Windows Vista tcpip.sys connection limit patch for Event ID 4226



Microsoft enforces a limit on half-open TCP/IP connections that is hard-coded in tcpip.sys. The cap on simultaneous half-open (incomplete) outbound TCP connection attempts per second is intended to limit the spread of malicious viruses and worms, as well as the possibility of launching a DDoS attack. However, it has also proven to limit some applications that use many TCP connections, such as P2P and P2PTV programs.
When the OS reaches the half-open connection limit, Event Viewer displays the following entry:
EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
The limit in Windows XP (SP2) is 10 incomplete concurrent connection attempts per second. In Windows Vista, the default limit differs, depending on the edition - ranging from 2 half-open connections in Vista Home Basic, to 25 in Vista Ultimate.
Under normal use, this limit is rarely reached (especially in Vista Ultimate). However, it often hinders P2P and P2PTV applications that depend on a large number of TCP connections.
Due to the enhanced security in Vista, it is a bit more complicated to increase the TCP concurrent half-open connections limit. It requires downloading a patched tcpip.sys, changing a registry parameter and disabling driver signing in x64 editions (potentially after every reboot). Note that subsequent Windows updates and Service Packs may override tcpip.sys with a newer version as well.
The required steps are outlined below:
1. Note your current tcpip.sys version. To check your tcpip.sys version, navigate to C:\Windows\system32\drivers\ , right-click on tcpip.sys and choose "Properties" - the version information will be listed in the "Details" pane.
2. Download a patched tcpip.sys file for your particular tcpip.sys and Vista version.  You can download patched versions of tcpip.sys from -here-. Note that 32-bit and 64-bit versions of Vista use different tcpip.sys files. Files are listed as tcpipXX-YYYYYY.sys, where XX is the Vista variant (32 or 64-bit), and YYYYYY is the tcpip.sys version.
3. Open command prompt, and execute the following commands exactly (administrator account, and elevated command prompt recommended):
takeown /f %Systemroot%\system32\drivers\tcpip.sys
icacls %Systemroot%\system32\drivers\tcpip.sys /grant "%username%":f
4. Disable driver signing integrity checks for 64-bit Windows Vista versions only. You can do this using the ReadyDriver Plus v 1.1 software, or pressing F8 at boot time. More information on disabling driver signing integrity checks in Vista is available -here-.
5. Backup tcpip.sys by copying it to another location/file. You can do it in Windows Explorer, or running the following in command prompt:
copy %Systemroot%\system32\drivers\tcpip.sys %Systemroot%\system32\drivers\tcpip.original
6. Replace the original tcpip.sys in C:\Windows\system32\drivers\ with the patched tcpip.sys for your correct version of Windows, downloadable from our website -here-. You have to be logged in as administrator. If the replacement fails, you may want to try restarting in safe mode (F8 on system startup).
7. Set the desired new limit for TCP half-open connections in the Windows Registry. Open the registry editor by clicking the Windows button > Run > type: regedit . You need to add a new DWORD value under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections=500
(DWORD value, not present by default. Recommended value is between 100 and 500).
Alternatively, you can download the sg_vista_tcpip_limit_patch to apply the registry change above automatically.
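To audit a machine for the traces this procedure leaves behind (changed file owner, a tcpip.sys that differs from its backup, the added registry value, logged 4226 events), the following PowerShell can be used. It is an added example, not part of the original article; the function name Get-TcpipPatchState is hypothetical, and it assumes the backup name from step 5 and PowerShell 2.0 or later.

```powershell
# Added audit example, not from the original article. Function name is
# hypothetical. Run elevated from a native (64-bit on x64) PowerShell 2.0+.
function Get-TcpipPatchState {
    $drivers = Join-Path $env:SystemRoot 'System32\drivers'
    $driver  = Join-Path $drivers 'tcpip.sys'
    $backup  = Join-Path $drivers 'tcpip.original'   # backup name used in step 5
    $regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    # SHA-256 through .NET, so it also works where Get-FileHash does not exist.
    $hashOf = {
        param($path)
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $bytes = [System.IO.File]::ReadAllBytes($path)
        [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    }

    # Step 3 (takeown) moves ownership away from TrustedInstaller.
    $owner = (Get-Acl $driver).Owner

    # Step 5 leaves a backup; a hash mismatch means tcpip.sys was swapped later.
    $replaced = $null
    if (Test-Path $backup) {
        $replaced = (& $hashOf $driver) -ne (& $hashOf $backup)
    }

    # Step 7 adds TcpNumConnections, which is not present by default.
    $reg = Get-ItemProperty -Path $regKey -Name 'TcpNumConnections' -ErrorAction SilentlyContinue
    $limit = $null
    if ($reg) { $limit = $reg.TcpNumConnections }

    # Event ID 4226 entries in the System log show the stock limit was reached.
    $hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4226 } `
                  -MaxEvents 100 -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        FileVersion       = (Get-Item $driver).VersionInfo.FileVersion
        Sha256            = (& $hashOf $driver)
        Owner             = $owner
        OwnerIsDefault    = ($owner -like '*TrustedInstaller')
        BackupPresent     = (Test-Path $backup)
        DiffersFromBackup = $replaced
        TcpNumConnections = $limit
        Recent4226Events  = $hits.Count
    }
}

Get-TcpipPatchState | Format-List
```

DiffersFromBackup stays empty when no tcpip.original exists, so an unchanged owner plus a missing backup is not proof that the driver is the stock one.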
  
Update in Vista Service Pack 2
According to Microsoft, Vista SP2 completely removes the limit of 2-25 half-open TCP connections that existed in previous versions for application compatibility reasons.
We're not aware of any documentation introducing new registry keys to change the TCP half-open connection limit. If this works as intended, there should be no need to patch tcpip.sys, and users should no longer see Event ID 4226.
Reference: MS Technet http://social.technet.microsoft.com/Forums/en-US/itprovistasp/thread/2afc725f-44fd-4ae1-9eb8-f0c3a0f552bc/

See Also
Windows Vista / 2008 Tweaks - for P2P applications, you may want to set TCP Auto-tuning to highlyrestricted, since the normal setting can consume too many system resources per connection.

References
http://www.yaronmaor.net/repair.htm
www.citadel.co.nr/readydriverplus

If you experience problems with any of the above, please note any errors, and the exact versions of Vista and tcpip.sys. You may also try the following in an elevated command prompt (limits TCP Receive Window to 65535 per connection):  netsh int tcp set global autotuninglevel=disabled