XP SP2: Are P2P, Port Scanning, and Port-Opening Programs Slower?

Contributed by davak, August 11, 2004  
Tagged: Windows

SP2 limits the number of simultaneous incomplete outbound TCP connection attempts. This is how to test whether it affects you.




By design, SP2 limits the number of simultaneous incomplete outbound TCP connection attempts. Once the limit is reached, subsequent connection attempts are placed in a queue and resolved at a fixed rate.

Rumors are already circulating on the internet that this slows down programs that open multiple TCP connections at once. Port scanners are a good example of this. In theory, some P2P programs might be affected as well.

Microsoft now creates a unique event log message with ID 4226 when this rate limiting occurs. Here is how to see whether you are affected by this change.

Opening the Event Viewer:

    1. Open Your Control Panel
    2. Click Performance and Maintenance (skip if in classic view)
    3. Click Administrative Tools Folder
    4. Click Event Viewer
    5. In the Event Viewer select System in the left column
    6. Scroll through the events in the right column looking for 4226 errors.

If you click on the error you will see something like this:

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 8/10/2004
Time: 7:36:52 PM
User: N/A
Computer: TECHRX
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00 ......T.
0008: 00 00 00 00 82 10 00 80 ....‚..€
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

If you are seeing a lot of these events in the log, it means that SP2 is frequently limiting your connection attempts.

This may be due to a program you are running. However, trojans and worms open up as many connections as possible. If you are seeing this event frequently, be sure to check your system for such a beast.

I don’t think we really know yet how this will affect P2P and port scanning programs. Using this technique we can quantify the issue in more detail.

For what it is worth, in the last 24 hours, my computer triggered this event only once.
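To quantify how often the limit is hit, the Event Viewer check can be scripted. This is an added example, not part of the original recipe; it assumes Windows PowerShell is installed, and the seven-day window and the threshold of 20 events per day are arbitrary illustrative values.

```powershell
# Added example: summarize Tcpip event 4226 per day from the System log.
# Assumed values (not from the article): 7-day window, 20 events/day threshold.
$Days           = 7
$DailyThreshold = 20
$since          = (Get-Date).AddDays(-$Days)

# Filter client-side with Where-Object so the query does not depend on
# Get-EventLog parameters that older PowerShell versions lack.
$events = @(Get-EventLog -LogName System |
    Where-Object {
        $_.EventID -eq 4226 -and
        $_.Source -eq 'Tcpip' -and
        $_.TimeGenerated -ge $since
    })

if ($events.Count -eq 0) {
    Write-Output "No Tcpip 4226 events in the last $Days days."
}
else {
    # One row per calendar day, flagged when the count reaches the threshold.
    $events |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        Select-Object @{ Name = 'Day'; Expression = { $_.Name } },
                      Count,
                      @{ Name = 'Frequent'; Expression = { $_.Count -ge $DailyThreshold } } |
        Format-Table -AutoSize

    # Report the busiest hour too: a burst confined to one hour points at a
    # specific activity, while an even spread suggests a background program.
    $busiest = $events |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Count -Descending |
        Select-Object -First 1
    Write-Output ("Busiest hour: {0} ({1} events)" -f $busiest.Name, $busiest.Count)
}
```

The event shown above does not name the program responsible, so compare the busiest hours against what was running at the time.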

If you are really having problems, you can hack your TCPIP.SYS file. The hack supposedly increases your connections from 10 to 50. Only do this if you are seeing tons of 4226 errors in your event log. Hacking your TCPIP.SYS can be a dangerous thing so be careful.

  • Anonymous
    I'm not getting event log message with ID 4226, as I'm on router, with mac and PC sharing DSL,

    but I still get errors, and slowed down a lot, as use bit torrent 24hrs/day (where I downloaded SP2 from)

    I thought the problem was my telecom line?

    :roll:
  • davak
    Perhaps, the new SP2 firewall is limiting your incoming ports. Can you tell a difference with it off?
  • NeVR-C
    Am I wrong, or is this limitation coming from the SP2 install and not the activation of its firewall?
  • davak
    The 4226 error as discussed in the parent above has nothing to do with the new firewall. The 4226 errors are from the TCP restrictions in SP2.

    As duah reported slow-downs without 4226 errors, I was wondering if the firewall might be causing his problem.
  • Anonymous
    This is so typical of windows to just go around dictating how things should work.
    I mean, thank god I don't purchase it or I may be really pissed off.
    For now, I'll simply run bittorrent on my linux desktop, like I have for portscanning for years.

    F U C K Wintendoes.
  • tech_2004
    I found the following worked (else the windows file protection service kept putting back the sp2 limited to 10 connection tcpip.sys)

    Acquire the cracked tcpip.sys file ( try suprnova.org )
    Copy/overwrite in this order

    C:\WINDOWS\ServicePackFiles\i386
    C:\WINDOWS\system32\dllcache
    C:\WINDOWS\system32\drivers

    ( Note: your pc might be C:\WINNT )

    This will replace your sp2 limited to 10 tcp/ip connections
    (thus limiting p2p programs) to one with a hacked one that
    allows 50 tcp/ip connections.

    I have verified that after SP2 in event viewer I was getting the 4226 message, and after replacing the tcpip.sys the 4226 message has stopped.

    tech_2004
  • Anonymous
    Anonymous wrote:
        F U C K Wintendoes.

    Stop whining. If you don't like it, don't use it.
  • Anonymous
    Anonymous wrote:
        Anonymous wrote:
        F U C K Wintendoes.

        Stop whining. If you don't like it, don't use it.

    You'd rather bend over and accept Microsoft's shaft?

    If I could use something else, I would, but as of now Microsoft have an illegal monopoly and do everything they can to keep games away from Linux.

    Windows Product Activation is just the beginning, sheep, after time you'll be so used to it you wouldn't think twice if they asked for your first born.
  • guest
    Anonymous wrote:
        Anonymous wrote:
        F U C K Wintendoes.

        Stop whining. If you don't like it, don't use it.

        You'd rather bend over and accept Microsoft's shaft?

        If I could use something else, I would, but as of now Microsoft have an illegal monopoly and do everything they can to keep games away from Linux.

        Windows Product Activation is just the beginning, sheep, after time you'll be so used to it you wouldn't think twice if they asked for your first born.

    Please spare us your drama.
    Everyone knows what Microsoft is and isn't capable of doing and being.
    As stated before, stop whining.
    Use something else like the rest of the world that is sick of Microsoft.
  • Anonymous
    He's right, windows is really lame.

    Games??? buy an Xbox or Playstation dood, then format your hard drive and install linux. If you keep your windows around just to play games then you don't deserve to use a computer.
  • Anonymous
    I used to download torrents from suprnova.org till 8/31/04. From 9/1/04, I am not able to download any torrents. When I go to the page - www.suprnova.org, I just don't see the web page at all. I see some ads in the right panel but the main panel is blank and in a few seconds I get a message saying that the page is unavailable. I checked my event log and I do not have any 4226 events in the system.

    Is there any other workaround that regular suprnova users do? I tried to see the website from one of my work machines and I can see the website correctly, but I have a firewall at work that won't let me download any torrents :(

    Any help is appreciated
  • MickeyMouse
    torrent_fan wrote:
        I used to download torrents from suprnova.org till 8/31/04. From 9/1/04, I am not able to download any torrents. When I go to the page - www.suprnova.org, I just don't see the web page at all. I see some ads in the right panel but the main panel is blank and in a few seconds I get a message saying that the page is unavailable. I checked my event log and I do not have any 4226 events in the system.

        Is there any other workaround that regular suprnova users do? I tried to see the website from one of my work machines and I can see the website correctly, but I have a firewall at work that won't let me download any torrents :(

        Any help is appreciated

    Suprnova.org has been like this for a few days now. It has nothing to do with your computer. I am assuming it is from a DOS attack... because of its nature, the site is attacked pretty frequently.

    Alternatively somebody may have poisoned the name servers... I say this because http://69.50.170.100/ actually brings up part of the site.

    Suprnova directs to a series of multiple mirrors. Likely, you are seeing the ad because it is coming from a different host.
  • Anonymous
    Thanks for the response Mickey Mouse! I guess I will just wait and keep checking to see when the site is back up!!!

    I did try the IP address you specified and like you said, only the partial website comes up..
  • Anonymous
    All,

    Since supernova is still down, is there any other reliable website to download torrents?
  • MickeyMouse
    torrent_fan wrote:
        All,

        Since supernova is still down, is there any other reliable website to download torrents?

    Several seem down... I wonder if there was a labor day weekend attack on all of them? Anyway...

    http://www.tvtorrents.com/index.jsp is up.

    It's no suprnova but http://torrentreactor.com/ is up.

    http://torrentreactor.com/ seems up but you need to register to use.
  • bluefox
    Can't seem to see suprnova in IE from an XP station, but IE on a 2K station doesn't have a problem.
  • MickeyMouse
    I suspect it might be blocked from the ISP level.

    Suprnova is mirrored more than you might expect.

    Try to do a google search for "suprnova mirror". Many mirrors are outdated or down... but a few are up.

    This mirror seems to be up right now:
    http://www.wareztorrent.com/index.htm
  • Anonymous
    not a prob, it's cause they refresh and change their sites now and again for obvious reasons, instead of using your link in your favs type in to google and link from there, the ip will be diff to your saved one, hope this helps
  • Guest
    I have experienced that running Norton Personal Firewall OR NIS can cause troubles when using Suprnova.org.
    Clicking any link will cause you to see a "forbidden download" error.
    By temporarily disabling the firewall, you'll start the requested download problem free. Turning on the firewall again will not stop the download once it is started.

    This has been tested on WinXp Pro SP1 and all updates prior to SP2.
    SP2 was not yet available in my language :)

    U_S_S_Enterprise
  • Anonymous
    jeez, can we get back on topic, there's a million and one forums on the net where you can dribble on about suprnova for fcuks sake.

    I was getting a lot of those 4226 errors, did the patch and not getting any now. tech_2004, why did you have to do all those things, didn't the patch work for you?
  • guest
    my first time posting here, might not post again but whoever has a problem, think about this, SP2 is only limiting outbound TCP/IP connections, therefore your download speed should not be affected over a network, however people running xp servers using certain programs for webserver or streaming server and maybe as exchange server, not a good idea though when win2000 is there, but maybe, then the outbound limitation might pose a problem.
    I was thinking the same b4 when I was downloading from torrents, but I realized that if u increase the outbound limit your downlink speed will not be affected, but uplink will be, but it is dangerous to increase the limit to really high because too many outbound connections may make the system unstable and ultimately crash it so it's better to leave the settings at defaults. hope this was helpful to some.
  • Anonymous
    duah wrote:
        I'm not getting event log message with ID 4226, as I'm on router, with mac and PC sharing DSL,

        but I still get errors, and slowed down a lot, as use bit torrent 24hrs/day (where I downloaded SP2 from)

        I thought the problem was my telecom line?

        :roll:
  • gasrwrwa
    where can download torrents for free
  • Guest
    I know very good site where can find lots of torrents
    www.torrentspy.com