The Broadband Guide
SG
search advanced

Windows XP SP2 tcpip.sys connection limit patch

Additional XP SP2 tweaks - Remove the Windows XP SP2 TCP Connection limit (Event ID 4226)
2004-09-18 (updated: 2009-12-08) by
Tags: , , , ,

In addition to the tweaks already covered in Win 2k/XP Registry Tweaks and More Win 2k/XP Tweaks, the Windows XP Service Pack 2 introduces a few new issues covered in the article below. Please make sure you understand what you are doing before making any changes to your Operating System. Note the information below only applies to Windows XP Service Pack 2.

 

Remove the limit on TCP connection attempts

Windws XP SP2 introduces a few new twists to TCP/IP in order to babysit users and "reduce the threat" of worms spreading fast without control. In one such attempt, the devs seem to have limited the number of possible TCP connection attempts per second to 10 (from unlimited in SP1). This argumentative feature can possibly affect server and P2P programs that need to open many outbound connections at the same time.

Rant: The forward thinking of Microsoft developers here is that you can only infect 10 new systems per second via TCP/IP ?!?... If you also consider that each of those infected computers will infect 10 others at the same rate:
second 1:  1+10 computers
second 2: 10+10*10 computers (110 new ones)
second 3: 10+100*10 computers ( 1110 new ones)
second 4: 10+1000*10 computers (11110 new ones)
....
all the way to 10*60 + 10^60 computers in a single minute (that's a number with 60 digits, or it would far exceed Earth's population). Even if we consider that 90% of those computers are unreachable/protected, one would still reach ALL of them within a minute.

In other words, even though it is not going to stop worm spreading, it's going to delay it a few seconds, limit possible network congestion a bit, and limit the use of your PC to 10 connection attempts per second in the process ! I have no problem with the new default setting limiting outbound connection attempts. Still, users should have the option to easily disable or change this setting. I might be going out on a limb here, but ever since the introduction of Windows XP I can't help thinking that I dislike all the bult-in Windows "wisardry" in a sense that the system also limits user access. That irritating trend to ease the mental load on end users is somewhat insulting, considering that Windows is to make the more "intelligent" choice instead of the end user, as well as limit their access to tuning such settings...
End of rant.

With the new implementation, if a P2P or some other network program attempts to connect to 100 sites at once, it would only be able to connect to 10 per second, so it would take it 10 seconds to reach all 100. In addition, even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys. To make matters worse, that file is in use, so you also need to be in Safe mode in order to edit it.

You only need to worry about the number of connection attempts per second if you have noticed a slowdown in network programs requiring a number of connections opened at once. You can check if you're hitting this limit from the Event Viewer, under System - look for TCP/IP Warnings saying: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts". Keep in mind this is a cap only on incomplete outbound connect attempts per second, not total connections. Still, running servers and P2P programs can definitely be affected by this new limitation. Use the fix as you see fit.

To change or remove the limit, you can use the following program:

Event ID 4226 Patcher - A patching program for removing or changing the limit imposed on connection attempts in SP2. The patcher has the ability to restore tcpip.sys back to the original... Still, you might want to back up tcpip.sys, use it at your own risk. The author of this patch can be reached @ http://www.lvllord.de/

 

Edit tcpip.sys manually to remove the TCP/IP socket creation limit

Another option, for the more adventurous is to modify your tcpip.sys file manually, using a hex editor. The following instructions refer to the final release of XP SP2, with a tcpip.sys file of exactly 359,040 bytes, CRC-32 is 8042A9FB, and MD5 is 9F4B36614A0FC234525BA224957DE55C. Even thouh there might be multiple tcpip.sys files in your system, make sure to work with the one in c:\windows\system32\drives\ directory.

To remove the tcpip.sys socket creation limit:
- Backup your original tcpip.sys file before editing please, this is somewhat important !
- In your hex editor, go to  offset 4F322 hex (or 324386 decimal).
- Change 0a 00 00 00  to  00 00 0a 00

All done !  The above change does not require editing of the CRC in offset 130 hex (thanks for the clever solution Thomas Wolf Tompkins).

Notes:
If any of the data above does not match exactly (crc, file size, md5, or the data at offset 4F322) please double-check what you are doing, or abort completely.

The above information increases the RATE of opening outgoing connections. It has nothing to do with the limit of 10 connections to network shares on a Windows workstation PC for sharing files (a MS imposed limit to force you to upgrade to a server version of the OS). This 10 connections to network shares limit was introduced with NT4 workstation (SP3), and exists in Windows 2k workstation, and Windows XP home/pro/mc. It only applies to authenticated windows services, such as file and print sharing.

 

For a Vista version of the above tweak, see our Windows Vista tcpip.sys connection limit patck for Event ID 4226 article.

  User Reviews/Comments:
    rate:
   avg:
by boone_dave - 2005-12-11 14:23
!! Caution: The offset described in manually setting the value is not the same as the offset detected by the latest version of lvllord's "Event ID 4226 Patcher". I believe this is due to security patches released from Microsoft since the original version of SP2 was released.

BTW, thanks for the useful article. Normally, I like knowing what tools like these are doing under the covers, especially when they don't come from the manufacturer, themselves.
by Philip - 2005-12-14 11:04
Thanks for the constructive feedback and the good words. I've updated the link to the patcher.
by AkA_TaNk - 2006-01-02 15:57
When I run the patch it states that patching is complete,and system must be rebooted for patch to take effect. After the system reboots the connection is still set to 10 instead 50, is it possible that the system resets the tcpip.sys to the original settings, if so how do i prevent it???
by CoolPix10 - 2006-01-05 17:00
When i run the patch, it says that I386/Sys.ini cannot be changed? Any ideas..
by Karthik - 2006-02-01 22:54
Hi,
Whenever I run the patch my system hangs and shuts down. I have windows xp media center sp2.
Sny help will be most appreciated.
by Cooper - 2006-02-06 00:02
I attempted to download the (ENGLISH version) of the Event ID 4226 Patcher and NOD32 antivirus found it to be the (Win32/Tool.EvID4226) virus. I also tried downloading the (GERMAN version) and no virus was found. Anyone know why?

Could it have something to do with the fact my system is english operated which, would mean that NOD32 antivirus reads in english?

Also, for those using Norton Antivirus, try running NOD32 on your system, for it found viruses on mine that Norton couldn't/didn't.
by chrisperry - 2006-02-21 21:31
No, the patch is *NOT* a virus, check the author's website for more info.
by etoh25 - 2006-02-22 07:11
I noticed a gradual slowing of my connection in recent weeks, checked the event and saw the "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts" message. Downloaded the patch and everything is working like a champ again.
by triniwasp - 2006-02-26 00:33
Painless and Flawless. Immediately increased Utorrent DL/UP.
by Itch - 2006-03-02 22:45
This Patch Seems to set the setting to 50, but doesn't solve the problem. I have about 20 Computers on the network in a workgroup enviroment. I want all 20 computer to be able to access one computer for Files. Once ten computers are accessing files on this main computer the 11th one gets a error saying the limit of connections has been reached?? After putting the patch on and it not working for me, I thought I would run the patch again to unistall it. The things when I did that it asked if I was shur I wanted to change my limit from 50 back to 10. So I don't get why it didn't work for me when it is saying the Limit is 50??

Anyway any Help would be Great Thanks.
by anonymous - 2006-03-03 22:20
Because you are discussing two different things. Your problem is to do with the numbers of simulatneous network connections that a 2K or XP PC can make. This inlcudes any networked items you are connected to such as networked printers. The limit is to prevent 2K and XP being used as servers. Once one of the connections is finished with then you can connect to another as long as the total is ten or less.

This patch on the other hand is to do with the number of connection attempts allowed in any unit time, i.e. 10 per second. Once one of these attempts succeeds and the connection is opened both ways then the next attempt can start, i.e. the attempts are queued and freed from the queue at 10 a second.

So that in total you could have as many connections as you want, within the limit of your PCs capacity (RAM, CPU speed etc.) the only things is that you can only make 10 attempts a second. If you wanted to make a 100 connection attempts then it would take a total of 10 seconds to make the connections all things being equal. Thus unlike your problem which limits the number of network connections you can make on a LAN to 10, irresepctive of how long you wait, the TCP/IP concurrent limit only limits the speed at which you connect to 10 a second but will allow any number as long as the connections are made at 10 a second. When your system tries to make more than 10 a second then you will see the aforementioned entry in your System Event Viewer.
by jaccyj - 2006-03-17 01:19
This worked perfectly for me, both on my laptop and my desktop which has two different versions of SP2,
HELP FOR THOSE LESS FORTUNATE

Virus Warning!!
first make sure you download it from the author's site, with that said if you get a virus waring just "temperarily" disable you antivirus and run it again that should work.

I386/Sys.ini cannot be changed!!
try running the patch in Safe Mode

Original Setting returns after Reboot!!
Make sure you don't have a WinXP Setup CD in the drive after reboot
or an installing folder linked in the registry and do it in safe mode

For Itch!!

if all 20 computer is to access one computer for files
the main computer should be set to about 100 to 150 to do this just run the patch and press "c" for change limit type in the amount you need and press enter and just continue from there. you should restart when your done changing the settings.

any question just e-mail me if your e-mail is not filtered I'll try to reply
by jaccyj - 2006-03-17 20:31
I used my laptop wireless on a DSL connection and I kept losing my connection after using tcp optimzer, it work fine on a direct connection to Cable, so I lower the amout of half open port and then it kept the connection on DSL, so I guess it either work better with cable or it doesn't work as well with wireless connections on DSL.
by dj_eriksonyahoo.com - 2006-03-30 05:08
i still have problems. i have a computer with win xp sp2 proffesional on it and i need that a number of 20 clients acces my share in the same time.
but the problem is that only 10 users can acces share in the same time.
if you have any ideea pls write me on dj_erikson@yahoo.com
by josey - 2006-04-04 11:38
i have same problem as itch, and it cant be solve with 50 or 500 connections per sec, 20 users cant connect at one shared folder at same time.
what can i do ?
by Gefrin - 2006-04-05 07:11
I was told to install IIS and then use the Metaedit tool from Microsoft to up the connection limit from 10 up to 40. 40 is supposedly the hard wired maximum. Still no joy. It looks like it has worked but still only 10 connections. I will keep looking for the answer to this one.
by Revenant - 2006-04-06 08:18
The solution is simple: run a REAL server product, not a crippled MS desktop. They're protecting the bottom line of their server products, what did you expect?
by Arcuna - 2006-04-14 13:06
Well, my upload rate on uTorrent shot through the roof after setting the connection cap to 100, but it doesn't change the fact that there are very few people seeding what I want... :P
by martin555 - 2006-04-17 02:39
Workaround to install the patch:
stop the anti-virus
download
reboot
F8 - safe mode + command prompt
apply patch
HAPPY !

cheers: Martin, from Hungary.
by iced823 - 2006-04-26 04:04
went from 2350 to 4975 kb/s great, thanks
by ALongdale - 2006-04-27 19:35
Josey,

WinXP Pro has a limit of 10 connections per host and XP Home only has a 5 connection limit.

Purchase a Client-Server solution.


Regards,


Dr- Drew
by plowboyjrhotmail.com - 2006-05-12 14:26
Actually windows xp is limited to i believe either 5 or 10 concurrent connections at once to a SHARED folder.... if u want more users at once being able to connect to it u have to go with a server product.... and to be real honest use something else like NASlite or FreeNAS for fileshareing if u dont need security for it like a home network or something.... everything else is just a little more than the users need.
by Al Phi - 2006-06-17 15:35
Josey,

Or you could use Samba. Not sure if you can run it in Windows though, but it's trivial to set up a server box running Linux, FreeBSD, or Unix. There isn't a "hardwired" value of simultaneous connections, but it may be very difficult to get native Windows to accept more. I suggest either paying for a new Windows Server system or taking an old computer and setting up Samba.

Regards,
Al Phi [the Green Dragon],
http://alphithedragon.blogspot.com
by asdf - 2006-06-19 15:13
This patch doesn't work for me! I also tried another product called xp-AntiSpy to patch the connection limit. It said my computer was patched, but I still can't scan for proxies and my download speed is horrible! When I restart my computer, it hangs, and then shuts down. I think it's replacing my patched tcpip.sys with the hard wired copy. I had to reinstall my os becuase of a different problem, but before I can at least find tcpip.sys.original, But now I CAN'T! Microsoft must really want to sour our internet experience. I have even gone as far as to edit the registry, but it still didn't work! PLEASE HELP ME!
by MrAnon - 2006-06-25 17:53
For those having problems with the number of people connecting to one share/folder:

Check the number of connections allowed by the individual share by opening the sharing and security option on the context menu. Make sure that the "user limit" is set high enough for your anticipated usage.

BTW: IF you're going to have 20 systems connected to your shared folder in XP (or any other non-server MS OS) be aware that it's going to be S_L_O_W! You're trying to use the system for something it was never intended to be able to support.

Remember that the TCP/IP tweak just affects the # of half-open connections THAT MACHINE can have - it has no effect on on other machines.
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About