
Windows Vista tcpip.sys connection limit patch for Event ID 4226

2008-07-08 (updated: 2015-04-27) by

Microsoft enforces a limit on half-open TCP/IP connections that is hard-coded in tcpip.sys. This cap on the number of simultaneous half-open (incomplete) outbound TCP connection attempts per second is intended to slow the spread of viruses and worms and to limit a compromised machine's usefulness for launching a DDoS attack. However, it has proven to also throttle legitimate applications that open many TCP connections, such as P2P and P2PTV programs.

When the OS reaches the half-open connection limit, Event Viewer displays the following entry:

EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

The limit in Windows XP (SP2) is 10 incomplete concurrent connection attempts per second. In Windows Vista, the default limit differs depending on the edition, ranging from 2 half-open connections in Vista Home Basic to 25 in Vista Ultimate.

Under normal use this limit is rarely reached (especially in Vista Ultimate); however, it often hinders P2P and P2PTV applications that depend on a large number of TCP connections.

Due to the enhanced security in Vista, it is a bit more complicated to increase the TCP concurrent half-open connection limit. It requires downloading a patched tcpip.sys, changing a registry parameter and, on x64 editions, disabling driver signing enforcement (potentially after every reboot). Note that subsequent Windows updates and Service Packs may replace tcpip.sys with a newer version, undoing the patch.

The required steps are outlined below:

1. Note your current tcpip.sys version. To check your tcpip.sys version, navigate to C:\Windows\system32\drivers\ , right-click on tcpip.sys and choose "Properties" - the version information will be listed in the "Details" pane.

2. Download a patched tcpip.sys file for your particular tcpip.sys and Vista version.  You can download patched versions of tcpip.sys from -here-. Note that 32-bit and 64-bit versions of Vista use different tcpip.sys files. Files are listed as tcpipXX-YYYYYY.sys, where XX is the Vista variant (32 or 64-bit), and YYYYYY is the tcpip.sys version.

3. Open a command prompt and execute the following commands exactly (an administrator account and an elevated command prompt are recommended):

takeown /f %Systemroot%\system32\drivers\tcpip.sys
icacls %Systemroot%\system32\drivers\tcpip.sys /grant "%username%":f

4. Disable driver signing integrity checks (64-bit Windows Vista versions only). You can do this using the ReadyDriver Plus v1.1 software, or by pressing F8 at boot time. More information on disabling driver signing integrity checks in Vista is available -here-.


5. Back up tcpip.sys by copying it to another location/file. You can do this in Windows Explorer, or by running the following in a command prompt:

copy %Systemroot%\system32\drivers\tcpip.sys %Systemroot%\system32\drivers\tcpip.original

6. Replace the original tcpip.sys in C:\Windows\system32\drivers\ with the patched tcpip.sys for your exact version of Windows, downloadable from our website -here-. You must be logged in as an administrator; if the copy fails, try restarting in safe mode (F8 on system startup).

7. Set the desired new limit for TCP half-open connections in the Windows Registry. Open the registry editor by clicking the Windows button > Run > type: regedit. You will need to add a new DWORD value under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections=500
(DWORD value, not present by default. Recommended value is between 100 and 500).

Alternatively, you can download the sg_vista_tcpip_limit_patch to apply the registry change above automatically.
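As an added example that is not part of the original article or its downloadable patch, the following PowerShell script performs the non-destructive parts of the procedure above from an elevated prompt: it records the tcpip.sys version and a SHA-256 hash (step 1), counts recent Event ID 4226 entries so you can confirm the limit is actually being hit before replacing a kernel driver, takes the step 5 backup and creates the step 7 DWORD. The driver replacement itself (steps 3, 4 and 6) is left to the manual steps; the event source name "Tcpip", the 7-day window and the PowerShell 2.0 target are assumptions.

```powershell
# Added example (not part of the original SpeedGuide article or its patch): pre-patch checks,
# backup and the registry change from the procedure above. Run from an elevated PowerShell
# prompt; written for PowerShell 2.0, the newest version Vista supports (no Get-FileHash).
$driver = Join-Path $env:SystemRoot 'system32\drivers\tcpip.sys'
$backup = Join-Path $env:SystemRoot 'system32\drivers\tcpip.original'
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DriverFingerprint {
    param([string]$Path)
    # The version string picks the matching patched build (step 1); the SHA-256 lets you
    # notice later when a Windows update silently replaces the file again.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $sha   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    New-Object PSObject -Property @{
        Version = (Get-Item $Path).VersionInfo.FileVersion
        SHA256  = ([System.BitConverter]::ToString($sha)) -replace '-', ''
    }
}

function Get-HalfOpenLimitHits {
    param([int]$Days = 7)
    # Event ID 4226 from the Tcpip source in the System log (source name assumed). Zero hits
    # means the limit is not being reached and there is no reason to touch the driver.
    $filter = @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4226
                 StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    @($events).Count
}

$fp = Get-DriverFingerprint -Path $driver
"tcpip.sys version {0}, SHA256 {1}" -f $fp.Version, $fp.SHA256
"Event ID 4226 entries in the last 7 days: {0}" -f (Get-HalfOpenLimitHits)

# Step 5: back up the original driver and keep its fingerprint next to it;
# never overwrite an earlier backup, since that may be the only clean copy.
if (-not (Test-Path $backup)) {
    Copy-Item -Path $driver -Destination $backup
    ("{0} {1}" -f $fp.Version, $fp.SHA256) | Set-Content -Path "$backup.txt"
}

# Step 7: TcpNumConnections DWORD (not present by default; the article recommends 100-500).
New-ItemProperty -Path $key -Name 'TcpNumConnections' -PropertyType DWord -Value 500 -Force |
    Out-Null
$now = (Get-ItemProperty -Path $key -Name 'TcpNumConnections').TcpNumConnections
"TcpNumConnections is now {0}" -f $now
```

Re-running Get-DriverFingerprint after a Windows update and comparing it with the saved tcpip.original.txt tells you whether the patched driver has been replaced.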


Update in Vista Service Pack 2

According to Microsoft, Vista SP2 completely removes the limit of 2-25 half-open TCP connections that existed in previous versions, for application compatibility reasons. If this works as intended, there should be no need to patch tcpip.sys, and users should no longer see Event ID 4226.

Reference: MS Technet http://social.technet.microsoft.com/Forums/en-US/itprovistasp/thread/2afc725f-44fd-4ae1-9eb8-f0c3a0f552bc/


EnableConnectionRateLimiting

This registry parameter enables or disables the half-open TCP connection limit in Windows 7, Vista (SP2), Server 2008, or later. Some Microsoft OSes, such as Vista before SP2 and Server 2008 before SP2, limit the number of half-open TCP connections to 10. Check the key below and make sure it is either not present or set to zero. Windows 7 and Windows Server 2008 SP2 or later should not require any changes.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableConnectionRateLimiting=0
(DWORD, recommended: 0)
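An added example (not part of the original article) that audits the EnableConnectionRateLimiting parameter described above and reports what its current state means, with a separate function that creates the DWORD with value 0 as recommended. It assumes an elevated PowerShell 2.0 prompt and uses Win32_OperatingSystem only to show which OS and Service Pack the reading applies to.

```powershell
# Added example (not part of the original article): audit EnableConnectionRateLimiting
# and interpret it as the section above describes. Works on PowerShell 2.0 (Vista).
$script:TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-ConnectionRateLimitState {
    $name = 'EnableConnectionRateLimiting'
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    # The value is absent by default. Get-ItemProperty reports an error for a missing
    # name, which we suppress and treat as "not present".
    $item  = Get-ItemProperty -Path $script:TcpipKey -Name $name -ErrorAction SilentlyContinue
    $value = if ($item -ne $null) { $item.$name } else { $null }
    if ($value -eq $null) {
        $state = 'not present: half-open connection limit disabled (default)'
    } elseif ($value -eq 0) {
        $state = 'set to 0: half-open connection limit disabled'
    } else {
        $state = "set to ${value}: half-open connection rate limit enabled"
    }
    New-Object PSObject -Property @{
        OperatingSystem = "{0} SP{1} {2}" -f $os.Caption, $os.ServicePackMajorVersion,
                                              $os.OSArchitecture
        Value           = $value
        State           = $state
    }
}

function Disable-ConnectionRateLimit {
    # Create (or overwrite) the DWORD with value 0, as the article recommends,
    # then return the new state so the caller can confirm the change took effect.
    New-ItemProperty -Path $script:TcpipKey -Name 'EnableConnectionRateLimiting' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Get-ConnectionRateLimitState
}

# Audit only; call Disable-ConnectionRateLimit explicitly if the State line says "enabled".
Get-ConnectionRateLimitState | Format-List OperatingSystem, Value, State
```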


See Also

Windows 7, Vista, 2008 Tweaks - for P2P applications, you may want to set TCP Auto-tuning to highlyrestricted, since the normal setting can consume too many system resources per connection.


References

http://www.yaronmaor.net/repair.htm
http://www.citadel.co.nr/readydriverplus


If you experience problems with any of the above, please note any errors, and the exact versions of Vista and tcpip.sys. You may also try the following in an elevated command prompt (it limits the TCP Receive Window to 65535 per connection): netsh int tcp set global autotuninglevel=disabled

User Reviews/Comments:
by anonymous - 2008-12-29 07:07
Doesn't work for Vista home basic 32 bit tcp.sys version 18063.
In fact the network doesn't work at all.
by anonymous - 2009-01-06 02:53
I agree, it doesn't work for Vista home basic 32 bit tcpip.sys version 18063. On reboot, the file comes up as not digitally signed and you are forced to do a repair, which replaces the patched tcpip.sys file.
by Sancho - 2009-01-07 21:13
Great idea, but as the others say, Vista (Home [not so]Premium) detects the patched tcpip.sys upon reboot, then overwrites it. And because VHP denies us the ability to mess around with Local Users and Groups like good ol' XP, we can't enable the built-in Administrator acct.

But the added TCPIP parameter remains in the registry... twiddling its thumbs? Oh well.
by Philip - 2009-01-08 07:27
I'd try step 4, disabling driver signing integrity checks
by anonymous - 2009-01-14 21:21
Did not work for me on Vista Ultimate x64, my modem would not connect until I put it back to its original state, but no messages from Vista itself, it just would not connect to the internet.
by anonymous - 2009-01-17 11:14
Vista Premium just keeps overwriting the new TCPIP.SYS with a new copy of the original. Perhaps you should have included instructions (or a link) on how to disable the file security protocols.
by anonymous - 2009-01-21 04:35
perhaps you should try step number 4 then ...
by anonymous - 2009-03-02 07:11
I tried this but when I restart my computer I can't get a network connection. When I check it, it says a service has failed to start.

any ideas.
by stoneyblue - 2009-03-27 04:40
Memory patcher (on the fly, no reboot) for tcpip.sys -
TCP Half Open Limited Patcher & Monitor
Supports: Windows XP SP2 SP3 /2003 /2008 /Vista SP1 SP2/Windows 7, All 32bit(x86)/64bit(x64)
http://deepxw.blogspot.com/
by Ray King - 2009-05-03 11:23
Well after the upgrade to Windows Vista SP2 There is no TCPIP.SYS file in the Windows System32 directory!

Windows Vista Home Premium.

Enjoy
by CK - 2009-05-04 23:59
Tcpip.sys still exists after you install Vista SP2.

It's under "Windows/System32/Drivers"..

Anyone knows where the registry key is to set half-open TCP connections? According to MS, they added a registry key in SP2 for it. I can't find it anywhere...
by Haniaman - 2009-05-12 09:30
Everything is ok, but what about the "test mode" in the four corners of the desktop? I am running Vista Premium 32bit.
Thank you,
maybe it's from my mistake, sorry if it is.
by Ironmancwb - 2009-07-27 02:29
You have to add it to the parameters -EnableConnectionRateLimiting put in the value box o then exit .
by ibldtraffic - 2009-08-29 19:02
I implemented the majority of the netsh and reg. tweaks and watched my speed drop from almost 14k to just over 5k... almost half. Do I go back and undo everything, or is there 1 or 2 in particular that may be causing the loss of speed?

Thanks in advance,

Bill D
by muthu240 - 2010-01-25 21:10
can't find the patch for file version 6.06002.18091
by anonymous - 2011-02-02 08:34
Microsoft is a masterpiece of faulty OS! With limiting tcpip connections they intend to cripple and harm p2p! There is no security risk at all if you have more than 10 half open ports with a good and solid firewall! Do not use MS or if you have a license for win sue the damn MS! It's causing BSOD and the OS is dying on you! If you run Windows in enterprise you should sue MS double!!! It's like an American gun industry selling a gun to you and at the same time forbids you to use it, or you buy a car but can not use it due to drive restriction! They are selling licenses for OS and they should not care how many open ports users have, it's not MS concern at all! Every user should sue MS for every faulty piece of win modules for causing trouble and cost to user and it is only a Microsoft related problem! They have plenty of money, they should do something about that!!!
by SC - 2011-09-24 22:49
Assumptions are the mother of all F*&*ups. Yes, Windows XP Service Pack 2 introduced the static tcp emboidry or half-open connections of 100. You can thank the blast worm creator for this as those who didn't have firewalls were a standby ddos tool, set to strike on Microsoft. I thought it was funny all the corporations, including cnet, who didn't have protection to keep this from coming in through the RPC exploit.

Anyway, history lesson over, this caused high-performance Windows servers to have huge problems, other than the normal windoze problems; any web server, for example, can have more than 100 people connecting and disconnecting each second. So, in Windows Vista and servers 2003 and up (2008 & 2008 R2), Microsoft implemented a dynamic limit, increasing automatically while being restrictive. The default is 10 half open per second and increases as needed in increments, through an algorithm unknown to me.

HOWEVER, they also made it where you can disable this automatically! Why are you going to trust modifying windows components, like the tcpip.sys service, when you can just add the following two Dwords in HKLM/System/CCS/Services/Tcpip/parameters:

EnableConnectionRateLimiting = 0 (default when value is created)
TcpCreateAndConnectTcbRateLimitDepth = 0 (default when newly created)

So basically, all you have to do is create them and their default value is 0, disabling the limit. You're now unrestricted but watch out you don't get anything such as the blast worm: any program you download when you don't have a firewall controlling the OUTPUT chain but a default policy to accept can use your limitless connection.

good luck and revert your old tcpip.sys, at least you made a backup like phillip at least said to, right?
by humpty - 2014-10-28 12:37
What most people forget is that the Microsoft setting for the half-open limit is
"PER SECOND"
This means 10 allowed after 1st second, 20 allowed after 2 secs... 1000 allowed after 100 seconds. This is a rate that would not make a lot of difference for normal torrents.

(in linux it is different).
by Smithg799 - 2015-08-02 00:58
cheers for the actual article, I've recently been on the lookout with regard to this kind of advice on the net for some time proper now, so numerous thanks