Primus Posted February 15, 2006 Report Share Posted February 15, 2006 Just a warning, one of the Windows patches released today (MS06-007, fixing a DoS vulnerability) has a new TCPIP.SYS file included. Means you'll have to re-run the EvID patch to up the amount of half-open connections.The new version of the TCPIP.SYS file is 5.1.2600.2827. Link to comment Share on other sites More sharing options...
jroc Posted February 15, 2006 Report Share Posted February 15, 2006 whats this, like the 2nd-3rd time they updated the TCPIP.SYS? Thanks for the heads up on the update, Primus. Link to comment Share on other sites More sharing options...
Dark Shroud Posted February 15, 2006 Report Share Posted February 15, 2006 Actually Microsoft is aware of those patches and resets the limit after almost every update. So you should check that after every update.Edited for spelling. Link to comment Share on other sites More sharing options...
maioro Posted February 15, 2006 Report Share Posted February 15, 2006 yes you have to re-run the EvID patch 2.23dUpdate of TCPIP.SYSMicrosoft released a new TCPIP.SYS with build 5.1.2600.2827 on the yesterday's patch-day. The current Patcher 2.23d is still capable of changing the half-open tcp limit. But you need to reapply the patcher to set a higher limit to the new version.LvlLord Link to comment Share on other sites More sharing options...
Stone Posted February 15, 2006 Report Share Posted February 15, 2006 TY Primus, windows has downloaded that patch in the morning and i would have never thought that it can "repair" TCPIP.SYS Link to comment Share on other sites More sharing options...
winMX_67 Posted February 16, 2006 Report Share Posted February 16, 2006 I wish there was a feature to auto-repatch. Link to comment Share on other sites More sharing options...
anoxan Posted February 16, 2006 Report Share Posted February 16, 2006 lol, it reset my tcpip.sys when I installed beta 2 of ie..ty for the heads-up though Link to comment Share on other sites More sharing options...
da chicken Posted February 16, 2006 Report Share Posted February 16, 2006 No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.Open up your System Event Log and look for events with a source of "Tcpip" and an ID of "4226". If you don't see any, then you've never hit the limit and this patch will do nothing for you. Link to comment Share on other sites More sharing options...
Ultima Posted February 16, 2006 Report Share Posted February 16, 2006 Yeah well enough people have had their problems solved by upping the limit to verify that 10 is too low. Unless you want to lower the number of simultaneous connections for µTorrent... Link to comment Share on other sites More sharing options...
jroc Posted February 16, 2006 Report Share Posted February 16, 2006 I first learned about the limit using Shareaza a few years ago after installing SP2. I had High ID until SP2. After SP2, Low ID. After patched tcpip, High ID again. But whats wild is I used to get rid of the 4226 event sometimes by completely disabling Windows Firewall/ICS. Link to comment Share on other sites More sharing options...
Lys Posted February 16, 2006 Report Share Posted February 16, 2006 No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.Open up your System Event Log and look for events with a source of "Tcpip" and an ID of "4226". If you don't see any, then you've never hit the limit and this patch will do nothing for you.I use Opera with 12+ tabs opened. When I start it up, it connects to each website to check if there's a new version. There's a maximum of 4 connections to each, so that is easily 40 connections within a few seconds. I know it is just meant to delay, but for some reason if it goes above the limit I get the "cannot connect to server" thing.The reason for me! Link to comment Share on other sites More sharing options...
splintax Posted February 16, 2006 Report Share Posted February 16, 2006 Maybe this should gointo the Chat section, since it doesn't directly pertain to µT...But thanks for the heads-up. There should be a registry setting that tells updates NOT to repatch it - I really don't understand what MS has against this patching? I know why they cap the limit in the first place, but they shouldn't make it so hard for "power users" to uncap it... Link to comment Share on other sites More sharing options...
Primus Posted February 16, 2006 Author Report Share Posted February 16, 2006 Answering a couple of things people have brought up...Actually Microsoft is aware of those patches and resets the limit after almost every update. So you should check that after every update.The limit only gets reset to 10 when a new TCPIP.SYS comes out for whatever reason. Mind you, it seems that there's a security update specifically fixing TCP/IP stuff every other month. No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.The patch doesn't make it so you can have more than 10 TCP connections per second. It makes it so you can have more than 10 half-open TCP connections at any given time. WARNING! TECHNICAL DESCRIPTION FOLLOWS!!!A normal TCP connection starts with the client sending a SYN message to the server. The server responds back with a SYN-ACK. Finally, the client responds with an ACK and the TCP connection is fully initiated. In a half-open connection, we get as far as the SYN-ACK and are waiting for the final ACK. It is quite common in torrents, due to the large number of connections opening and closing, for connections to end up half-open for some reason or other. Firewalls, NAT, high-latency connections, people connecting from international distances, there are a number of reasons.The 10 half-open TCP limit was imposed by MS in XP SP2 as a method of cutting down on worm/virus propagation. Frankly, it was a boneheaded maneuver and all the virus writers did was to switch methods to get around the problem. Without using the EvID patch, I'd regularly see 4226 errors on well-populated torrents. Using the patch to up my half-open connection limit to 100 has had no detrimental effect.But thanks for the heads-up. There should be a registry setting that tells updates NOT to repatch it - I really don't understand what MS has against this patching? I know why they cap the limit in the first place, but they shouldn't make it so hard for "power users" to uncap it...Prior to XP SP2 there actually was a registry key you fiddled with to change the setting. HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxHalfOpen was the key. You can still set that key, but now that the limit is hard-coded into TCPIP.SYS it doesn't do anything. MS's stand on the change has been pretty much "Deal with it", so we're essentially stuck with occasionally having to re-patch/ Link to comment Share on other sites More sharing options...
Switeck Posted February 16, 2006 Report Share Posted February 16, 2006 The 10 half-open TCP limit was imposed by MS in XP SP2 as a method of cutting down on worm/virus propagation. Frankly, it was a boneheaded maneuver and all the virus writers did was to switch methods to get around the problem.I've heard the 10 half-open TCP limit applies on a per-application and/or per-thread basis. That gives virus writers even more means to bypass it than if it was a system-wide limit.I've seen numerous times where ip were tried and get stuck in a half-open state and the connection attempt never finishes and closes. As those pile up, they'd hit the 10 half-open TCP limit. And when that happens, µTorrent and likely alot of other programs act like they're hanged. Link to comment Share on other sites More sharing options...
Yinchie Posted February 16, 2006 Report Share Posted February 16, 2006 No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.Open up your System Event Log and look for events with a source of "Tcpip" and an ID of "4226". If you don't see any, then you've never hit the limit and this patch will do nothing for you.I configured mine to 50, and all were in use 2 days ago.Now I patched it to 100 Link to comment Share on other sites More sharing options...
Demon-boy Posted February 16, 2006 Report Share Posted February 16, 2006 Wow, big thanks for this, I feel like such a noob. Just checked my Event Log (didn't know it existed before), what do I see? A ton of 4226 warnings. I'm just off to re-patch... Link to comment Share on other sites More sharing options...
evolution3 Posted February 17, 2006 Report Share Posted February 17, 2006 Wow, big thanks for this, I feel like such a noob. Just checked my Event Log (didn't know it existed before), what do I see? A ton of 4226 warnings. I'm just off to re-patch...same here, i thought my isp was f'ing with p2p again, phew. I had checked my event log, but the trackers were timing out. Link to comment Share on other sites More sharing options...
golfgl Posted February 17, 2006 Report Share Posted February 17, 2006 Where is this event log, Ive been looking for it and cant find it.TIA,Claudio Link to comment Share on other sites More sharing options...
Firon Posted February 17, 2006 Report Share Posted February 17, 2006 start -> run -> eventvwr.msc Link to comment Share on other sites More sharing options...
splintax Posted February 18, 2006 Report Share Posted February 18, 2006 I've got a fair few 4226s in my console, maybe about 30. Question: How long does that list last for? The earliest one I can see is from 8th December, so it looks like I'm only getting about 10 problems a month. I really can't be arsed to continually repatch TCPIP.sys if this is the case (especially since I rarely have "unacceptably" low download speeds).For those that use the patch, how many 4226s do you get over a day/week/month? How much of an improvement have you noticed?And also, something I'm not 100% sure on: what exactly happens when the limit is reached? I'd presume that for a half-open connection to last for long enough to stack up to 10 connections, you'd have to be contacting bad peers or people who are no longer online. How long until connections time out in µT (or is this a TCP/IP thing in Windows)? Link to comment Share on other sites More sharing options...
Primus Posted February 18, 2006 Author Report Share Posted February 18, 2006 I've got a fair few 4226s in my console, maybe about 30. Question: How long does that list last for? The earliest one I can see is from 8th December, so it looks like I'm only getting about 10 problems a month. I really can't be arsed to continually repatch TCPIP.sys if this is the case (especially since I rarely have "unacceptably" low download speeds).The Event Log can go on pretty much until it fills up your HD. I've seen computers with years of data in there. Can make it hard to do troubleshooting. For those that use the patch, how many 4226s do you get over a day/week/month? How much of an improvement have you noticed?I've always seemed to get more 4226s on torrents that were heavily populated and very diverse. Especially really popular ones from large trackers like Pirate Bay. Smaller torrents with not so much diversity? Not a lot of 4226s. It was annoying enough that I started patching out of habit, just so I wouldn't have to see 20 red alerts in a row when I opened up the Event Log to check on something else.And also, something I'm not 100% sure on: what exactly happens when the limit is reached?It varies from program to program. At the time I was using Shad0w's (and then BitTornado when it changed into that) client, and it would get very stuttery on me. I'd get good traffic for a period, then nothing, then good, then nothing. I switched to Azureus for other reasons (namely BitTornado's constant crashing), but by that time I was patching TCPIP.SYS so I didn't see any problems anymore.I've seen a lot of varied complaints from people, anywhere from just poor performance to serious crashing/BSODs. It all depends on how well the program can handle resource starvation of that nature.I'd presume that for a half-open connection to last for long enough to stack up to 10 connections, you'd have to be contacting bad peers or people who are no longer online. How long until connections time out in µT (or is this a TCP/IP thing in Windows)?I know µT has its own timer on connections (not sure what it is, but I bet Firon does), but connection timeouts are handled on at least the system level. If you've got a router between you and the Internet, that has a bearing on things too. And this leads into the whole WRT54G thing with connections being left open for days, starving the router and causing it to crash/degrade performance. Typically timeouts are anywhere from 30 seconds to 10 minutes, with a middle ground of 5 minutes or so. Link to comment Share on other sites More sharing options...
Stone Posted February 18, 2006 Report Share Posted February 18, 2006 I found an interesting thing in my log, I have my TCPIP.SYS patched to 100, but still i get some 4226 errors Link to comment Share on other sites More sharing options...
jroc Posted February 18, 2006 Report Share Posted February 18, 2006 ^^Read Primus 2nd quote from above or Dark Shrouds post (3rd from top) It may be one of those 2 things.EDIT: Damn. I see I got some 4226 events too (from Jan thru Feb only tho.) The 4226's started on the same day as my last Windows Update. I knew about 4226 since the early days of SP2 and didnt realize they keep setting it back on damn near all updates. Big thanks for that info Shroud. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.