gazaly
03-21-2007, 04:24 PM
Windows XP SP2 and the Event ID 4226 Patch (EvID4226Patch223d)
Windows XP Service Pack 2 introduced an array of security "enhancements": dual direction firewall, several long overdue IE improvements, memory protection and the crippling of the TCP/IP stack. (This patch is only for: Windows XP SP2 and Windows 2003 Server SP1 and up)
Windows XP SP2 limits the maximum concurrent half-open connections (SYN) to a maximum of 10 (the previous limit was over 65,000). This is supposed to slow down certain viruses because their spreading strategy is to connect to a large number of random IP addresses. The drawback to this connection limit is that other network-intensive applications can be slowed, including Peer-to-Peer (P2P) clients.
There is a way to tell whether your daily networking activities are being affected by the new Windows XP SP2 enhancements. Each time your computer tries to establish more than 10 half-open connections, a system event will be logged in the Windows Event Viewer. It looks something like this:
Event ID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts
To access the Event Viewer, go to “Start” > "Run" > Enter " eventvwr.msc " > Click "Ok".
Alternate method: "Start" > “Control Panel” > “Administrative Tools” > “Event Viewer”.
Once the Event Viewer is open, go to "Event Viewer (Local)" > "System" > Sort by "Event" and scroll down to 4226.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDViewer.png
If you only have a few occurrences, this is nothing to worry about, but if you see many daily occurrences there are two possible scenarios:
1) Your system may be infected with a virus or worm that is trying to spread.
2) You are a networking power user, and your applications are being stalled by the Windows XP SP2 limit on half-open connections.
If you have anti-virus software and use it regularly, then case 1 is unlikely.
Check Which Application is Causing the Event ID 4226 Errors
To establish that your network applications are being slowed by the Windows XP SP2 limit on the maximum concurrent half-open connections, use the “netstat” command.
Go to “Start” > “Run” > Enter “cmd” in the “Open” box > Click “Enter”.
At the Command Prompt enter: netstat -no | find "SYN"
Half-open connections will have a state other than ESTABLISHED. In the “Command Window” note the Process ID (PID) in the last column.
(In the example below we can see the Process ID is 2396)
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/netstatpic1copy.png
Now check which Application (Process) is causing the present Event ID 4226 errors. Open the Task Manager and ensure you have the PID column displayed.
Open Task Manager (Ctrl + Alt + Del) > "Processes Tab" > “View” > “Select Columns…” > Check the “PID (Process Identifier)” box > Click “OK”
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDNew4.png
Sort by “PID” (Click the PID heading) and locate the "Process ID (PID)" and the associated application responsible for the "half-open" connections (2396 in the example). If the process in question is your Peer-to-Peer client, Windows XP SP2 is stalling your downloads.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDNew5copy.png
Download and Implement the EventID 4226 Patch
An unofficial patch will modify the locked TCPIP.SYS and let you set the limit to whatever you wish. 50 half-open connections is a reasonable limit or you can set the limit back to 65,535 which it was before Windows XP SP2. The patch is called the "EventID 4226 Patcher" and can be found on LVL Lord's web site: LVLlord downloads - http://lvllord.de/?lang=en&url=downloads
Note: Some anti-virus programs will see the “EventID 4226 Patcher” as malware…it’s not.
To implement the “EventID 4226 Patcher” download and run it (Double Click or Start > Run > "EvID4226Patch.exe"). The patcher will automatically find the windows directory, open a "Command Window", display the present limit and give you the option to increase or decrease the maximum concurrent half-open connections.
To change the limit to "50" enter "Y", to change the limit to another value, enter "C", or to exit without changing the limit enter "N"
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDCommandWindow1copy.png
The "Event ID 4226 Patch" will take a few moments to change the limit on maximum concurrent half-open connections; when prompted, press any key to exit.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDCommandWindow2copy.png
After changing the limit on “Half-open connections”, a “Windows File Protection” Window will come up with the warning: "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Service Pack 2 CD now".
Changing TCPIP.SYS is the objective, so click “Cancel”.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDNew1copy.png
After clicking “Cancel”, a “Windows File Protection” Window will come up with the warning: "You chose not to restore the original versions of the files. This may affect Windows stability. Are you sure you want to keep these unrecognized file versions?" Click “Yes”.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDNew2.png
You have Successfully Implemented the EventID 4226 Patch
After a successful patch, the new TCPIP.SYS will be automatically installed. A system reboot is required for the setting to take effect.
Certain Microsoft updates may reset the limit, or replace the TCPIP.SYS file with a new locked version; LVLLord has been quick on updating the patch.
You must periodically check the patch to ensure it is still active. When you run the patch (Double Click or Start > Run > "EvID4226Patch.exe"), it will tell you how many connections are currently allowed.
If you continue to see numerous daily “Event ID 4226” occurrences, the patch can be run again and the limit on maximum concurrent half-open connections raised incrementally (50 at a time) until no more are seen.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDAzureust.png
µTorrent
Open µTorrent and navigate to > Options > Preferences (Ctrl+P)
In the "Preferences Window" > Advanced > Click “net.max_halfopen” > Enter "50" in the "Value" Field > Click "Set" > Click "OK"
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDuTorrent.png
BitComet
Open BitComet and navigate to > Options > Preferences (Ctrl+P)
In the Preferences Window > Advanced > Connection > Max half open TCP connections > Enter "50" in the field provided > Click "OK"
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDBitComet.png
BitLord
Open BitLord and navigate to > Options > Preferences (Ctrl+P)
In the Preferences Window > Advanced > Connection > Max half open TCP connections > Enter "50" in the field provided > Click "OK"
Note: BitLord supports a maximum of 100 "Half-open" Connections.
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDBitlord.png
SHAREAZA
Once the “Windows XP SP2 and the Event ID 4226 Patch” has been applied, it is safe to modify some advanced settings in SHAREAZA.
If you make these changes, and have not modified the Windows XP SP2 limits on concurrent half-open connections, SHAREAZA is likely to run poorly.
Downloads.MaxConnectingSources can be set to 20. (This is the most important change)
Gnutella.ConnectFactor can be increased to 4 or 5 to improve connect speed. (Modem or low bandwidth users may want to keep it at 3)
Downloads.ConnectThrottle should be set to 250 - 500, depending on your connection.
(If your router regularly gives you trouble, you might want to increase this.)
Downloads.MaxFileSearches should be set between 1 and 4. (1 for low bandwidth users, 3 for high.)
To implement these changes, open SHAREAZA and navigate to Tools > Shareaza Settings...
In the Shareaza Settings Window > Click "Advanced", then navigate to each setting.
To change a setting, click the "Setting", enter the new "Value" in the "Value Field" and click "Apply".
When all the desired changes have been made, click "OK".
http://i133.photobucket.com/albums/q77/dvsdmn/Event%20ID/EventIDSHAREZA.png
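Added example, not part of the original post: the manual netstat and Task Manager check described above, done as a script that groups half-open (SYN_*) connections from `netstat -no` output by PID and reports which processes exceed the SP2 limit of 10. The sample output, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

SP2_LIMIT = 10  # half-open connection limit quoted in the post


def build_sample():
    """Constructed `netstat -no` output (not captured from a real host)."""
    rows = ["Active Connections", "",
            "  Proto  Local Address      Foreign Address     State        PID"]
    for i in range(12):  # 12 pending connects owned by PID 2396
        rows.append(f"  TCP    192.168.1.5:{1100 + i}   "
                    f"203.0.113.{i + 1}:{6881 + i}   SYN_SENT   2396")
    rows.append("  TCP    192.168.1.5:1050   198.51.100.9:80    ESTABLISHED  1180")
    rows.append("  TCP    192.168.1.5:1051   198.51.100.10:80   SYN_SENT     1180")
    return "\n".join(rows)


def half_open_by_pid(netstat_text):
    """Return {pid: {"count", "ips", "ports"}} for rows in a SYN_* state."""
    stats = defaultdict(lambda: {"count": 0, "ips": set(), "ports": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local, Foreign, State, PID
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        if not fields[3].startswith("SYN") or not fields[4].isdigit():
            continue
        ip, _, port = fields[2].rpartition(":")
        entry = stats[int(fields[4])]
        entry["count"] += 1
        entry["ips"].add(ip)
        entry["ports"].add(port)
    return dict(stats)


def over_limit(stats, limit=SP2_LIMIT):
    """PIDs with more half-open connections than the limit, sorted."""
    return sorted(pid for pid, s in stats.items() if s["count"] > limit)


if __name__ == "__main__":
    stats = half_open_by_pid(build_sample())
    for pid in over_limit(stats):
        s = stats[pid]
        # Many distinct remote IPs from a process you do not recognise
        # matches scenario 1 in the post; your P2P client matches scenario 2.
        print(f"PID {pid}: {s['count']} half-open, "
              f"{len(s['ips'])} remote IPs, {len(s['ports'])} remote ports")
```

On a live system, feed it the text of `netstat -no` saved to a file, then look up each reported PID in Task Manager as described in the post.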