The Windows XP SP2 connection limit. (Event ID: 4226)
Written by GregorK   
Tuesday, 24 May 2005

If you are using Windows XP, you must have noticed all the fuss about Service Pack 2. It introduced an array of security "enhancements": dual direction firewall, several long overdue IE improvements, memory protection and the crippling of the TCP/IP stack.

Hang on, how is crippling of the TCP/IP stack a security enhancement?

Windows XP SP2 limits half-open connections (SYN) to a maximum of 10 (the previous limit was over 65,000). This is supposed to slow down certain viruses, because their spreading strategy is to try to connect to a large number of random IP addresses.

The drawback of this connection limit is that legitimate network-intensive applications can be slowed down as well: network security scanners, peer-to-peer (P2P) applications, or a combination of network applications that a power user may be running (VPN, FTP, P2P, RDP, SSH, "Firefox on steroids" and more).

To me it sounds an awful lot like treating the symptoms instead of the cause, which would have been to tighten up Windows security to prevent virus infections in the first place.

There is a way to tell whether your daily networking activities are being affected by the patch. Each time your computer tries to establish more than 10 half-open connections, a system event will be logged in Windows. It looks something like this:
EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts

Access the Event Viewer via Start / Control Panel / Administrative Tools / Event Viewer / System. Sort by Event and scroll down to 4226. If you only have a few occurrences, I would not worry about it, but if you see many daily occurrences, it's time to look into why they are appearing.

There are two scenarios:
1. Your computer may be infected with a virus/worm that is trying to spread
2. You are a networking power user and your applications are being stalled by XP SP2

If you have anti-virus software running and you scan your computer regularly with anti-spyware software like AdAware, then case 1 is not likely.

You can find out which process is responsible for the many half-open connections with the command "netstat -no". Half-open connections will have a state other than ESTABLISHED. Note the PID (process ID), then open Task Manager and locate the process and application responsible for the half-open connections.
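
As an added example (not part of the original article), the Python script below parses `netstat -no` output, counts half-open connections per PID, and shows how many distinct remote hosts and ports each process is trying to reach. It narrows "half-open" to the SYN_SENT state, which is an assumption of this example; the sample output and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -no` output; not taken from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      203.0.113.5:6346       ESTABLISHED     1820
  TCP    192.168.1.20:1046      203.0.113.9:6346       SYN_SENT        1820
  TCP    192.168.1.20:1047      198.51.100.7:6346      SYN_SENT        1820
  TCP    192.168.1.20:1050      198.51.100.22:445      SYN_SENT        2264
  TCP    192.168.1.20:1051      198.51.100.23:445      SYN_SENT        2264
  TCP    192.168.1.20:1052      198.51.100.24:445      SYN_SENT        2264
  TCP    192.168.1.20:1060      192.0.2.80:80          TIME_WAIT       0
"""

# Proto, local address, foreign address, state, PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)\s*$")

def half_open_by_pid(netstat_text):
    """Group SYN_SENT rows by PID (assumption: SYN_SENT == half-open)."""
    found = defaultdict(lambda: {"count": 0, "hosts": set(), "ports": set()})
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) != "SYN_SENT":
            continue  # skip headers, blank lines, UDP rows and other states
        host, _, port = m.group(2).rpartition(":")  # also works for [v6]:port
        entry = found[int(m.group(4))]
        entry["count"] += 1
        entry["hosts"].add(host)
        entry["ports"].add(port)
    return dict(found)

def report(netstat_text):
    """One row per PID, busiest first. Many hosts on one port suggests scanning."""
    rows = [{"pid": pid, "half_open": e["count"],
             "distinct_hosts": len(e["hosts"]), "ports": sorted(e["ports"])}
            for pid, e in half_open_by_pid(netstat_text).items()]
    return sorted(rows, key=lambda r: r["half_open"], reverse=True)

def total_half_open(netstat_text):
    return sum(r["half_open"] for r in report(netstat_text))

def exceeds_limit(netstat_text, limit=10):
    """True when the snapshot shows more half-open connections than the limit."""
    return total_half_open(netstat_text) > limit

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
    print("total:", total_half_open(SAMPLE), "over limit:", exceeds_limit(SAMPLE))
```

To use it on a live machine, save the output of `netstat -no` to a file and pass its contents to `report()`; a single snapshot can miss short bursts, so compare several taken around the time of the 4226 events.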

The second case means that SP2 is stalling your work. An unofficial patch will modify the locked tcpip.sys and let you set the limit to whatever you wish. 50 half-open connections is a reasonable limit, or you can set the limit back to 65,535, which is what it was before SP2. The patch is called EventID 4226 Patcher and can be found on LVL Lord's web site: LVLlord downloads.

Certain Microsoft updates may replace TCPIP.SYS with a new locked version, but LVLLord has been quick to update the patch. When you run the patch, it will tell you how many connections are currently allowed.

This article was taken from http://blog.davidkaspar.com
Last Updated ( Thursday, 09 November 2006 )
