Comet Forums

tcpip.sys limit aka XP SP-2 limit



Last Updated August 2nd, 2009

Ok, this is the start of a guide on the tcpip.sys limit of 10 half-open simultaneous/concurrent connection attempts added to XP in SP-2 and in SP-1 for Server 2003, Vista & Server 2008: how it works, why it was put in place and, of course, why you don't need to mess with it.

Vista & Server/Work Station 2008 users: Just update to Service Pack 2 and the limit will be automatically removed. MS has written a new tcp/ip stack and no longer needs the limit.

Windows 7 users: If you are running Windows 7 you have no tcp/ip half-open connection limit. You need not bother with any of this.

From this point on the guide is in reference to Windows XP since the limit does not appear to have been removed in SP3. And most likely MS will not bother to remove it or back port the new tcp/ip stack to Windows XP because it's such an old OS now.

Before I begin, a courtesy link to the LvlLord website.

Now how many times have you seen the following:

"My download speed is slow. How do I make it go faster?" "Have you patched your copy of XP yet?"

"BitTorrent is slow! What am I doing wrong?" "Have you patched service pack 2 yet?"

"My downloads are taking forever!" "Patch your connection limit."

This is all too common across the web and it's all wrong.

This is a limit of 10 incomplete outbound TCP/IP connection attempts per second. It is not a limit on ports or complete connections, nor does it drop or block connections. The connections past 10 are put into a queue, or put on hold, meaning that when one connection is either completed or timed out it moves on to the next waiting connection. This queue does not fill up either. So once again I will say no connection is dropped, blocked, or lost. This limit only affects connecting to other clients, not the actual downloading of data from them. If you're on a proper high speed connection you will not even notice this, because it only slows you down by a matter of seconds when the .torrent is started. Just leave BitComet's half-open connection limit of 8 alone (Note: double check this setting, some versions are set to 10 by default). With that setting you'll still be able to web surf while using BitComet; after all, you want to leave your browser two slots to connect to web pages.

This was put in place to help prevent the spread of worms like Blaster and hinder a computer's use in performing DOS attacks.

This does not affect any type of DHT connection for any of the p2p programs that use DHT. Because DHT uses UDP for connecting, it is not limited in any way other than by the speed of your connection. So just use DHT at start up and you'll be fine.

In addition, all the people who do not know what they're talking about in regards to the "patch" need to stop posting about it. It is very outdated, so it screws up your internet connections. If you're using XP Pro Media Center Edition it will kill your connection altogether and you'll need to do a system restore to fix the damage. I know this first hand from the last time I tried to do some tests using my new media center edition computer.

There are a couple of patches out there claiming to be "accelerator patches for BitComet" and that is the problem. The LvlLord patch is the only one I know of that doesn't contain spyware/adware. The other patches don't even do anything to help.

This "patch" was made for use with older p2p network designs, like Fast Track & Gnutella, where you search nodes, super nodes, and servers. Back then the majority of the users were still on dial-up, and bad dial-up at that. So all they understood was the word limit, and this limit would slow them down so it had to go. So a few people with limited knowledge wrote various "patches" for this evil TCP/IP limit to either set it to a higher number or, in one case, remove it altogether.

This patch is only capable of setting up more connections in the same amount of time as normal, so it can appear to speed up downloads when it's not actually helping the download itself. But it's no longer needed with high speed connections and the new structure of p2p networks like and features such as using DHT for starters. Programs like BitComet, µTorrent and many others have already adjusted their connection structure for it. Most importantly, May 1st, 2005 was the last bug fix release for the LvlLord patch. Every few months Microsoft releases a new tcpip.sys for XP; since this patch's last update there has been tons of stuff for Win2k3 and a different TCP/IP structure for XP Media Center Edition that the patch won't work with at all. Let's not even get started with Vista's security updates. Not to mention that Microsoft is well aware of the patch, so Windows Update will remove it, which is a good thing, while MS continues to find ways to block these mods.

Limited number of simultaneous incomplete outbound TCP connection attempts

The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue to be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting occurs. When it does occur, a new event, with ID 4226, appears in the system's event log.

What works differently?

This change may cause certain security tools, such as port scanners, to run more slowly.

How do I resolve these issues?

Stop the application that is responsible for the failing connection attempts.

From microsoft.com

10 half-open simultaneous/concurrent connection ATTEMPTS are more than enough, even for P2P. This limit is a rate limiter, not a connection limiter. You can have tons of half-open connections, just not have them initialized all at the exact same time. Please note the difference between 'half-open connection attempts' and 'half-open connections'.

More info from someone else:

Halfopen connections are connection requests that you have sent out, but have not received a reply. Setting this to 300 means that your Torrent client will target having 300 open requests to unknown clients at any time, targeting maintaining a total of 60 connections.

So, every time a client drops, you have 59 open connections, and your router pings out to 300 people looking for a new connection. That can add up FAST, especially if you connect to a dozen of them, then drop most of them because you only wanted one to reach your max of 60, then one dies a few seconds later and you do it all over again.

Experiment with this as well as the above: LOWER your Halfopen to something closer to 10-20. I have mine set to 10. This will mean slower startups for Torrents, since your Torrent client will only go after peers in small batches, but you won't have a NAT table full of useless connections so you are better off in the longer term. Then RAISE your max connections to about 200-300 so your Torrent client can find the peers it really wants and keep a relationship with them.

If you really want to find peers in large batches, then at least raise your max connections per Torrent and Global Max up so you can handle them. Your Torrent client is biting off more than it can chew, and expecting your router to absorb the results of its gluttony. ;)

From NateHoy, HyperWRT forum

And another user's experience:

I used to use this fix, and then last time I re-installed I didn't bother. No difference whatsoever.

The main point is that SP2 limits to 10 simultaneous connection attempts, the idea being to slow down/add to security log events where a virus has turned the machine into a spam-bot and is trying to open hundreds of connections a second.

There is no such limit on the number of established connections or total attempts, which is why P2P isn't really affected (most BT clients already have work-arounds in place to optimise behaviour with SP2 anyway).

From Daggoth, whirlpool.net.au forums

Using a patch to increase the tcpip.sys half-open connection limit is redundant for anyone not modifying BitComet's advanced settings anyway, as the default is set to 8! Which is a fine setting, as it leaves plenty of room for browsing and whatever else you're doing online. And heaven forbid, should you ever be infected with a trojan/virus, it'll only make it easier for it to connect outward in bulk, thereby compromising your system and slowing your traffic down (e.g. partaking in a DDoS attack).

In conclusion: don't believe the heaps of misinformation floating around out there and forget this unnecessary patch! Take a minute to be honest with yourself: until you read something about an ID 4226, you hadn't even noticed. The ID 4226 won't hurt you, it's just to let you know about your traffic. If you're worried about this, then don't run 2 or more different p2p programs at the same time while leaving 3 different Instant Messenger programs set to start up with Windows, configured for auto log in, going when you're playing that new MMORPG while on team speak.

If you want to undo the patch just run a windows update and MS will fix it for you. Then you just need to set BC back to 8 half-open connections. :)
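
The following is an added example, not part of the original post and not Microsoft's code: a small Python model of the limiter as the guide describes it (a fixed number of half-open slots with a FIFO queue behind them), run over two constructed workloads, a mostly reachable peer list and a worm-like sweep of mostly dead addresses. The 200 ms handshake time, the 21 s timeout and both workloads are assumptions chosen for illustration.

```python
import heapq

RTT_MS = 200          # assumed: handshake time for a reachable host
TIMEOUT_MS = 21_000   # assumed: how long an unanswered attempt stays half-open

def simulate(reachable, limit):
    """At most `limit` attempts are half-open at once; the rest wait in a
    FIFO queue for a free slot. `reachable` is a list of booleans, all
    requested at t=0. Returns one (end_ms, connected, waited_ms) per attempt."""
    slots = []                      # min-heap: time each busy slot frees up
    results = []
    for ok in reachable:
        start = 0 if len(slots) < limit else heapq.heappop(slots)
        end = start + (RTT_MS if ok else TIMEOUT_MS)
        heapq.heappush(slots, end)
        results.append((end, ok, start))
    return results

def time_to_connections(results, n):
    """Time (ms) at which the n-th successful connection is established."""
    done = sorted(end for end, ok, _ in results if ok)
    return done[n - 1]

def total_time(results):
    """Time (ms) until every attempt has either connected or timed out."""
    return max(end for end, _, _ in results)

def hit_limit(results):
    """True if any attempt had to wait, the condition Event ID 4226 reports."""
    return any(waited > 0 for _, _, waited in results)

# Constructed workloads (not measurements):
P2P = [i % 10 != 9 for i in range(200)]    # peer list, 1 in 10 unreachable
SCAN = [i % 100 == 0 for i in range(200)]  # worm-like sweep, 99 in 100 dead

if __name__ == "__main__":
    for name, load in (("p2p", P2P), ("scan", SCAN)):
        for limit in (10, 50):
            r = simulate(load, limit)
            print(name, "limit", limit, ":", len(r), "attempts resolved in",
                  total_time(r) / 1000, "s, limit hit:", hit_limit(r))
    for limit in (10, 50):
        t = time_to_connections(simulate(P2P, limit), 60)
        print("p2p: 60 connections at limit", limit, "after", t, "ms")
```

In this model every attempt is eventually resolved at either limit; raising the limit from 10 to 50 saves the peer-list workload under two seconds on the way to 60 connections, while the sweep of dead addresses is held to roughly one attempt every two seconds at the default limit.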
