MS06-007 update has new TCPIP.SYS


Primus

Yes, you have to re-run the EvID patch 2.23d.

Update of TCPIP.SYS

Microsoft released a new TCPIP.SYS with build 5.1.2600.2827 on yesterday's patch day. The current Patcher 2.23d is still capable of changing the half-open TCP limit. But you need to reapply the patcher to set a higher limit for the new version.

LvlLord


No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.

Open up your System Event Log and look for events with a source of "Tcpip" and an ID of "4226". If you don't see any, then you've never hit the limit and this patch will do nothing for you.


I first learned about the limit using Shareaza a few years ago after installing SP2. I had High ID until SP2. After SP2, Low ID. After patched tcpip, High ID again. But what's wild is I used to get rid of the 4226 event sometimes by completely disabling Windows Firewall/ICS.


No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.

Open up your System Event Log and look for events with a source of "Tcpip" and an ID of "4226". If you don't see any, then you've never hit the limit and this patch will do nothing for you.

I use Opera with 12+ tabs opened. When I start it up, it connects to each website to check if there's a new version. There's a maximum of 4 connections to each, so that is easily 40 connections within a few seconds. I know it is just meant to delay, but for some reason if it goes above the limit I get the "cannot connect to server" thing.

The reason for me!


Maybe this should go into the Chat section, since it doesn't directly pertain to µT...

But thanks for the heads-up. There should be a registry setting that tells updates NOT to repatch it - I really don't understand what MS has against this patching? I know why they cap the limit in the first place, but they shouldn't make it so hard for "power users" to uncap it...


Answering a couple of things people have brought up...

Actually Microsoft is aware of those patches and resets the limit after almost every update. So you should check that after every update.

The limit only gets reset to 10 when a new TCPIP.SYS comes out for whatever reason. Mind you, it seems that there's a security update specifically fixing TCP/IP stuff every other month. :)

No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.

The patch doesn't make it so you can have more than 10 TCP connections per second. It makes it so you can have more than 10 half-open TCP connections at any given time.

WARNING! TECHNICAL DESCRIPTION FOLLOWS!!!

A normal TCP connection starts with the client sending a SYN message to the server. The server responds back with a SYN-ACK. Finally, the client responds with an ACK and the TCP connection is fully initiated. In a half-open connection, we get as far as the SYN-ACK and are waiting for the final ACK. It is quite common in torrents, due to the large number of connections opening and closing, for connections to end up half-open for some reason or other. Firewalls, NAT, high-latency connections, people connecting from international distances, there are a number of reasons.

The 10 half-open TCP limit was imposed by MS in XP SP2 as a method of cutting down on worm/virus propagation. Frankly, it was a boneheaded maneuver and all the virus writers did was to switch methods to get around the problem. Without using the EvID patch, I'd regularly see 4226 errors on well-populated torrents. Using the patch to up my half-open connection limit to 100 has had no detrimental effect.

But thanks for the heads-up. There should be a registry setting that tells updates NOT to repatch it - I really don't understand what MS has against this patching? I know why they cap the limit in the first place, but they shouldn't make it so hard for "power users" to uncap it...

Prior to XP SP2 there actually was a registry key you fiddled with to change the setting. HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxHalfOpen was the key. You can still set that key, but now that the limit is hard-coded into TCPIP.SYS it doesn't do anything. MS's stand on the change has been pretty much "Deal with it", so we're essentially stuck with occasionally having to re-patch.

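The checks described in the posts above (the Tcpip/4226 lookup in the System Event Log, the installed TCPIP.SYS build, and the number of half-open connections), as an added example that is not part of the original thread. It assumes Windows PowerShell with Get-EventLog, the default driver path under %SystemRoot%, and English-language netstat output; the variable names are illustrative.

```powershell
# Added example (not from the thread): check whether this machine is hitting
# the half-open connection limit. Assumes Windows PowerShell (Get-EventLog),
# the default driver path, and English-language netstat output.

# 1. Installed TCPIP.SYS build. If the version changed after an update, the
#    driver was replaced and the limit is back at its default.
$driver = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys')
'tcpip.sys version: {0}' -f $driver.VersionInfo.FileVersion

# 2. Event ID 4226 from source Tcpip in the System log.
#    Get-EventLog raises an error when nothing matches, hence SilentlyContinue.
$hits = @(Get-EventLog -LogName System -Source Tcpip -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 4226 })

if ($hits.Count -eq 0) {
    'No 4226 events found in the System log.'
} else {
    $latest = $hits | Sort-Object TimeGenerated | Select-Object -Last 1
    'Total 4226 events: {0}' -f $hits.Count
    'Most recent      : {0}' -f $latest.TimeGenerated

    # Per-month counts show how often the limit is actually reached.
    $hits | Group-Object { $_.TimeGenerated.ToString('yyyy-MM') } |
        Sort-Object Name |
        Select-Object Name, Count |
        Format-Table -AutoSize
}

# 3. Snapshot of outbound connection attempts that have sent a SYN and are
#    still waiting for the handshake to complete.
$pending = @(netstat -an -p tcp | Select-String 'SYN_SENT')
'Connection attempts in SYN_SENT right now: {0}' -f $pending.Count
```

On a host that runs no peer-to-peer client, a sudden run of 4226 warnings is worth tracing to the process making the connection attempts, since the limit was introduced to slow worm propagation.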

The 10 half-open TCP limit was imposed by MS in XP SP2 as a method of cutting down on worm/virus propagation. Frankly, it was a boneheaded maneuver and all the virus writers did was to switch methods to get around the problem.

I've heard the 10 half-open TCP limit applies on a per-application and/or per-thread basis. That gives virus writers even more means to bypass it than if it was a system-wide limit.

I've seen numerous times where IPs were tried and got stuck in a half-open state and the connection attempt never finishes and closes. As those pile up, they'd hit the 10 half-open TCP limit. And when that happens, µTorrent and likely a lot of other programs act like they're hung.


No matter how hard I try, I can't possibly fathom any reason for needing more than 10 TCP connections per second. It's an entirely reasonable sanity check.

Open up your System Event Log and look for events with a source of "Tcpip" and an ID of "4226". If you don't see any, then you've never hit the limit and this patch will do nothing for you.

I configured mine to 50, and all were in use 2 days ago.

Now I patched it to 100 :)


Wow, big thanks for this, I feel like such a noob. Just checked my Event Log (didn't know it existed before), what do I see? A ton of 4226 warnings. I'm just off to re-patch...

Same here, I thought my ISP was f'ing with p2p again, phew. I had checked my event log, but the trackers were timing out.


I've got a fair few 4226s in my console, maybe about 30. Question: How long does that list last for? The earliest one I can see is from 8th December, so it looks like I'm only getting about 10 problems a month. I really can't be arsed to continually repatch TCPIP.sys if this is the case (especially since I rarely have "unacceptably" low download speeds).

For those that use the patch, how many 4226s do you get over a day/week/month? How much of an improvement have you noticed?

And also, something I'm not 100% sure on: what exactly happens when the limit is reached? I'd presume that for a half-open connection to last for long enough to stack up to 10 connections, you'd have to be contacting bad peers or people who are no longer online. How long until connections time out in µT (or is this a TCP/IP thing in Windows)?


I've got a fair few 4226s in my console, maybe about 30. Question: How long does that list last for? The earliest one I can see is from 8th December, so it looks like I'm only getting about 10 problems a month. I really can't be arsed to continually repatch TCPIP.sys if this is the case (especially since I rarely have "unacceptably" low download speeds).

The Event Log can go on pretty much until it fills up your HD. I've seen computers with years of data in there. Can make it hard to do troubleshooting. :)

For those that use the patch, how many 4226s do you get over a day/week/month? How much of an improvement have you noticed?

I've always seemed to get more 4226s on torrents that were heavily populated and very diverse. Especially really popular ones from large trackers like Pirate Bay. Smaller torrents with not so much diversity? Not a lot of 4226s. It was annoying enough that I started patching out of habit, just so I wouldn't have to see 20 red alerts in a row when I opened up the Event Log to check on something else.

And also, something I'm not 100% sure on: what exactly happens when the limit is reached?

It varies from program to program. At the time I was using Shad0w's (and then BitTornado when it changed into that) client, and it would get very stuttery on me. I'd get good traffic for a period, then nothing, then good, then nothing. I switched to Azureus for other reasons (namely BitTornado's constant crashing), but by that time I was patching TCPIP.SYS so I didn't see any problems anymore.

I've seen a lot of varied complaints from people, anywhere from just poor performance to serious crashing/BSODs. It all depends on how well the program can handle resource starvation of that nature.

I'd presume that for a half-open connection to last for long enough to stack up to 10 connections, you'd have to be contacting bad peers or people who are no longer online. How long until connections time out in µT (or is this a TCP/IP thing in Windows)?

I know µT has its own timer on connections (not sure what it is, but I bet Firon does), but connection timeouts are handled on at least the system level. If you've got a router between you and the Internet, that has a bearing on things too. And this leads into the whole WRT54G thing with connections being left open for days, starving the router and causing it to crash/degrade performance. Typically timeouts are anywhere from 30 seconds to 10 minutes, with a middle ground of 5 minutes or so.


^^Read Primus' 2nd quote from above or Dark Shroud's post (3rd from top). It may be one of those 2 things.

EDIT: Damn. I see I got some 4226 events too (from Jan thru Feb only, though). The 4226s started on the same day as my last Windows Update. I knew about 4226 since the early days of SP2 and didn't realize they keep setting it back on damn near all updates.

Big thanks for that info Shroud.


Archived

This topic is now archived and is closed to further replies.
