


Switeck
08-07-2004, 06:15 AM
Win XP Service Pack 2 poised to DESTROY most/all file-sharing networks!

...Because it includes a wee little 'security feature' which KILLS ALL outgoing connections made by a single program if too many connection attempts fail too quickly.

Guess what -- if your file-sharing program tries to download from 20+ people at once and not enough of them respond back QUICKLY enough... Win XP SP2 has decided your program is 'hostile' and blocks it.

Note: With saved IPs for old download sources on unfinished downloads OFTEN being offline/gone-for-good, the LIKELIHOOD of tripping this 'security feature' is EXTREMELY HIGH!

If you want to read some news articles about it, click one of these:
http://www.developerpipeline.com/tools/23904837
http://www.signonsandiego.com/news/computing/20040805-1235-microsoftupdate.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=23902063

If you want some TECHNICAL information on if and how this may affect you (which may be the case even if you DON'T use Win XP!)... click one of these links:
http://www.neowin.net/forum/index.php?showtopic=192856
http://text.broadbandreports.com/forum/news,49306~mode=full

User says Win XP SP2's 'security feature' knocks out e-mule:
http://www.warp2search.net/modules.php?name=News&file=article&sid=19021

User and BEARSHARE DEVELOPERS say Win XP SP2's 'security feature' knocks out BearShare:
http://www.bearshare.net/showthread.php?t=30219


Note: Microsoft offers neither a 'cure' for this problem, nor a temporary workaround at this time that I am aware of. One reported 'fix' by tweaking registry settings found here:
http://support.microsoft.com/default.aspx?kbid=314053

ABSOLUTELY DOES NOT WORK to solve this problem!

Oh yeah, the patch is probably 1-way too -- if you want to REMOVE it, format and reinstall!

BawA
08-07-2004, 06:54 AM
Even Windows XP's firewall blocks P2P. Once I enabled it I noticed that Klite uploads were dropping, and then I could hardly upload to one user; after disabling it everything came back to normal.
I think disabling the Firewall option in SP2 may solve the P2P problems too.
Well, I'll back up my Windows then install the fucking SP2.

RealitY
08-07-2004, 09:17 AM
I did image my os first just in case I had any issues.
Although on eMule at 75k dl and 25k ul right now...

killer04
08-07-2004, 09:25 AM
Why did I install SP2???? :angry: Overnet, Azureus, ABC don't work well and crash :angry:

sebastian_insua
08-07-2004, 09:49 AM
There is a patch which should work at: http://www.lvllord.de/4226fix/4226fix-en.htm

However it is not for the latest version of SP2 yet....

It cannot be changed via the registry as that would cause security problems as viruses could just disable the service too easily.

I don't know why so many people worry about SP2 it is a great improvement over what we already have....?

Switeck
08-07-2004, 01:42 PM
Originally posted by bawa@Klite_user@7 August 2004 - 01:55
I think disabling the Firewall option in SP2 may solve the P2P problems too.
Sorry, disabling the firewall option in SP2 will have no effect.

Your best hope if you install SP2...or rather your ONLY hope...is what sebastian_insua said:

"There is a patch which should work at: http://www.lvllord.de/4226fix/4226fix-en.htm

However it is not for the latest version of SP2 yet....

It cannot be changed via the registry as that would cause security problems as viruses could just disable the service too easily.

I don't know why so many people worry about SP2 it is a great improvement over what we already have....?"

The reason why we worry is Microsoft does NOT have our best interests in mind. Heck, at times I'm not even sure they have THEIR OWN best interests in mind!

SP2 is just a stepping stone to the rollout of 'trusted computing' -- where EVERYTHING requires Microsoft's permission (and paid-for license) to run. Play button replaced with a pay-per-view button...and Microsoft gets paid every time we click on it!

Ariel_001
08-07-2004, 03:04 PM
Check out:

http://support.microsoft.com/default.aspx?kbid=314053

Specifically:

TcpNumConnections
Key: Tcpip\Parameters
Value Type: REG_DWORD - Number
Valid Range: 0 - 0xfffffe
Default: 0xfffffe
Description: This parameter limits the maximum number of connections that TCP can have open simultaneously.

Be sure to open ports too.

Anyways am going to test SP2 as soon as it is officially released. Am going to check this out.
Can someone tell me the default limit?

sebastian_insua
08-07-2004, 03:26 PM
I think it is limited at 10 connections but the patch which I mentioned (which works for an old version of SP2) changes this to 50 connections.

Switeck
08-07-2004, 04:40 PM
Originally posted by Ariel_001@7 August 2004 - 10:05
Check out:

http://support.microsoft.com/default.aspx?kbid=314053

Specifically:

TcpNumConnections
Key: Tcpip\Parameters
Value Type: REG_DWORD - Number
Valid Range: 0 - 0xfffffe
Default: 0xfffffe
Description: This parameter limits the maximum number of connections that TCP can have open simultaneously.
The max number of TCP open at once will have to be lowered to a very low amount to avoid the 10 failed connections limit before automatic blocking kicks in.

Forget BitTorrent, forget E-mule, even forget Gnutella! They ALL open a lot of connections that are mostly guaranteed to fail the moment they are first run...seeking to retry old download sources.

Worse, the TCP limit may only be changing the underlying networking layer but not the file-sharing program structure which seeks to call the networking layer. So it may attempt to open more connections than the TCP limit allows. Do you know what happens when it continually exceeds that limit?

sebastian_insua
08-07-2004, 07:56 PM
<< Irrelevant post was deleted by user as it embarrassed him >>

executive
08-07-2004, 08:26 PM
I looked on the Microsoft update site and it looks like SP2 hasn't been officially released yet, which means it's probably not a good idea to put it on until it is.
Can anyone else confirm having problems with Kazaa (or its spinoffs) that are DEFINITELY related to SP2 once it is officially released?

RealitY
08-07-2004, 09:11 PM
I may have a comparison later today...

RealitY
08-07-2004, 10:41 PM
I was running a very populated torrent prior to the fix and noticed even though I was connected to a lot of users on the file I just couldn't get past 5k for any extended period, although I seem to remember having these issues ever since even SP1. I've now opened the same torrent, which has about the same users on it as just a few hours ago, and I am getting a steady 20k - 50k and from what it looks like I am one of the fastest peers on this file.

I was wondering also how someone would've even known if tcpip.sys was even screwing down open connections other than the supposed message that has been known to appear in eMule, which I never saw, most likely due to the fact I have very few files downloading and they're mostly rare ones with few sources. I am also wondering if SP1 was affected in any similar way...

NeoTheOne
08-08-2004, 01:33 AM
I'm feeling the effects too

NeoTheOne
08-08-2004, 01:35 AM
This has cropped up on Warp2Search:

Just found this in my event-log after starting emule: "EventID 4226 TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts"

This is what I got from an MS guy when I asked him why XPSP2 slows down programs like emule which open many connections to different destinations:

"Thanks very much for responding. This new feature is one of the stack's "springboards", security features designed to proactively reduce the future threat from attacks like blaster and Sasser that typically spread by opening connections to random addresses. In fact, if this feature had already been deployed, Sasser would have taken much longer to spread.

It's not likely to help stop the spread of spam unless spammers are trying to reach open email relays in the same way, by opening connections on smtp ports of random IP addresses. This is new with XP SP2 and we're trying to get it right so that it does not interfere with normal system operation or performance of normal, legitimate applications, but does slow the spread of viral code. New connection attempts over the limit for half-open connections get queued and worked off at a certain (limited rate)."

There appears to be a registry workaround to this, which can be found here (http://support.microsoft.com/default.aspx?kbid=314053)

News source: Warp2Search
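
The queueing behaviour described in the Microsoft reply quoted above, as an added example that is not part of the original thread and not Microsoft's code: a toy tick-based model of a cap on half-open connection attempts, where attempts over the cap wait in a queue instead of being dropped. The limits 10 and 50 are the figures mentioned in this thread; the 21-tick timeout for dead addresses, the 1-tick handshake for live peers and the sample workloads are assumptions made for the illustration.

```python
from collections import deque


def simulate(peers, limit=10, dead_ticks=21, live_ticks=1):
    """Toy model of a cap on half-open (SYN sent, no answer yet) connects.

    peers      -- bools in connect order: True = peer answers,
                  False = dead address that never answers.
    limit      -- max simultaneous half-open attempts (thread figures: 10, 50).
    dead_ticks -- ticks until an unanswered attempt times out (assumed).
    live_ticks -- ticks until a live peer completes the handshake (assumed).

    Attempts over the limit are queued, not dropped, and admitted as slots
    free up. Established connections never occupy a slot.
    """
    queue = deque(peers)
    half_open = []                      # (remaining ticks, is_live) per attempt
    tick = throttled_ticks = max_queued = established = 0
    first_established = None

    while queue or half_open:
        # Admit queued attempts while a half-open slot is free.
        while queue and len(half_open) < limit:
            live = queue.popleft()
            half_open.append((live_ticks if live else dead_ticks, live))
        if queue:
            # Limit reached with work still waiting: the condition that
            # the "EventID 4226" message quoted in the thread reports.
            throttled_ticks += 1
            max_queued = max(max_queued, len(queue))
        # Advance one tick and retire attempts that finished or timed out.
        tick += 1
        still_open = []
        for remaining, live in half_open:
            if remaining > 1:
                still_open.append((remaining - 1, live))
            elif live:
                established += 1
                if first_established is None:
                    first_established = tick
        half_open = still_open

    return {"ticks": tick, "throttled_ticks": throttled_ticks,
            "max_queued": max_queued, "established": established,
            "first_established": first_established}


# Constructed workloads (not measurements):
STALE_SOURCES = [False] * 30            # client retrying 30 dead stored sources
BUSY_SWARM = [True] * 30                # 30 peers that all answer
MIXED = [False] * 11 + [True] * 5       # 11 dead sources ahead of 5 live ones

if __name__ == "__main__":
    for name, peers in (("stale", STALE_SOURCES), ("swarm", BUSY_SWARM),
                        ("mixed", MIXED)):
        for limit in (10, 50):
            print(f"{name:5} limit={limit:2}", simulate(peers, limit=limit))
```

In this model the live peers in the mixed workload are all reached under either limit; with a limit of 10 they are only delayed until the dead attempts ahead of them time out.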

sebastian_insua
08-08-2004, 05:39 PM
Originally posted by neotheone@8 August 2004 - 01:36
This has cropped up on Warp2Search:

Just found this in my event-log after starting emule: "EventID 4226 TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts"

This is what I got from an MS guy when I asked him why XPSP2 slows down programs like emule which open many connections to different destinations:

"Thanks very much for responding. This new feature is one of the stack's "springboards", security features designed to proactively reduce the future threat from attacks like blaster and Sasser that typically spread by opening connections to random addresses. In fact, if this feature had already been deployed, Sasser would have taken much longer to spread.

It's not likely to help stop the spread of spam unless spammers are trying to reach open email relays in the same way, by opening connections on smtp ports of random IP addresses. This is new with XP SP2 and we're trying to get it right so that it does not interfere with normal system operation or performance of normal, legitimate applications, but does slow the spread of viral code. New connection attempts over the limit for half-open connections get queued and worked off at a certain (limited rate)."

There appears to be a registry workaround to this, which can be found here (http://support.microsoft.com/default.aspx?kbid=314053)

News source: Warp2Search
I already said there is no registry workaround:

There is a patch which should work at: http://www.lvllord.de/4226fix/4226fix-en.htm

However it is not for the latest version of SP2 yet....

It cannot be changed via the registry as that would cause security problems as viruses could just disable the service too easily.

I don't know why so many people worry about SP2 it is a great improvement over what we already have....?


If you want to stop this from happening you shall have to use the patch I mentioned earlier in the post.

Switeck
08-09-2004, 01:40 AM
Originally posted by REALITY@7 August 2004 - 17:42
I was running a very populated torrent prior to the fix and noticed even though I was connected to a lot of users on the file I just couldn't get past 5k for any extended period, although I seem to remember having these issues ever since even SP1. I've now opened the same torrent, which has about the same users on it as just a few hours ago, and I am getting a steady 20k - 50k and from what it looks like I am one of the fastest peers on this file.

I was wondering also how someone would've even known if tcpip.sys was even screwing down open connections other than the supposed message that has been known to appear in eMule, which I never saw, most likely due to the fact I have very few files downloading and they're mostly rare ones with few sources. I am also wondering if SP1 was affected in any similar way...
Ironically, you may have found a special case with BitTorrent which is less likely to set off Win XP SP2's draconian connection blocker.

It's only when your computer accumulates 10 FAILED connections in a short time that the blocker kicks in. But if you're on a very populated torrent and only attempting a few new connections every 5-10 seconds, then I think most of the new connections are slightly more likely to be LIVE connections -- thus the ratio of good to failed connections is rather high.

Mainly, it's when you FIRST connect to a torrent that tripping the blocker is most likely -- because that's when the torrent retries its STORED ip sourcelist...which are most likely to be dead for days/weeks/months!

Also, with many file-sharing programs, you can probably reduce settings to the point where tripping the blocker becomes unlikely -- but by then you're running using settings little different than what 56k dial-up users use!

Your example in e-mule is likewise probably unlikely to trip the blocker as well. You have few downloads with few sources and probably told emule to retry only a couple downloads at a time.

I'll say it again to ALL -- it's NOT the number of connections you HAVE that trips the blocker, but rather the number of FAILED connections gained in under a minute that causes the blocker to start KILLING many/all connections!

RealitY
08-09-2004, 04:49 AM
Originally posted by Switeck@8 August 2004 - 17:41
Ironically, you may have found a special case with BitTorrent which is less likely to set off Win XP SP2's draconian connection blocker.

It's only when your computer accumulates 10 FAILED connections in a short time that the blocker kicks in.
Not sure if you noticed but I have applied the fix already which raises the value to 50 which should be enough for any user...

killer04
08-09-2004, 03:59 PM
Can't find C:\WINDOWS\SERVICEPACKFILES\I386

Alex H
08-10-2004, 02:28 AM
There is a patch on the Shareaza forums to make SP2 accept unlimited connections. I think it is based on the one posted earlier, but I'm not going to be using SP2 so it doesn't really affect me.

Can't find the specific post for the patch, but it's somewhere on these forums. (http://forums.shareaza.com)

Ariel_001
08-10-2004, 02:39 AM
I see no problem at all. No changes at all.. :huh: :blink:

What is the problem? Help me re-create what the problem is?

Oh ya my windows version. From the official release. Not that RTM (winbeta release).

Switeck
08-10-2004, 06:08 AM
Originally posted by Ariel_001@9 August 2004 - 21:40
I see no problem at all. No changes at all.. :huh: :blink:

What is the problem? Help me re-create what the problem is?
Seems my title of gloom and doom is fortunately not panning out.

You may never encounter the problem unless you use file-sharing programs, particularly E-mule or a Gnutella client aggressively.

The problem is the initial connection sequence when the program is first run is VERY LIKELY to trip this 'block all' policy if the p2p program attempts too many failed sources too quickly. It only needs to get 10 half-open connections and attempt an 11th for this to happen. Thus, trying 11 'dead' download sources might be sufficient.

However, because this Win XP SP2 'policy' cannot be changed by the user without hacking windows files (or using someone's created hacked files)...this is still a very big issue.

Some (even Microsoft representatives) have called this 'feature' a NEEDED security measure, but it's not MS's 'job' to protect me, it's their job to put out software without bugs in it. Problems like the TCP/IP connections isn't a flaw, it's MS trying to bully its way into how I want my PC to run.

Microsoft DOESN'T know what's best.

Ariel_001
08-10-2004, 12:35 PM
Well, it's the average user that has made it MS’s 'job' to protect.

Most users just treat their computer like a toaster. They buy it all built and pre-configured. They don’t use any anti-virus/firewall. They install anything from anywhere.

Anyways I have used E-mule, Gnutella (Shareaza), DL some torrents all at the same time. Failed to still make that error... Maybe am doing something wrong?

Switeck
08-11-2004, 01:12 AM
Originally posted by Ariel_001@10 August 2004 - 07:36
Anyways I have used E-mule, Gnutella (Shareaza), DL some torrents all at the same time. Failed to still make that error... Maybe am doing something wrong?
I am SHOCKED you cannot induce the error (or rather have it happen on its own) on Shareaza.

Just having it cycle through all the bad ips needed to connect to Gnutella 1 network should cause it in under 3 seconds.

Maybe they did clean up some of the problems by increasing the 10 half-connections limit in the betas to something like 50 or 100 in the final release?
(Question: Did you run the network administrator SP2 upgrade, or download SP2 as a 'home user' using Windows automatic upgrade?)

Shareaza should still hit that occasionally, if running in HUB mode with 100 incomplete downloads with lots of sources each. :lol:

Ariel_001
08-11-2004, 02:12 AM
I managed to re-create this error... This "fix" for this appears to work :) .


(Question: Did you run the network administrator SP2 upgrade, or download SP2 as a 'home user' using Windows automatic upgrade?)

I slipstream SP2. I am now also thinking of adding a "fix" tcpip.sys to winXP setup with max out connections set. B)

http://img32.exs.cx/img32/9550/woot2.png

If you patch both tcpip.sys in the "dllcache" and "drivers" folder, windows won't complain about it.


Originally posted by Virtualbody1234@10 August 2004 - 21:48
There is a new version out of the Patcher.

Now 2.0b

Available here: http://www.lvllord.de/4226fix/4226fix.htm

Instructions for opening 50 connections:

Just execute the EvID4226Patch20b.exe file. It will automatically find the windows
directory and ask, if it should increase/decrease.

After a successful patch, the new TCPIP.SYS will be automatically installed.
Windows will give a warning that changes were made. Don't let Windows
reinstall its version. After that, the computer should be restarted.

And you're done.


----------------------------------
For more than 50 open connections, use parameters:

Usage: EvID4226Patch20b [/L=limit] ([/W=windir] || [/F=file])

/L = Set a limit (valid values from 10-16777214)
/W = Set the windows directory if detection fails.
    (cannot be used in combination with /F-command)
/F = Set the file to be patched. Does not touch any other file.
    (cannot be used in combination with /W-command)

Virtualbody1234
08-11-2004, 05:14 AM
Originally posted by Ariel_001@10 August 2004 - 20:13
I am now also thinking of adding a "fix" tcpip.sys to winXP setup with max out connections set. B)

I too have been trying to do just that.

I have been trying to figure out the process of the makecab. I think I have figured most of it out.


I copied the TCPIP.SYS file to C:\ then from the prompt I typed:

C:\>MAKECAB /L C:\ TCPIP.SYS

The TCPIP.SY_ file shows up in C:\

Now my question is. If I insert that file into the i386 folder and create a CD, will it work properly?

I heard something about a CRC check. Won't the installation refuse the new TCPIP.SY_ during the installation?

Ariel_001
08-11-2004, 12:38 PM
Originally posted by Virtualbody1234@11 August 2004 - 01:15
Originally posted by Ariel_001@10 August 2004 - 20:13
I am now also thinking of adding a "fix" tcpip.sys to winXP setup with max out connections set. B)

I too have been trying to do just that.

I have been trying to figure out the process of the makecab. I think I have figured most of it out.


I copied the TCPIP.SYS file to C:\ then from the prompt I typed:

C:\>MAKECAB /L C:\ TCPIP.SYS

The TCPIP.SY_ file shows up in C:\

Now my question is. If I insert that file into the i386 folder and create a CD, will it work properly?

I heard something about a CRC check. Won't the installation refuse the new TCPIP.SY_ during the installation?
Are you Virtual from LvlLord? B) :)

Anyways quoting from MSFN


Place both ModifyPE.exe and uxtheme.dll in the same directory. Open up Command Prompt and browse to the directory
containing the two files. Run:
modifyPE.exe uxtheme.dll -c
then...
makecab uxtheme.dll
Having done that, you should have a compressed uxtheme.dl_ file (which was the purpose of using makecab). All you have
to do now is copy uxtheme.dl_ to your i386 directory and overwrite when prompted.
Because we used modifyPE on the uxtheme.dll file, this edits the CRC header so Windows XP Setup will no longer attempt
to abort the file copy. Instead it will allow the file through without prompting anything.
However, it will be logged in setuperr.log when Windows has finished installing, which will mention that the file isn't
digitally signed. There's nothing to worry about as the original Microsoft uxtheme.dll file doesn't exist in either dllcache or
on the CD, so there's no way it can be replaced back to its original version :-)

According to LvlLord " the CRC is been corrected". But you can always try "modifyPE.exe TCPIP.SYS -c" to fix that.

ModPE: http://unattended.msfn.org/files/modpe081.zip

abu_has_the_power
08-11-2004, 03:27 PM
the fix is also on suprnova. couldn't i just not install sp2?

Virtualbody1234
08-11-2004, 03:40 PM
Originally posted by Ariel_001@11 August 2004 - 06:39
Originally posted by Virtualbody1234@11 August 2004 - 01:15
Originally posted by Ariel_001@10 August 2004 - 20:13
I am now also thinking of adding a "fix" tcpip.sys to winXP setup with max out connections set. B)

I too have been trying to do just that.

I have been trying to figure out the process of the makecab. I think I have figured most of it out.


I copied the TCPIP.SYS file to C:\ then from the prompt I typed:

C:\>MAKECAB /L C:\ TCPIP.SYS

The TCPIP.SY_ file shows up in C:\

Now my question is. If I insert that file into the i386 folder and create a CD, will it work properly?

I heard something about a CRC check. Won't the installation refuse the new TCPIP.SY_ during the installation?
Are you Virtual from LvlLord? B) :)

Anyways quoting from MSFN


Place both ModifyPE.exe and uxtheme.dll in the same directory. Open up Command Prompt and browse to the directory
containing the two files. Run:
modifyPE.exe uxtheme.dll -c
then...
makecab uxtheme.dll
Having done that, you should have a compressed uxtheme.dl_ file (which was the purpose of using makecab). All you have
to do now is copy uxtheme.dl_ to your i386 directory and overwrite when prompted.
Because we used modifyPE on the uxtheme.dll file, this edits the CRC header so Windows XP Setup will no longer attempt
to abort the file copy. Instead it will allow the file through without prompting anything.
However, it will be logged in setuperr.log when Windows has finished installing, which will mention that the file isn't
digitally signed. There's nothing to worry about as the original Microsoft uxtheme.dll file doesn't exist in either dllcache or
on the CD, so there's no way it can be replaced back to its original version :-)

According to LvlLord " the CRC is been corrected". But you can always try "modifyPE.exe TCPIP.SYS -c" to fix that.

ModPE: http://unattended.msfn.org/files/modpe081.zip
Thank you for the helpful information but...

I had already figured it out.

I made a new TCPIP.SYS with 400 connections then used the modifyPE and makecab to create a compressed TCPIP.SY_. I replaced the TCPIP.SY_ in the CD files then I burnt a new slipstreamed CD.

I have just finished testing it. The new freshly installed system shows 400 open connections without having made any changes.

Yay! It worked. :clap:

So now every time I install with that CD the 400 connections are open. :)

Ariel_001
08-11-2004, 04:13 PM
I also made my own copy using Virtual PC..

I did not use modifyPE.exe, but it still seems to work..

Works great. No problems.. Max out (half-open) connections. B) :P :D

http://img26.exs.cx/img26/6742/TCP_TEST_PATCH.jpg

executive
08-11-2004, 09:21 PM
what is slipstream?

AndrewBarker
08-11-2004, 09:30 PM
Originally posted by executive@11 August 2004 - 22:22
what is slipstream?
integrated into

hungrylilboy
08-12-2004, 12:40 PM
so whats the outcome on this?

is http://www.lvllord.de/index2.htm the best solution so far?

krome
08-14-2004, 08:01 PM
TCPIP.SYS.ORIGINAL is in C:\WINDOWS\system32\drivers
should I delete it or -/?

RealitY
08-14-2004, 09:52 PM
Originally posted by krome@14 August 2004 - 12:02
TCPIP.SYS.ORIGINAL is in C:\WINDOWS\system32\drivers
should I delete it or -/?
No reason to really, it's just an in-case-shit-happens backup...