XP SP2: Are P2P, Port Scanning, and Port-Opening Programs Slower?

   Posted August 11, 2004 by David Kirk in Windows

SP2 limits the number of simultaneous incomplete outbound TCP connection attempts. This tutorial explains how to test if it affects you.




By design, SP2 limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit is reached, subsequent connection attempts are placed in a queue and resolved at a fixed rate.

Rumors are already circulating on the Internet that this slows down programs that open multiple TCP connections at once. Port scanners are a good example of this. In theory, some P2P programs might be affected as well.

Microsoft now creates a unique event log message with ID 4226 when this rate limiting occurs. Here is how to see if you are affected by this change.

Opening the Event Viewer:

    1. Open your Control Panel.
    2. Click Performance and Maintenance. (skip if in classic view)
    3. Click Administrative Tools Folder.
    4. Click Event Viewer.
    5. In the Event Viewer, select System in the left column.
    6. Scroll through the events in the right column looking for 4226 errors.

If you click on the error, you will see something like the following:

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 8/10/2004
Time: 7:36:52 PM
User: N/A
Computer: TECHRX
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00 ......T.
0008: 00 00 00 00 82 10 00 80 ....‚..€
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

If you see a lot of these events in the log, it means that SP2 is frequently limiting your connection attempts.

This may be due to a program you are running. However, trojans and worms open up as many connections as possible. If you are seeing this error frequently, be sure to check your system for such a beast.
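Scrolling through the log by hand gets tedious on a busy machine. The following is an added example, not part of the original tutorial: it tallies Tcpip 4226 warnings per clock hour from event text in the field layout shown above. The sample records, the function names and the threshold of 10 are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime
SAMPLE = """\
Event Type: Warning
Event Source: Tcpip
Event ID: 4226
Date: 8/10/2004
Time: 7:36:52 PM
Event Type: Warning
Event Source: Tcpip
Event ID: 4226
Date: 8/10/2004
Time: 7:41:09 PM
Event Type: Information
Event Source: Service Control Manager
Event ID: 7036
Date: 8/10/2004
Time: 8:02:11 PM
"""  # constructed records in the field layout shown above, not a real log

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time):[ \t]*(.+?)[ \t\r]*$", re.M)

def parse_records(text):
    """Yield one dict of fields per record; a record starts at 'Event Type:'."""
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        rec = dict(FIELD.findall(chunk))
        if rec:
            yield rec

def hourly_4226(text):
    """Count Tcpip event 4226 per clock hour (US date format, as on the page)."""
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("Event Source") != "Tcpip" or rec.get("Event ID") != "4226":
            continue
        try:
            ts = datetime.strptime(f'{rec["Date"]} {rec["Time"]}', "%m/%d/%Y %I:%M:%S %p")
        except (KeyError, ValueError):
            continue  # incomplete record or a different regional date format
        counts[ts.replace(minute=0, second=0)] += 1
    return counts

def busy_hours(counts, threshold=10):
    """Hours with at least `threshold` events (assumed value; tune per machine)."""
    return sorted(h for h, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print({h.strftime("%Y-%m-%d %H:00"): n for h, n in hourly_4226(SAMPLE).items()})
```

Hours returned by `busy_hours` are the ones worth correlating with what was running at the time, whether that is a known program or something that calls for a malware check.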

I do not think we really know yet how this will affect P2P and port scanning programs. Using this technique, we can quantify the issue in more detail.

For what it is worth, in the last 24 hours, my computer triggered this event only once.

If you are really having problems, you can hack your TCPIP.SYS file. The hack supposedly increases your connections from 10 to 50. Only do this if you are seeing numerous 4226 errors in your event log. Hacking your TCPIP.SYS can be dangerous, so be careful.

 

About David Kirk

David Kirk is one of the original founders of tech-recipes and is currently serving as editor-in-chief. Not only has he been crafting tutorials for over ten years, but in his other life he also enjoys taking care of critically ill patients as an ICU physician.