still work on a newer version of Windows even if it is copied there.

See also:;en-us;195445