Windows XP SP2 and Event ID 4226

Update 10 April 2007
It looks as if Windows Vista comes with similar half-open outbound connections limit as Windows XP SP2 did. In fact Vista Home Basic is even more limited with only 2 connections allowed!
Torrentfreak has a great write up on how to patch Windows Vista (32/64-bit) to increase the TCP connections and improve your BitTorrent (p2p) experience.
If you are using Windows XP, you must have noticed all the fuss about Service Pack 2. It introduced an array of security “enhancements”: dual direction firewall, several long overdue IE improvements, memory protection and the crippling of the TCP/IP stack.
Hang on, how is crippling of the TCP/IP stack a security enhancement?
Windows XP SP2 limits half-open connections (SYN) to a maximum of 10 (the previous limit was over 65,000). This is supposed to slow down certain viruses because their spreading strategy is to try to connect to a high amount of random IP numbers.
The drawback with this connection limit is that other legitimate network intensive applications can be slowed down as well. Applications like security network scanners, peer-to-peer (P2P) applications or a combination of network applications that a power user may be using (VPN, FTP, p2p, RDP, SSH, “Firefox on steroids” and more).
To me it sounds awfully lot like treating the symptoms instead of the cause which would have been to tighten up Windows security to prevent virus infections in the first place.
#PAGEBREAK#
There is a way to tell whether your daily networking activities are being affected by the patch. Each time your computer tries to establish more than 10 half-open connection, a system event will be logged in Windows. It looks something like this:

EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts



Access the event viewer by Start / Control Panel / Administrative Tools / Event Viewer / System. Sort by Event and scroll down to 4226. If you only have a few occurrences, I would not worry about it but if you see many daily occurrences it’s time to look into why they are appearing.
There are two scenarios:
1. You computer may be infected with a virus/worm that is trying to spread
2. You are a networking power users and your applications are being stalled by the XP SP2
If you have anti virus software running and you scan your computer regularl ywith anti-spyware software like AdAware then case 1 is not likely.
#PAGEBREAK#
You can find out which process is responsible for the many half-open connections with the command ‘netstat -no | find "SYN"’. Half-open connections will have a state of other than ESTABLISHED. Note the PID (process id), open Task Manager and locate the process and application responsible for the half-open connections.
The second case means that SP2 is stalling your work. An unofficial patch will modify the locked tcpip.sys and let you set the limit to whatever you wish. 50 half-open connections is a reasonable limit or you can set the limit back to 65,535 which it was before the SP2. The patch is called EventID 4226 Patcher and can be found on LVL Lord’s web site: LVLlord downloads.
Certain Microsoft updates may replace the TCPIP.SYS with a new locked version but LVLLord has been quick on updating the patch. When you run the patch, it will tell you how many connections are currently allowed.

104 thoughts on “Windows XP SP2 and Event ID 4226”

  1. Nice. I’ve used the tcpip.sys patch for my global IP scanner website. Without the fix, it would take millenia to scan the entire IP address space.
    I wish M$ didn’t dumb down their products…also, the idea of slowing a worm is crazy… win2k/2k3 don’t have any restrictions, so a worm targeting a server can still be hyper-virulent.
    Thanks!

  2. Juz wanted to ask whteher I can use the patch without downloading SP2??? Can I???

    David sayz:
    Windows XP BEFORE SP2 has no limit on half-open TCP connections.
    There is therefore no need to patch a non SP2 Windows XP system (the patch will most likely fail).

  3. I started to install the fix. The dos window indicated that the maximum concurrent half-open connections are 200.
    the bottom line asked if I wanted to change the limit to 10…
    I thought the fix was to increase the number of connections…. Am I missing something?

    David says:
    If you have a system with more than 10 allowed connections, the patch assumes that you want to restore the TCPIP.SYS to the default 10 open connections.
    (You can always hit ‘c’ and manually enter the new amount of connections you would like)
    Make sure to run the patcher after each windows update to ensure that the half-open connections were not restored to 10 with a new version of the TCPIP.SYS.

  4. I installed this fix but “SFC /scannow” (which I run periodically as an additional security measure) copied the original MS version back. Is there any way to prevent this?

    David says:
    Try this. Search for all versions of TCPIP.SYS in your Windows dir, possibly on all of your computer.
    Replace all version with the patched version. (You should still have a backed up version in Windows/system32/drivers).
    Read up on the WFP at support.Microsoft.com
    Windows update can over write your patched TCPIP.SYS so check it after each update.

  5. Works awesome! Took me 10 seconds to install, and boosted me from 10 – 50 connections.

    David says:
    Sweet!
    Make sure to run the patch after each Windows update to make sure tcpip.sys does not get replaced by Microsoft.

  6. With the SP2 limit of 10, could this be causing a wireless networking to be dropping out multiple times per day? We are getting the 4226 warning each day. We’ve checking and there appears to be NO radio interference or lack of signal strength that could causing the drop out.

    David says:
    The 4226 is not related to WiFi outages.
    Try a ‘netstat -no | find "SYN"’ to see if any specific process id is responsible. The time of the 4226 events may give you some hint.
    It is hard to tell regarding interference since there can be nearby access points that are not broadcasting their SSID. Check with your neighbours or go through all channels. Are you from US and using a wireless home phone?

  7. I’m having a problem trying to figure out whether or not the tcp cap in sp2 is my problem. i NEVER had issues using p2p applications before, but then a couple days ago i set up my internet on a router with my roommate and neither of us can use them anymore. I’ve opened ports on the router and firewall for them, but they still won’t work. i can log into these programs, search, begin to download, but it won’t go further than a couple minutes of downloading. everything I’ve looked up seems to point to this sp2 cap, except for the fact that I’ve NEVER had this problem before. any ideas?

    David says:
    What router is it? “Going for a couple of minutes” does not sound like a SP2 issue, more like a router problem. What exactly happens after couple of minutes?

  8. it’s a linksys NR041 (but on the portforward website it’s listed under network everywhere NR041). the problem is with soulseek and azureus. soulseek will download one song when i start it and then every other attempt will say “initializing” forever and then fail. unless i close it and restart it. in which case it’ll download one song again and then rinse wash repeat and so forth. azureus downloaded 5% of one album, and then quit on me, and nothing else has downloaded since. i HAVE been getting those 4226 error messages. i ran the patch this afternoon for my roommate (cause she’s obviously been having the same problems, and asked me to go ahead and try). it worked just fine, everything’s peachy now. when i got home from work tonight and ran it on mine, i’m still having the exact same problems.

  9. I too am having the same problems as Jennifer.
    Ran the patch and changed limit to 65336 connections. I also use P2P program Soulseek and have the exact same errors. There will be a couple of songs that download at great D/L speed (say, 76 KbpS) and then to the next song. it stalls, says initializing, starts downloading at say 0.2 kbps, then fails. Moves on to the next song and so on. The only way to fix it is to reboot the pc, and the downloads start flying again only to repeat what happened before. I have a NetGear ADSL Firewall DG834.

  10. Windows XP with or without SP2 does not allow concurrent connections to exceed 10. I just tried it with the LVLLORD patch with SP2 and that didn’t work as well. Does anyone have something that allows more than 10 PCs connecting to a single XP machine for the intent of file sharing?
    Thanks

    David says:
    Lvllord DOES work (over 10 million happy customers and counting :-). Seriously, try disabling system restore before using lvllord. Make sure to restart your system.
    Also, there is no limit on concurrent connections, only on HALF-OPEN concurrent connections.
    The limit was introduced together with sp2, before sp2 it was unlimited.

  11. I was having conection problem prior to SP2, it stoped conecting to anything for an hour or two, restart helps, also i got this in SP2 now, i dont get the EventID 4226 or any otehr errors, my internet just stops, ANy modificiation of the tcpip.sys file (raise/lower the limit) fixes my conection for some time but then it stops again and i got to repatch the file, any idea what could be wrong?;)
    This problems been buging me for a very long time id apreciate any help
    Thanks alot

  12. Hello, patched with lvllord 2.23 and still have 4226 in my event viewer.
    is it possible that by each restart XP overwrites the patched file? how to prevent this?
    Greetz
    Unshaven

    David says:
    How many connections did you up it to?
    When you run the patcher, it tells you the current limit. If you run it a second time and it still reports 10 connections then Windows is probably restoring the tcpip.sys file.

  13. Hey there, i ran the patch and set the number to 70. Will this be ok?

    David says:
    With BitComet I once noticed that a single torrent was maxing out on 65 half-open connections. Of course this depends on a lot of factors (especially size of torrent swarm) but I would set the limit to 100 * n where n is number of concurrent torrents you plan to download!

  14. Will this have any negative side effects?

    David says:
    It may void your warranty 🙂 Seriously, if your computer is not secure, patching the tcip.sys will allow worms to spread faster.

  15. hello! I have the patch on my desktop but i didn’t used it because panda say that this is an Hacking Tool. Do you know anything about it?

    David says:
    Some malicious worms make similar changes to the tcpip.sys in order to spread faster on SP2 systems. This is why certain anti-vir software will warn about this.
    The LvlLord patcher however let’s the user decide exactly what limit should be applied and as such the user is in full control. Btw, my Symantec does not report the patcher as virus.

  16. Hi, David!
    I originally found out about Event ID 4226 on Utorrent’s faq. Once clicking and downloading it, I unfortunately didn’t read Lvllord’s faq first.
    I did two destructive recoveries and two manufacturer wipes, and Warning 4226 keeps coming back into my Administration’s service files!
    I remember when downloading it, I left the number of concurrent connections at 50. However, it has caused some problems already, slowing downloads from Utorrent and such.
    Is there anyway of fixing this problem?
    I’d appreciate your help.
    Thanks.

    David says:
    When you run the patch it always tells you how many connections are possible with the current version of TCPIP.SYS so make sure to run the patcher after each update/restore.
    When I run the patcher I have system restore temporarily OFF. When Windows tells me to insert original Windows CD I always click CANCEL to avoid a system restore of TCPIP.SYS.
    good luck

    Thanks, David.
    I’ve downloaded the patch, but haven’t made any changes. I called the company of my comp (HP) or Hewlett Packard. They said third party programs don’t usually take to well their computers. I noticed when I downloaded the patch, it says I’m still at 10 concurrent connections. I aborted the patch after reading. I still get a number of these !Warning 4226 and see a DCHP 1003 Warnings in there as well.
    If I want to rid myself of these warnings, should I maybe delete the patch, do a full system restore or Manufacturer’s wipe, then download the patch again? Surprisingly, two full destruct restores and two Manufacturer wipes didn’t stop these files from coming back. I thought for sure the manufacture wipe would since it wipes out your whole hard drive.

    David says:
    You get the 4226 warnings because:
    1. You have Windows XP Service Pack 2 installed
    and
    2. You are a heavy network user (BitTorrent, servers, Firefox poweruser or similar)
    There are various ways to get rid of the 4226 warnings. You can either roll back to SP1 but I would not recommend this due to risk associated with SP1 or you can use the LVllord patcher.
    The patcher will replace the original TCPIP.SYS with a patched version so Windows will complain because TCPIP.SYS is a core Windows component and thus protected by System Restore and other means.
    The patcher has decent instructions on how to install it: 1. disable system restore temporarily 2. hit OK on various Windows warning dialog boxes when patching 3. restart PC
    (The other way to avoid the warning would be to use less networking resources which I think is a silly solution and which is why I say that Microsoft has “crippled” your TCP/IP stack)
    good luck

    I appreciate your info, David. Thanks!
    If the warnings are coming up, but won’t affect my computer usage or cause any problems then the warnings aren’t that important. If this isn’t fixed, is this something that could cause more problems for my computer in the future?

    David says:
    The 4226 warnings will not cause too much problems.
    In some rare cases when browsing the Internet, using a mail client, using an FTP client or similar you will get a time out during heavy network usage.
    A refresh/retry will solve the problem.
    good luck

  17. Ad-Aware is reporting this patch as a Win32.Hacktool!
    What’s up with that?

    David says:
    This has been noted before, see jonas’ comment above.

  18. Hi,
    i’m working with 3COM Router.Wireless 11g.
    each time i receive the 4226 warning, the router disconnect from the internet.
    i updated the router software and the 4226 continue to appear and to disconnect the connection.
    do you think that patch will solve the problem.
    thanks
    Gil

  19. Hi David.
    I’ve used the LVL Lord Patch and everything was fine. I downloaded System Mechanic and it changed some security settings on my computer and now when I try to run the patch, I get a message saying the patch has been aborted and Kernelfunction could not be loaded. it says tcp/ip.sys could not be accessed and I should try using 64-bit system file unlock. (it says all these things + a lil more.) Can you help? For example, how do I do a system unlock, and where do I find the tool to do it Or, is there a way of undoing the changes that System Mechanic made?
    Thanks.

    David says:
    Sorry to hear that but this seems to be an issue with System Mechanic. I am not familiar with System Mechanic and can only recommend to contact their support since the application is commercial.

  20. Hey David,
    Thanks for the great guide. I found out about the event 1d 4226 through using soulseek’s faq. Awesome guide with great clarity.
    Thanks heaps!

  21. Is there a simple way to prevent Windows XP Pro SP2 from recreating original TCPIP.SYS?
    BTW, using LVllord patcher, changing to 50 fails (TCPIP.SYS recopied by Windows), but changing to # > 100, i.e., 62000 succeeds.

  22. Hi David. I installed the patch on my Windows XP SP2 and set the limit to 100 as you recommended above, I ran the patch a while later after I had rebooted and everything, and it verified that the settings were at 100 connections. However, event viewer still has those long lists of warnings for 4226 Tcpip. Should I think much of it? Also, as a fellow Symantec user, I wanted to ask you if Norton Internet Security 2006 slows down your internet speed. Thank you.

    David says:
    I have my limit set to 1000. You can still max out 100 connections if you are using BitTorrent so I can only suggest to raise your limit.
    I have only Norton AV and have disabled worm protection (firewall takes care of that) and I have not noticed any slowdowns.

  23. Thanks for that. I have changed my limit to 1000. I still have a fairly long list of warnings in event viewer regarding Tcpip 4226, is it ok to ignore those? Also, regarding my torrent client, what would be an optimal “Maximum Connections per task” and “Connections to keep per task” setting for a 512Kbps/128Kbps connection?
    Sorry for all the questions, but I have tried vigorously to get them answered elsewhere and couldn’t get a straight answer!
    Thank you.

    David says:
    Now it might be time to run a thorough virus, trojan and adware check to make sure your PC is not being part of a DOS attack or spreading a worm.
    This is exactly why Microsoft introduced the 10 half-open connections limit, to slow down any such activity.
    If you are not noticing any time outs while using the net (browser, ftp, email and similar), you can most likely ignore the warnings.

  24. Hello David,
    At the outset, thank you so much for your attention and caring to answer our good queries. Now, I would like to mention that I applied the speed optimisation patch and altered my torrent client’s (Bitlord) half limits from the default 10 to 80. The only problem is, my upload speed is maintained at a range between 3-7 kb/s!!!
    My question is, why the patch did not do the trick as expected and is there a missing procedure for me to take in order to improve upon my torrent client’s upload speed? PN: I am using a (Fast Bridge) DSL connection.
    Many thanks in advance and keep up the excellent work 🙂

    David says:
    If after the patch you have observed improved download speeds but not upload speeds then there might be some issues with your networking equipment or connection.
    There is no reason why more half-open connections would enable faster download but not improve the upload!
    (What is your DSL upload speed, what new limit did you patch your Windows to and the limit in Bitlord is that per torrent or a global limit?)

  25. Hi David,
    Can you explain how Can I change the number of connections? I’ve tried everything that you post and the program keep saying that TCPip is unable to be rename. I’ve turned off the system restore and tried in safe mode also uninstalled system mechanic 6. I got a Dell precision with SP2 Pro, maybe is something with the system that they installed ?
    Thanks for your attention.

  26. Hi David.
    Ad-Aware Registers EventID as an Trojan/Hack Tool, and also NOD32 Registers this. I know that is not, but i can’t use it without closing anti-virus. And it is not 100% stable, Keep the good work up.

    David says:
    What is not 100% stable? The llvlord patcher is a bit basic but very efficient.
    Once you have patched your tcpip.sys, surely you can turn on anti-virus again?

  27. After applying the patch and rebooted my machine, I noticed that my download rate for torrents has slowed down to a crawl. I was lucky enough to get maybe 10kb before the patch and now I’m lucky if I get 2kb. My upload is fine though! Btw, I’m running the latest ZA and the latest Azureus
    Any help would be greatly appreciated!

  28. Hi. I need some help. Every time i try to install the 4226 patch, i get a warning “NO DISK IN DRIVE”. When i click continue, the patch closes-no adjustments are possible. Any ideas? Thanks.

  29. Hi, i ran the lvl Patch and now my car doesn’t start anymore…….do you think i should buy a new car?
    HAHAHAHAHAH

  30. Is there any other good anti-virus free software that i oculd download to see if i have a virus?

    David says:
    Search for AVG, Avast Home edition, Housecall online scan from Trend Micro.

  31. Hi. I used the patch and set the limit to 100. When I run the patch again after restart it shows that the limit is 100. But the event viewer still gives me the warnings (14 of them). Isn’t the patch working?

    David says:
    You may have to raise the limit even higher, try 1000. Also scan your system for viruses and adware as they can sometimes be a cause of many half open connections.

  32. I have the same problem as has: “RYoga Says:
    November 18, 2005 04:45 AM” in this blog.
    When downloading anything of the net, when download rate starts to be fast, my internet connection just stops working totally. I don’t get any error messages or such. It always happens when the download rate starts to rise. If I just browse the web there is no problem.
    I am using XP SP2 and 5 connection hub. The proble is not on the internet SP because the same connection works fine with my other laptop.
    Anybody have any ideas what causes this prob and how I could get on fixing it.
    PLEASE E-mail me at jungler82 at hotmail tod com

  33. Hello Mr infinte wisdom,
    I’m currently having some problems with my UTorrent downloads.
    I have a band width of 8 mb, and thios has been tested to show 7.91. When i downlaods i can reach download speeds of 400 kb/s per download but then at other times it slows to a mere 10 kb/s. I ran a port mapping program to try to fix this but i don’t think it had any effect, i have just downloaded your ipsys thingy but havent run it yet, will this allow me to maintain the 400 kb/s or will i just have to live with it going down to 10 kb/s.

  34. This information if FALSE. MICROSOFT already came out and explained that the limit is “10 half-open connections per second”, not “full connections” =these are something entirely different=. PER SECOND. In 10 seconds you get 100 connections, and so on. Get it? It won’t cripple any P2P. Even eMule says it clearly in it’s FAQ:
    http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=120
    Bottomline, this so-called miraculous patch, will only allow you to “contact” (not connect) sources a bit faster than it’s normal with SP2. But if you don’t apply the patch, you end up contacting all the sources, only it takes a little more time (couple of minutes, nobody will die because of this). The patch DOES NOT let you download faster. Proof of this is that I never applied the “patch” (because I was intelligent enough to understand it wasn’t really limiting anything), and eMule’s running as fine as always, top speed of my broadband connection.

  35. Does the TCPIP.SYS patch work on windows XP home or is the some other patch to use for it. I have tried the patch with out success. I have scanned for other files and replaced them as well. I also tried the manual install. If you could help it would be wonderful I am a small business with limited resources. I do have a free upgrade to the new window that is about to come out. Do you know if the new windows will have the same problem. I wish M$ would of not used a band-aid at my expense. Especially one that will not work I hope Bill over there can learn simple math cause this will not slow a worm down but for a few minutes.

  36. wow this program just dropped my download speeds to 3kbps from 1mbps thanks works a treat ,,,, don’t download it waste of time , my uttorents were downloading at 1mbps and now its a measly 3bps , now i have to wait like 1 week for a 700mb file to be finished , usually take me a couple of hours thanks guys/

    David says:
    Sorry to hear that kevnzilla, you are the only one so far reporting this out of over 5 million visitors to LvlLord and many, many reporting how much it has helped them.
    Have another look at speed optimization methods for torrents. Are you capping your uploads to 50% of your available (up) bandwidth?

  37. Hi, will it hurt the system or anything bad if i set back 65535 which is the SP1 version? This is because i set it 50 it is still so slow compared to my previous download. I am downloading at 1-10kbs compared to 30 – 60 kbs previously. I am using bit comet by the way.

    David says:
    It will not hurt your system in any way but it’s unlikely that your system will be using such a high number of half open connections.
    Some bittorrent applications show currently used half open connections. Then you can monitor whether your system is being stalled by a low number of half open connections or whether it is something else.

  38. Greetings, David.
    I tried using that “EventID 4226 Patcher” but it didn’t seem to resolve the problem I’m having.
    I’ll attempt to keep it as brief as possible. 🙂
    So, I’ve been having a bit of a problem with my connection. Every hour or so, it would just die. I have two machines that are connected to a hub which is then connected to a cable modem.
    For the past few days, my main machine has just been losing it’s connection. The machine doesn’t freeze or crash but webpages won’t load, IMer programs disconnect, etc. Thing is, my other machine’s internet access is fine so I know it’s not the cable modem or my outside connection. As soon as I reboot the machine, the connection works just fine up until an hour or so when it repeats the same process.
    After some trial and error, I found out that it might be an issue with P2P software. I didn’t load Bitcomet and the connection seems just normal after 3 hours. I tried reducing my max upload speed to 20k (my cap is 40k) but the same problem happens. I tried to reduce it to 5k with the same results. I stopped Bitcomet from loading on startup and the connection stays up.
    So, I figured it was with Bitcomet so I downloaded another torrent program, uTorrent. I started uploading my seeds with that program rather than Bitcomet thinking that the issue would be resolved but no, it has the same random disconnects.
    I thing I have to mention is that I think this problem started happening when I uninstalled ZoneAlarm and downloaded Windows Defender (Malware detector) and turned on XP’s own firewall. I can’t confirm this problem started happening at this point but it was close to it.
    I downloaded the “EventID 4226 Patcher” and increased it from 10 to 1000 just like you suggested. Same problem. Increased it to 3000. Same problem. Increased it to max at 65585. Same problem. I noticed in the event log that I get some “WinDefend” 3004 errors but I don’t seem to get the 4226 errors anymore.
    Disabling the Windows Defender program still doesn’t resolve the issue. The next step is to try to uninstall Windows Defender but wanted to see if you had any insight. Thanks again!

    David says:
    Pretty good job at narrowing it down. It doesn’t seem to be the cable modem nor an 4226 issue 🙁

  39. I downloaded it and all. But everything remains the same

    David says:
    But did you install the patch properly? Restart your system and run the patcher again. It will report how many concurrent half-open connections are available.

  40. We encountered problems setting up a network with file sharing from Windows XP and used the patch, but still we had problems with users connecting.
    We thought it was a Mac thing as we have PCs and Macs on our network.
    There is also a limit in XP Pro for the maximum number of users who can log into a computer. This limit is 10, I think it’s 5 for XP Home?
    Each Mac user connecting to a separate network share counts as another user, so with 5 people we still managed to go over the 10 user limit.
    I guess this is a licensing / $$ issue because otherwise we would all be using XP rather than Windows Server.
    Hope this helps people who still may have issues after applying the patch.
    Glen

    David says:
    The connection limit of 10 to shared resources is different than what is discussed in this article.
    You will have to look into a Small Business Server (SBS) or a different operating system (Linux?).

  41. Hello David, I ran the patch and set it to 100, rebooted and ran it again and told me it was set to 100. Seems like it worked, but when downloading from bitcomet, I connect to 10 or less peers. What should I do?

  42. Can you set it lower than 50 or just reset to original settings?

    David says:
    You can set the limit to whatever you wish, for example the original 10.

  43. Hello, I think I’m having a similar problem but not quite the same. I’m also having a lot of problems occasionally with connections. Already established connections work fine, indicated by IRC and MSN staying up. However, new connections to remote networks become impossible. The weird part is that local network connections are still possible. (For example, SSHing to a server on the local network)
    It’s the weirdest thing I’ve seen in ages. Sometimes it happens suddenly and later on it stops just as fast, usually lasting 30 minutes or so. If it helps, I’m currently using XP Pro 64 bit edition and to my best knowledge I’m not infected with any viruses or spyware, nor running any network-intensive programs such as a p2p program.

    David says:
    Could it be a DNS problem? When remote networks start failing, have you tried connecting to numerical IPs directly?
    Doesn’t sound like an Event ID 4226 and half open connections limitation issue.

  44. this is absolutly retarded.
    do not download and install this patch.
    do not put your computer at risk.

    David says:
    Thank you for your input even though a bit more constructive criticisms would have been better.
    One has to always be very careful when installing software downloaded from the Internet; be it commercial or private.
    If the software is open source and you can review the source code there is less risk of installing malware but even then how often would you comb all of the code?
    In this case I made a judgement to install the Lvllord TCPIP.sys patch based on a) my frustration with the poor performance of my crippled Windows SP2 system, b) based on numerous reports from other users about the patch being safe and c) no (valid) reports about any malicious intent of the patch.
    Hope that you change your mind about the patch in case you are experiencing connection time-outs.

  45. Whenever i start the program it just says mcafee has found a suspect file on my computer and that windows cant access the files because i don’t have permission even tho I’m the administrator. can you tell me what I’m doing wrong?

  46. Hi ALL.
    I have a strange problem I am using VPN and Symantec Firewall with symantec 10. with the latest update. OS Windows XP with SP2.
    I have patched the TCPIP and tryed with it but it did not worked.
    It shows me the syn_sent and the process ID. I kill the process from taskmanger with PID normally the process is DLLHOST.EXE and it starts working.
    I have tryed several lavsoft Adware, windows update etc.
    Could any one help me
    Thanks
    Shailesh
    shailesh_sawant@….com

  47. David, I have this strange problem: After installing utorrent, and using it, I discovered that in the time interval of 3 or 4 hours my computer is crashing(rebooting). After each reboot I looked in Event Viewer, and saw 2 little red X signs. These 2 errors are:
    1. The IPSEC Services service terminated with the following error: The authentication service is unknown. ( I’ve decided to set the IPSec service to manual start, because I really do not use any kind of IP security policy)
    2. The infamous Event ID 4226. Downloaded the patcher you indicated, used it but not to patch tcpip.sys, just to show me the max half-open connections, wich is 10. I don’t want to patch tcpip.sys because the infamous Event ID 4226 is not that frequent, only 2 or 3 times a day.
    My problem is that rebooting thing. It’s annoying,
    So trying to fix it i did these 2 things:
    1. in services.msc i’ve set the RPC service REcovery options no to restart the computer, but to restart the service. ( is that ok? – your advice would be appreciated)
    2. right clicked MyComputer icon on desktop, then Properties>Advanced>Start-up and Recovery and there I’ve unchecked the Automatically Restart option(is that ok?)
    utorrent (or µTorrent to be more exact) says that it can handle these restriction on tcpip.sys, my setting a bittorrent protocol variable to 8, wich is less than 10, wich is default in tcpip.sys, so i wanna know why my computer was rebooting? now it seem ok, no reboots for 6 hours. :d

  48. >>db
    It’s because some viruses use this patch so they can scan IPs faster, this is why some AV software detects it.

  49. hey David!! i was wondering if there was anyway to revert the changes..i.e. to bring back the max connections to 10….plz respond. i haven’t used the patch yet.

    David says:
    Yes, you just restore the original TCPIP.SYS which is automatically backed up during the patch. Or you can run the patch again and select 10.

  50. Cheers Dave been trying to sort out my p2p downloading for a while, gonna give this patch a try tonight! keep ya fingers crossed for me guys!

    David says:
    Fingers crossed for your dls. Don’t forget to limit your upload to no more than 80% of your upload capacity, enable encryption with plain text fall back and change port away from the default 6881 which is often throttled by ISPs.

  51. I have a question, Azureus downloads fine but when I’m downloading something and uploading (max up is 90) and I begin to play WoW, every once in a while the connection seems to reset. I exit out and check azureus and sure enough download is dropping quick and upload is going to 0. In about 10/20 seconds it will start to down/up load again.
    It gets annoying because it will keep doing it every 10-15 minutes as long as i stay on WoW i set my upload to 40 when i play online so i was wondering if installing this patch will help my situation. I know it’s by going on and playing WoW because if i just surf the problem won’t happen at all but if i go log into WoW 20 minutes later the same problem happens.

    David says:
    It sounds like it go be a router issue. Does it get hot? I don’t think the patch will help in your case but it cannot hurt either if you have the spare minutes to install it!

  52. Is it better than I shut down windows xp firewall and buy zone alarm to protect my windows.

    David says:
    It depends a bit on your circumstances. ZoneAlarm is a bit more complex in setting up but in my opinion offers superior protection compared to the Windows Firewall. Sygate Personal is a great free firewall if you can find it.

  53. Once again me. if zone alarm is not good software for that purposle is there any other which you would recommend me or I should stay with windows firewall
    Thanks

  54. There is a software utility that changes the connection limit in memory without changing the windows system files.
    http://research.eeye.com/html/tools/RT20060808-1.html
    I have not tried it yet but am about to. I have not tried the patch that changes the system file either. Microsoft seems to keep changing the file with update and the patch has to be updated, I would assume the utility will not have that problem.

  55. I was about to change the setting to 300 when it warned against going higher than 100. What is your opinion of this knowing that you are set at 1000? I’m using AVG and ZA as well as Spybot and AD Aware, so should I feel confident against worms or still be cautious and leave it at 100?
    Thanks a lot!

    David says:
    300 is fine and so is 10,000. Remember that before SP2 the outbound connections were unlimited.

  56. ok ive download this patch how the hell do you install the bloody thing how does it work i read that every ones that has worked you can change the limits i haven’t seen any thing when i double click the exe file it comes in a RAR file do you double click on it or what as i get nothing and yes AVG says it a virus but ill take the risk as i down load lots of porn ..lol ..:)can you please tell me what im doing wrong ..lol

    David says:
    The original patch comes in a zip archive and NOT in a rar archive. Make sure to download only from the original source.
    Yes, certain anti-virus software flag it as a virus. This is a false positive.

  57. Hi not sure what your name is but it appears you are really smart, my problem is this im using bitcomet but down load is slow , (winxp serv p 2 im using) I used the eventid patch to increase the limit , it worked , then I changed it back , it worked , then I tried changing it again it didnt, so I used the patch And clicked the uninstall option and it restored the original settings. The Problem now is it won’t change anymore , what can I do to fix this?

  58. Hi,
    I m having an application which is network based.
    When XP SP2 machine is used as a server, performance becomes very slow, when more than 10 clients try to tranfer data at the same time with it. But it works fine in XP SP1 and 2000.
    Is it because of the security update in SP2 and EvID4226 🙁 ?????….
    If it is so,
    What is the easiest way to handle the problem?
    The above conversations talk abt a path in lvllord’s site. Is it microsoft certified?
    will Using this cause any problem?
    Does Microsoft provide any option to switch off this security feature??? 🙂
    Pls lemme know if there is any other option to solve this problem apart from the patch…..
    Any help would be appreciated… 🙂
    Thanks a lot in advance………….

  59. Hi there,
    I just tried installing the patch but get a message saying the tcpip.sys has restricted access rights and to check if the windows directory is right (it is) or alternatively use the /W parameter. Do you know what this means or how can I get past this problem?
    Thanks a lot!

  60. Apparently this is all totally unnecessary. See:
    http://forum.utorrent.com/viewtopic.php?id=10872#p188404

    David says:
    I have to disagree with you.
    10 half open connections is not enough for a power user even when not using P2P. Add p2p to the mix and your connections will start timing out.
    100 is a much more sensible limit both in regards to a power user and also limiting the spread of a virus.

  61. I tried the file but my original maximum half open was 1000 in stead of 10 or 50, what should I do ?

  62. Please advise:
    We run a network where we have a computer that acts as a server (whereas it runs Windows XP not a server operating system).
    We have 11 computers in total (one of those actually being a printer – but it counts as being a connection based on the configuration) which means we exceed the 10 connection limit. Will this patch work so as all 11 computers can simultaneously connect to the network drives that are stored on the server computer? We want to try and avoid the cost of a server, and was hoping that this would solve the problem. Also, we would only need to run the patch on the server based computer, not on all 11 computers, right?
    Your advice would be much appreciated. Thanks.

  63. Hello David,
    My computer runs perfectly except recently I downloaded the music downloading program Soulseek and since then I have seen the blue screen and experienced stops with my tcp every time that I run soulseek (or attempt to) and one time when I didn’t. The event 4226 and others that are similar or lead up to it are my problem (4201, 1003, etc.). By the way, I have Windows XP SP2. So now my question is this – is it easy enough to fix or if I do try and change the tcp JUST to run Soulseek am I opening up a can of problems and unforeseeable things that just aren’t worth the hassle? Will this patch cure my problem? Thank you for your time.

    David says:
    I haven’t seen 4226 issue causing BSOD. Not sure about the other event ids, have you tried researching Microsoft website?
    Have you tried updating your network adapter drivers? Maybe Soulseek is using some advanced network features.

  64. Hi, my pc rebooted suddently when i was using bitcomet to download. I looked in the System event log and that it also was the 4226 error.
    BUT! It REBOOTED my pc??????
    Has anyone else had that b4?
    With kind regards
    Jan
    David says:
    Not me personally but Josh seems to have some issues with soulseek!

  65. I’ve tried looking it up and it seems to me that the limit of 10 tcp connections is what causes it to freeze when I run Soulseek. I found this explanation on the FAQ Section of the soulseek website as well when referring to XP SP2. I don’t know how to update network adapter drivers, so what do you think I should do sir? Thanks!
    Yours,
    Josh

  66. thank you – MS is really tickin us techs off – all these hot fixes for spk2 issues makes so much work and now this sneaky one. My clients are none too happy. One of my clients has started referring to MS as the “Microsoft Gnomes” and us “Computer Knights”.

  67. Well, this has been a very interesting read, and though I have exactly the same symptoms I don’t have a 4226 ID error.
    I tried the hack but it still did not help me any. I can browse local resources fine on the LAN but cant browse any sites. Wierd!
    Anyway, thanks for the interesting read and Kudos to you David for putting up with all the whining.
    Brian

    David says:
    That sounds like an issue with your router… unless you are connecting directly to the Internet.
    Have you checked your DNS settings, tried tracert and ping to google and other basic networking tests?

  68. Hi David,
    Yes I am beginning to think it is my router, but somehow I am still not convinced though. Why I say that is because I have a laptop that sits right next to my desktop and it never has this issue of suddenly being unable to browse internet sites.
    Also, I have a colleague that has the exact same issue as me, (desktop wont browse but his laptop will) and magically by itself it starts to work again.
    Anyway, I need to tinker around some more.
    Cheers,
    Brian
    P.S. Thanks for visiting my blog, I just started it and no the header photo is not mine, it came with the WordPress template. 🙂

  69. Hi David,
    I’d first like to thank you for the guide.
    I seem to have the same problem as ‘con’ was above. I run the .exe (downloaded from the original source), but nothing happens. Am I supposed to get a window of some sort, or does it automatically patch, without popping anything up?
    Thanks.
    P.S. ‘Con’ might have had the original zip file, but thought it was a rar because winrar (and perhaps other rar extractors) opens zip files as well.

  70. Hi David!
    I’m currently having a problem with my Utorrent. It continually disconnects my internet at the most random moments, usually when it’s running. Someone told me this sounds a lot like the even id 4226 but the thing is, I’ve never gotten a warning about it from my computer. Nothing to signify whats happened. I was hoping maybe you could help me out?
    Thank you!
    Nina

  71. Hello there, i have used this patch however i wonder are there any settings i need to alter in bit torrent, i use the original bittorrent. I have sorted out the port forwarding and as i said used this patch, the peer list is now quite long however i only ever seem to connect to about 2 of them at a time the rest are greyed out, this is extremely irritating. Can you help?

    David says:
    It is up to the peer to decide whether to connect to you or not.
    By applying the TCP/IP patch you are ready for as many connections as possible but you cannot force other peers and seeds to connect to you.
    I have seen that in uTorrent there is a setting for maximum global half open connections and by default it is 10 (same as Windows XP SP2). Obviously you would want to increase this to a higher number after applying the patch.

  72. Hey all,
    Has anyone found a fix for Windows XP x64? The patch from lvllord is really old and I just get an ‘Error detecting position to patch’. My TCPIP.SYS build is 5.2.3790.3959 (AA64). I run uTorrent and get 4226’s all the time.
    Thanks,
    TC

  73. Will this increase the amount of viruses i get? Windows started screaming at me half way through the patch, saying i needed the cd to re-instate the thing i just changed. I’ve got norton 2007 so not that scared about viruses and I don’t go on porn so probably wont get any viruses. Any way just wanted to know if i was still safe, just thought I would say it in a long way.

    David says:
    The Event ID 4226 patch can NOT increase the risk of getting a virus. The prompt about restoring Windows files is a common issue when replacing system files and is described in the installation help of the patch.
    Fear not, dear brother, you are safe.

  74. Hi David, The TCP limit makes me crazy.. I’ve been try EventID 4226 Patcher and orbit to remove this limit. still not work. So can you help me to remove it or Can i remove sp2 with condition sp2 already installed from the first time.How? coz here i have 24 computer p2p to 1 computer as the data centre…the 11th connection had been rejected by windows. i’m stuck here..help me please david

    David says:
    This doesn’t sound like an EventID 4226 issue. Are you getting the EventID 4226 errors in event viewer?
    What operating system are you using on your “data centre”. Windows XP has a limit on how many computers can connect to it.

  75. Hi David, can I ask u 1 question?
    In the Event Viewers there, I found that 4226 Event ID have Warning issue there. The other Event ID seem ok. It is the problem there? Thanks a lot!

  76. Hello! I use “uTorrent”. In its FAQ I found a quote (and also a good advise of a friend) that stopped me from using the patch (I simply can’t ignore notes like this):

    “Does µTorrent work well on Windows XP SP2 systems with an unpatched TCPIP.SYS?
    Yes, as of version 1.2, µTorrent will do 8 connection attempts by default to work with the 10 connection attempt limit on these systems.
    Patching tcpip.sys to a higher value may help if you are having problems (such as trackers timing out when they’re actually online), though setting it higher than the default may cause some routers to have freezing problems”

    I think I’ve had a similar problem with my previous modem (even after restoring the original tcpip.sys, it just stopped downloading at all). I have now a different router (DSL). And I’m affraid to apply any patches. That aforementioned friend of mine (he deals with routers like one I’m using) told me that indeed the modem/router can freeze so I’d better not risk and just ignore those notifications.
    What do you think about all that? (sorry for mistakes I probably made, I’m not an English speaker)

    David says:
    Yes, lower quality modems/routers may freeze or overheat due to the high amount of traffic but a decent router/modem should not have a problem with a high amount of traffic… that’s what they are built for!
    There should still be a safe limit, say 100, which is much better than the crippled 10.

  77. Hi David,
    I am using XP home SP2 as webhosting server (www, email servel, ftp server, mysql..). Have aprx. 60 domains on it. I guess I should open my pc to more connections too ….

  78. I tried installing the patch but it aborted. I have windows x64 and an AMD64 processor. Is there anything I can do? In the changelog it says it should work on 64 bit machines…

  79. Hey David,
    Great blog entry. But I have some questions. I have patched my system and I started to roam Soulseek. I get knocked off still but at least now I can download things. When I get knocked off the connection of my whole DSL gets knocked off for a few seconds. I noticed my ip address & subnet mask go from numbers to 0.0.0.0 when soulseek disconnects. Is there a way to stop that?

  80. hey david
    i tried it, but it didnt do anything for me. I checked already and i dont see a problem. I have a number of questions:
    Does it only work on one: LAN/Wifi
    Does it work on XP
    any other tips?

  81. hello, I have got adsl: download 2.5 Mega, upload 256 kb. i have download the patch. Who shell i config the patch when he asks me to change the limit? i got the latest XP with sp2. 10x for the help. u’rs J.R. from Israel – Tel Aviv

    David says:
    Try with 100. That should be sufficient.

  82. i’m having this weird problem with soulseek. i’m not so sure that is caused by the connection limit since i’ve been changed my pc, so SP2 wasd already installed, and for the last year soulseek was working fine. But for the last month, i’m having the same problems reported by Jennifer and David, posted in 2005 in this same post -just scroll upwards. I’ve already installed the patch, and increased my connections, but it doesn’t seem to work. I been looking for a solution, but so far nothing. Jennifer and David are the only two people I been able to find with the same problem.
    i’ve been reading soulseek forums, and there are people with similar problems, and every time pops up that it might be a problem with the isp provider, which in my case is the same, but upgraded to 1 mb. that’s all, if anyone can help, thanx a lot

  83. hey great info guys. Im doing a system scan before I install the patch and Ive had it with my bitlord d/l and such being so crappy…Ill install and hope to give some feed back

  84. Hey, I’ve used this patch before no problem. Recently did a reinstall, and for some reason, I can’t run the patch. It just won’t open. I’ve checked my processes and such, nothing there. Any help?

  85. I got the 4226 warning a few days before i installed the patch, do you know why? I’m afraid i may get infected, how can i be sure this wont break my computer? I have XoftSpySE, AVG Free, and Windows Defender

  86. This isn’t a “Microsoft should fix the problem and not the symptom issue”
    This is a a failure by design of TCPIP. Unlimited syns (syn, syn-ack, ack) are legitmate DOS’es and have been known about long before Windows.
    Unpatch your stack. But don’t cry when your system is crawling due to tens of thousands of half open connections.

  87. hey i downloaded the patch and it seems that its slowing down my torrent download…so plz can you help me and tell me how to remove the patch….thx

    David says:
    The patch will not be slowing down your downloads. It is likely your router that struggles with the high load of connections.
    How many connections did you enable? You should not need more than 100-200.
    Have you capped your upload to 80% of your available upload bandwidth?
    The patch back-ups your original TCPIP.SYS to the following location: C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL.
    It should be a matter of deleting TCPIP.SYS and renaming TCPIP.SYS.ORIGINAL to TCPIP.SYS.

  88. The patch still works today? because of the new Microsoft updates… Thanks in advance.

    David says:
    How recent Microsoft updates are you talking about? Can you give KB (knowledge base) numbers?

  89. I am asking in general… an actual windows xp installation with all updates until today.. this patch works with zero problems? I had an Intranet and i need the most reliable tcpip connection. Thanks in advance.

    David says:
    Yes it will work on an up to date Windows XP system.
    There have been a few updates to the TCPIP.SYS over the last few years that have restored the the half-open tcp/ip connections back to 10 but running the patch again has always helped increasing the half open connections to what ever value you decide your system needs to run efficiently.

  90. Hello David!
    I installed the patch and set it to 100. Unfortunately, download speed remained constant before and after installing the patch (at around the measly rate of 41 kbps). What can I do to speed it up?

  91. Ive downloaded this fix (im using azure as my torrent) however for some reason when i run the .exe nothing happens?? ive tried it in the systems32/drivers folder and still nothing happens.
    I have gotten the 4226 errors and am wondering what can i do…

  92. I had to patch the tcpip.sys file, I’ve changed from 10 to 256, and the 4226 event is now no longer appear. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.