Windows XP SP2 TCP/IP "Patch"

[Frank]

I have seen more and more users recommend installing this "Patch" to solve other users problems and it is getting very annoying. I would have to say 99% of the people who have installed this patch have no idea what it actually does and they are passing along false information to other users here on neowin potentially opening up major security flaws in something Microsoft changed to slow down the spread of viruses.

It is a misconception that installing this "Patch" will speed up any type of internet connection. This patch DID NOT change the amount of connections you can have open at once, only the amount of INCOMPLETE connections that can be attempted per second.

Unless you are receiving 4226 errors in your event log (to see what this looks like, go here) this "Patch" will do absolutely nothing for your connection. If you are seeing these errors you should find out what is causing them instead of patching the TCP/IP file and going on with your business.

Microsoft did this for a reason. It was not to hinder your user experience but to try and slow down the spread of viruses.

http://www.microsoft.com/technet/prodtechn...n/sp2netwk.mspx

Limited number of simultaneous incomplete outbound TCP connection attempts

Detailed description

The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system?s event log.[Why is this change important? What threats does it help mitigate?i>[/b]b>

This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.[What works differently?i>[/b]b>

This change may cause certain security tools, such as port scanners [Edit by Frank: NOT Bittorrent Clients], to run more slowly.

Edited January 7, 2005 by Frank

[Slimy]

it does work, eMule had speeds of no more than 20kb and when i patched i've been seeing 60-100kb

ares lite has been faster too

[Favvi]

i have 70 some, 4226 errors in my event viewer... :unsure:

[John Veteran]

I'm pinning this due to the massive ammounts of misinformation floating around about this so called "patch". Frank is certainly right about this, and anyone who has a decent understanding of the TCP/IP stack knows he's right. SP2 does not limit network connections for any applications without good reason. The only time it would limit such connections is when those attempted connections are targeted at invalid hosts.

Viruses/worms (including Blaster and others) attempted to create network connections to random IP addresses, without caring if there was a machine at the other end or not. This is why Microsoft's article says programs such as port scanners (which often flood the network with invalid packets) may work somewhat slower. Had this functionality been in effect when blaster was released, the spreading of the worm would be drastically slower than it was.

Note that the article says such packets are put in a queue. Any invalid packets are not simply discarded; they will be sent out onto the network, but only at a manageable rate. No packets will be dropped due to this new behavior in Windows.

Pinned

[vincent]

thx Fowen..uh i mean frank i thought i always smelled BS when i seen info about this "patch"

[Malisk]

Good idea.

Unless you are receiving 4226 errors in your event log (to see what this looks like, go here) this "Patch" will do absolutely nothing for your connection. If you are seeing these errors should find out what is causing them instead of patching the TCP/IP file and going on with your business.

Yes, if you constantly get these errors, chances are you actually have some software installed that try to do bad things. It only tries to limit extremely fast newly established connections, where the destination hasn't had time to answer yet. For legitimate software, under normal circumstances it shouldn't affect your connection speed noticeably.

It needs to be emphasised that the SP2 fix is for connection rate limits not connection limits, and no connections are dropped, even when this is triggered. They're simply put in a queue, which XP handles pretty darn quickly of getting emptied (by establishing the queued connections) anyway. This feature is just there so basically simultaneous connections won't happen.

What's the implications for, say, a BitTorrent user? Well, for one thing, it shouldn't be triggered as you're using it. Not even if you have, say, three prallell BT downloads going on. I know I had no trouble, and each of them was for popular files with a lot of sources. Sure, I did have these reports in the event log, but only as I started up the downloads, since then it tries to establish a lot of connections basically at once, and these are partial since the hosts haven't had chances to reply yet. So they're queued. I can imagine what you lose here is a few seconds. SP2 has not limited my BT upload or download transfer speeds, I can still get over 5 Megabits per second when I'm on a popular torrent. And this limit is still not triggered. So if your connection is struggling at lower rates, I can't imagine it being for this reason.

Edited January 7, 2005 by Jugalator

[John Veteran]

Yes, this is the key reason to install the "patch".

585247987[/snapback]

NO! Don't "patch" your system files, find out what's causing those events (Y) Such information is far more useful, because you can stop it from happening, possibly improving performance of the application, and alerting the author of such software to a bug in their code. Don't you see, allowing the connections to continue at full speed is only a cheap workaround that does nothing to solve the problem!

[Malisk]

Yeah, I modified the post already :)

I meant, it's the only reason to patch, but never said that this should only be a reason in very rare cases. (I'm not even sure what these reasons would be, in case it's not about a worm trying to spread)

[Bold_Fortune]

I had a hunch about this tweak being all wrong. I used it once because I do some downloading from Kazaa. It isn"t so much that tcip errors show up when "downloading" stuff, for me. They show up when I leave my Search function set to continually search out common keywords where a bazillion files show up.

I'll give you an example. If you download from Kazaa, don't download anything for awhile, just search for "DVD" with "video" selected. Then, come back a few hours later and check your Event Viewer for tcip errors.

I'm not saying to apply this tweak...I don't used it...I'm just telling you what happens to me, and telling you why and when it happens to me.

[Frank]

i have 70 some,  4226 errors in my event viewer... :unsure:

585245426[/snapback]

What anti virus are you running? Have you updated the dat files recently?

The first thing I would do even if you have a up to date virus scanning program is to go to http://housecall.antivirus.com and run a full scan on your PC.

[Tungsten T]

I have 20 of those errors

should i worry

the only p2p app i use is limewire but that doesent cause it because i ran it with the event manager open and no error was generated

[cork1958]

I have 20 of those errors

should i worry

the only p2p app i use is limewire but that doesent cause it because i ran it with the event manager open and no error was generated

585249624[/snapback]

Did you refresh the log?

This patch isn't even made by MS, should be your first clue that it's not what you "think" it was intended for. When it first came out, I looked it over. Wasn't hard to figure out I didn't want or need it. I have cured the errors I was getting, which wasn't many or very often.

[Weasel]

There are legit applications out there that need to initiate many TCP SYN connections which have an unknown probability of getting answered. So why are people arguing that no one should change this limitation? Obviously mom and pop aren't going to need this patch to check their email, and it will help limit the spread of viruses. However Microsoft could have avoided this problem by not creating a virus-prone operating system in the first place. If you run p2p applications then by all means a user should have the ability to change this setting. Unfortunately Microsoft decided to hardcode the limit of half-open connections so people have to rely on a shady third party executable (which I am sure has been decompiled and analyzed by now).

[Frank]

I have 20 of those errors

should i worry

the only p2p app i use is limewire but that doesent cause it because i ran it with the event manager open and no error was generated

585249624[/snapback]

Yes. If you don't know where you are coming from I would be worried. I would first run the free online virus scan at http://housecall.antivirus.com like I suggested to travis.cd.

[Frank]

There are legit applications out there that need to initiate many TCP SYN connections which have an unknown probability of getting answered.  So why are people arguing that no one should change this limitation?  Obviously mom and pop aren't going to need this patch to check their email, and it will help limit the spread of viruses.  However Microsoft could have avoided this problem by not creating a virus-prone operating system in the first place.  If you run p2p applications then by all means a user should have the ability to change this setting.  Unfortunately Microsoft decided to hardcode the limit of half-open connections so people have to rely on a shady third party executable (which I am sure has been decompiled and analyzed by now).

585249662[/snapback]

Would you please point out some of these third party applications? These applications have to send out 10 unanswered connections a second in order for this limitation to take affect.

I never said no one should patch there system, I am sure some people (a very small percentage of who has patched) needs this limit removed. I am not telling them to not patch, I am trying to get the point across that if you think it is going to speed up your KaZaa or Bittorrent connection your are wrong, and by spreading this information your are just reversing a security measure that Microsoft put into place to slow down the spread of Viruses.

My brother has run KaZaa, Ares, and Bittorrent and he is running a machine with Windows XP SP2 and he has never received a 4226 error. I run Bittorrents every once in a while and I have not received an 4226 error on that machine.

[vincent]

Ive never seen a slowdown without using this "patch" at all and i just have a regular 1.5mb cable connection.

but then again ive seen this patch discussion mostly related to file sharing apps,I'm just not a warez monkey i guess :/ .

[quanta]

I'm glad you guys created this thread. The "TCP/IP patch" almost tops the "LargeSystemCache" tweak for its uselessness and danger.

I think some P2P apps will trigger 4226s because the nodelist is always in flux (people log out, etc.), making it appear as if the P2P app is making many connections to invalid destinations. In any case, all SP2 does is throttle the invalid lookups.

[John Veteran]

It isn"t so much that tcip errors show up when "downloading" stuff, for me.  They show up when I leave my Search function set to continually search out common keywords where a bazillion files show up. 

I'll give you an example.  If you download from Kazaa, don't download anything for awhile, just search for "DVD" with "video" selected.  Then, come back a few hours later and check your Event Viewer for tcip errors.

585249192[/snapback]

It's probably because Kazaa just sends search requests to every server it's ever connected to, regardless of whether or not that server is available or even still in operation. If Kazaa sent the search request to one server or just the servers it knows exist and can respond in a timely fashion, this wouldn't be a problem. Bad program design on behalf of Sharman Networks, if you ask me...

There are legit applications out there that need to initiate many TCP SYN connections which have an unknown probability of getting answered.

585249662[/snapback]

Such as? :huh: Can you give me some examples of such applications? Keep in mind Microsoft isn't blocking these connections, and they all will be attempted eventually. But there's no reason an app has to attempt numerous connections like this.

[Favvi]

What anti virus are you running?  Have you updated the dat files recently?

The first thing I would do even if you have a up to date virus scanning program is to go to http://housecall.antivirus.com and run a full scan on your PC.

585249567[/snapback]

i have norton antivirus 2005

should be up to date...

im scanning using trend (Y)

[Nocstar]

ok so if you have installed this patch how do you uninstall?

[Daviesbad04]

it does work, eMule had speeds of no more than 20kb and when i patched i've been seeing 60-100kb

ares lite has been faster too

585245381[/snapback]

It doesnt work mate, It just opens more ports for more connections to come through at once. It works better for P2P applications, such as eMule. Doesnt make a big difference in IE or Firefox. Itll just allow you to connect to more users and download one file, from lets say, 40 people.......Rather than 10.

[Daviesbad04]

ok so if you have installed this patch how do you uninstall?

585254325[/snapback]

The version I have installed comes with an uninstaller. It backs up the original tcpip file and patches in a new one. If you wanna uninstall, it should be in the Add/Remove programs place. Itll be near the bottom........unless you have another version. Then I dont know.....Shouldve made a backup of the file before installing.

[John Veteran]

It doesnt work mate, It just opens more ports for more connections to come through at once. It works better for P2P applications, such as eMule. Doesnt make a big difference in IE or Firefox. Itll just allow you to connect to more users and download one file, from lets say, 40 people.......Rather than 10.

585255970[/snapback]

Wrong :no: You can connect to literally thousands of people, all at once. You're not understanding the point of this thread.

[Slimy]

I'm not really getting this.. if the patch doesn't work according to you guys, how come there are so many ppl stating that it does and I've even seen it work in front of my very own eyes, just for p2p tho? Sites with the patch say that it only improves p2p and I've seen it do exactly that.. how come it seems to work if it is supposedly just a fake?

[Mastertech]

The patch does work. Any web application that needs to query numerous IPs simultaneously will benefit, P2Ps have the most affect since they are affected the most by failed queries. Anyone that seriously uses P2P programs will notice search speed improvements after the patch. I've generally noticed improved web browsing speed as well. You can get the patch in my guide.