Windows XP SP2 and Event ID 4226

Update 10 April 2007
It looks as if Windows Vista comes with a limit on half-open outbound connections similar to the one Windows XP SP2 introduced. In fact, Vista Home Basic is even more limited, with only 2 connections allowed!
Torrentfreak has a great write-up on how to patch Windows Vista (32/64-bit) to increase the TCP connections and improve your BitTorrent (P2P) experience.
If you are using Windows XP, you must have noticed all the fuss about Service Pack 2. It introduced an array of security “enhancements”: dual direction firewall, several long overdue IE improvements, memory protection and the crippling of the TCP/IP stack.
Hang on, how is crippling of the TCP/IP stack a security enhancement?
Windows XP SP2 limits half-open connections (SYN) to a maximum of 10 (the previous limit was over 65,000). This is supposed to slow down certain viruses, because their spreading strategy is to try to connect to a large number of random IP addresses.
The drawback of this connection limit is that legitimate network-intensive applications can be slowed down as well: network security scanners, peer-to-peer (P2P) applications, or the combination of network applications that a power user may be running (VPN, FTP, P2P, RDP, SSH, “Firefox on steroids” and more).
To me it sounds an awful lot like treating the symptoms instead of the cause; the real fix would have been to tighten up Windows security to prevent virus infections in the first place.
There is a way to tell whether your daily networking activities are being affected by the patch. Each time your computer tries to establish more than 10 half-open connections, a system event is logged in Windows. It looks something like this:

EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts



Access the Event Viewer via Start / Control Panel / Administrative Tools / Event Viewer / System. Sort by Event and scroll down to 4226. If you only have a few occurrences, I would not worry about it, but if you see many daily occurrences it’s time to look into why they are appearing.
There are two scenarios:
1. Your computer may be infected with a virus/worm that is trying to spread
2. You are a networking power user and your applications are being stalled by XP SP2
If you have antivirus software running and you scan your computer regularly with anti-spyware software like AdAware, then case 1 is not likely.
You can find out which process is responsible for the many half-open connections with the command ‘netstat -no | find "SYN"’. Half-open connections will have a state other than ESTABLISHED. Note the PID (process ID), then open Task Manager and locate the process and application responsible for the half-open connections.
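An added example, not part of the original post: this Python script parses `netstat -no` output and counts pending outbound connects (state SYN_SENT) per PID, together with how many distinct remote hosts each process is trying to reach. The sample output and the function names are constructed for illustration; the limit of 10 is the one given above.

```python
import sys
from collections import defaultdict

SP2_LIMIT = 10  # half-open connection limit the article gives for XP SP2

def build_sample():
    """Constructed `netstat -no` output; IPs are documentation ranges."""
    rows = ["Active Connections", "",
            "  Proto  Local Address       Foreign Address      State        PID",
            "  TCP    192.168.1.20:1043   198.51.100.7:80      ESTABLISHED  1320"]
    # PID 2864: 12 pending connects to 12 different hosts.
    rows += [f"  TCP    192.168.1.20:{2000 + i}   203.0.113.{i + 1}:445   SYN_SENT   2864"
             for i in range(12)]
    # PID 1716: 3 pending connects, under the limit.
    rows += [f"  TCP    192.168.1.20:{3000 + i}   198.51.100.{i + 20}:6881   SYN_SENT   1716"
             for i in range(3)]
    return "\n".join(rows)

def half_open_by_pid(netstat_text):
    """Map PID -> {'count': pending connects, 'hosts': distinct remote hosts}."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows look like: TCP local remote STATE PID
        if len(fields) != 5 or fields[0] != "TCP" or not fields[4].isdigit():
            continue
        _, _, remote, state, pid = fields
        if state != "SYN_SENT":      # outbound connect still waiting for a reply
            continue
        host = remote.rpartition(":")[0]   # drop the port, keep the address
        stats[int(pid)]["count"] += 1
        stats[int(pid)]["hosts"].add(host)
    return dict(stats)

def over_limit(stats, limit=SP2_LIMIT):
    """PIDs with more pending connects than the limit, busiest first."""
    return sorted((p for p, s in stats.items() if s["count"] > limit),
                  key=lambda p: -stats[p]["count"])

if __name__ == "__main__":
    # Pipe real output in (netstat -no | python script.py) or run bare for the sample.
    text = build_sample() if sys.stdin.isatty() else sys.stdin.read()
    stats = half_open_by_pid(text)
    for pid, s in sorted(stats.items()):
        flag = "OVER LIMIT" if pid in over_limit(stats) else "ok"
        print(f"PID {pid}: {s['count']} half-open, {len(s['hosts'])} distinct hosts [{flag}]")
```

A process that sits over the limit with nearly as many distinct hosts as pending connects is the one to look up in Task Manager first.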
The second case means that SP2 is stalling your work. An unofficial patch will modify the locked tcpip.sys and let you set the limit to whatever you wish. 50 half-open connections is a reasonable limit, or you can set the limit back to 65,535, which it was before SP2. The patch is called EventID 4226 Patcher and can be found on LVL Lord’s web site: LVLlord downloads.
Certain Microsoft updates may replace TCPIP.SYS with a new locked version, but LVLLord has been quick to update the patch. When you run the patch, it will tell you how many connections are currently allowed.