Problem probably related to Windows XP SP2

infini

Opening eventvwr and looking at the system tab I get some warnings with this message "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts, EventID 4226". Is there a way to solve this? Another strange thing is that sometimes when I type a URL I get the "page cannot be displayed" message. When I retype the URL everything is OK. Also my connection freezes when I try to open 3 or 4 web pages simultaneously (none of the pages is displayed. The blue progress bar of Internet Explorer stops after a few seconds or the page appears after about 1 minute).
 

infini

After checking the event viewer again I saw this error at the system tab "Source: Service Control Manager, Event: 7023, Description: The Computer Browser service terminated with the following error: This operation returned because the timeout period expired."
 

spyordie007

Before you do anything else do some serious scans to ensure your PC isn't infected with spyware/worms/viruses/etc.; even P2P traffic *shouldn't* be filling up the half-open connection queue
http://www.lvllord.de/?lang=en&url=tools
I do not recommend performing the actions described in this site. If you're hitting the half-open connection limit odds are something is wrong.
 

mikecel79

I agree with spyordie007. Chances are you are infected with some kind of virus and it's attempting to make 100s of connections a second to infect other machines. This change was made to TCP/IP in SP2 to help slow these types of things from happening.
 

spyordie007

Originally posted by: spherrod
I've known heavy p2p users hit the limit easily but they should check for other causes too
I've known heavy p2p users who think they are hitting the limit...

If you (or those p2p users) knew the way TCP connections were established they wouldn't be worrying about it.
 

spherrod

Originally posted by: spyordie007
Originally posted by: spherrod
I've known heavy p2p users hit the limit easily but they should check for other causes too
I've known heavy p2p users who think they are hitting the limit...

If you (or those p2p users) knew the way TCP connections were established they wouldn't be worrying about it.

I'm intrigued now :D I've seen a couple of systems full of the 4226 error in Event Manager after installing SP2. Done the obvious and scanned for spyware/viruses using a combination of Spybot, Microsoft Anti-Spyware and Kaspersky (in safe mode as well) but nothing found. Changing the limit in the registry removed the errors - were these people just using p2p excessively - i.e. queuing loads of things in p2p software?
 

spyordie007

were these people just using p2p excessively - i.e. queuing loads of things in p2p software?
Seeing this in the event log doesn't necessarily mean there is a problem.

Trying to not confuse things further I'll elaborate, but if you're not already familiar with how TCP connections work you'll probably have to do some reading.

Under XP SP2 there is a 10 half-open connection queue; this queue does not restrict the total connections you have but rather just the connections that are not fully established. Let's say you are running a P2P application and you have an average response time of 100ms to each host your machine connects to. Using this example you would be able to establish a connection with 100 remote hosts per second (not that it matters because even on a very fast pipe you would probably saturate your bandwidth with less than 100 connections). It's possible that when you first launch your application it requests more than 10 connections which would fill the 10 half-open connection queue and would give you an error in your event log; however that queue would flush quickly as the connections became established. About the only legitimate traffic the queue would slow down at this rate would be when the application initially attempts to establish a lot of connections at once; and the amount that it would be slowed down would be very minimal (a couple-hundred milliseconds at most).

So if you can still connect to a lot of hosts with this queue why is it a good thing?
The way most worms work is they attempt to connect to random addresses. Since the majority of the randomly generated addresses are going to be either empty or firewalled the worm would have to first wait for the connection to time out before it can attempt to connect to another address. This process doesn't stop the spread of worms; what it effectively does is slow the rate at which a machine can attempt to connect to non-existent hosts.
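
The queue arithmetic from the post above, worked through as an added example that is not part of the original thread. It models the 10-slot half-open queue with the post's 100 ms response time; the 21-second timeout for unanswered attempts, the 1-in-20 responsive ratio and all function names are assumptions made for illustration.

```python
import heapq

HALF_OPEN_SLOTS = 10   # XP SP2 half-open limit described in the thread
RTT = 0.100            # 100 ms handshake time, the thread's example
SYN_TIMEOUT = 21.0     # assumed: seconds an unanswered attempt stays half-open


def schedule(durations, slots=HALF_OPEN_SLOTS):
    """All attempts are requested at t=0; each starts once a slot is free.

    durations[i] is how long attempt i stays half-open (handshake time if
    the host answers, the timeout if it never does).
    Returns (start time of each attempt, time the last attempt leaves the queue).
    """
    busy = []      # min-heap of times at which occupied slots are released
    starts = []
    now = 0.0
    for d in durations:
        if len(busy) >= slots:
            # Queue full: wait for the earliest half-open attempt to finish.
            now = max(now, heapq.heappop(busy))
        starts.append(now)
        heapq.heappush(busy, now + d)
    end = max(busy) if busy else 0.0
    return starts, end


def attempts_per_second(durations, slots=HALF_OPEN_SLOTS):
    _, end = schedule(durations, slots)
    return len(durations) / end


# Constructed workloads.
p2p_steady = [RTT] * 1000    # every peer answers in 100 ms
p2p_burst = [RTT] * 30       # application opens 30 connections at launch
# Mostly dead addresses: only every 20th target answers (assumed ratio).
random_scan = [RTT if i % 20 == 0 else SYN_TIMEOUT for i in range(1000)]

if __name__ == "__main__":
    print("steady P2P  :", round(attempts_per_second(p2p_steady), 1), "attempts/s")
    print("launch burst:", round(max(schedule(p2p_burst)[0]), 3), "s worst-case added delay")
    print("random scan :", round(attempts_per_second(random_scan), 2), "attempts/s")
```

Under these assumptions the answered connections clear the queue at about 100 per second and a 30-connection launch burst is delayed by about 0.2 s, while the workload dominated by timeouts drops to roughly one attempt every two seconds.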