Applications Team

Nikolaos Katsampekis
How to Remove Windows XP SP2 and SP3 TCP IP
Limits connections
Contents
! Reason
2 ! Windows XP SP 2
3" Windows XP SP 3
# !Windows $
First draft document-Nikolaos Katsampekis
" Reason
In a C&M system we are running Roll Proxy with many connections and
multiple clients at the same time e.g. RollCall Control Panel, RollMechanic,
RollSNMP, LogSerer, RollPod !esigner and MCM together with any other
applications they ta"e a large num#er o$ %CP IP connections & 'indows
hae introduced a limit in order to #a#y sit users and (reduce the threat( o$
worms spreading $ast without control. In one such attempt, the des seem to
hae limited the num#er o$ possi#le %CP connection attempts per second to
)* +$rom unlimited in SP),.
%his argumentatie $eature can possi#ly a$$ect serer and P-P programs that
need to open many out#ound connections at the same time.
%he $orward thin"ing o$ Microso$t deelopers here is that you can only in$ect
)* new systems per second ia %CP.IP /0/... I$ you also consider that each o$
those in$ected computers will in$ect )* others at the same rate1
second )1 )2)* computers
second -1 )*2)*3)* computers +))* new ones,
second 41 )*2)**3)* computers + )))* new ones,
second 51 )*2)***3)* computers +))))* new ones,
....
all the way to %&'% ( %)'% comp*te+s in a sin,le min*te +that6s a num#er
with 7* digits, or it would $ar exceed 8arth6s population,. 8en i$ we consider
that 9*: o$ those computers are unreacha#le.protected, one would still
reach ;LL o$ them within a minute.
In other words, een though it is not going to stop worm spreading, it6s going
to delay it a $ew seconds, limit possi#le networ" congestion a #it, and limit the
use o$ your PC to )* connection attempts per second in the process.
'ith the new implementation, i$ a P-P or some other networ" program
attempts to connect to )** sites at once, it would only #e a#le to connect to
)* per second, so it would ta"e it )* seconds to reach all )**.
In addition, een though the setting was registry edita#le in <P SP), it is now
only possi#le to edit #y changing it directly in the system $ile tcpip.sys.
%o ma"e matters worse, that $ile is in use, so you also need to #e in Sa$e
mode in order to edit it.
=ou only need to worry a#out the num#er o$ connection attempts per second
i$ you hae noticed a slowdown in networ" programs re>uiring a num#er o$
connections opened at once.
=ou can chec" i$ you6re hitting this limit $rom the 8ent ?iewer, under System @
loo" $or %CP.IP 'arnings saying1 (%CP.IP has reached the security limit
imposed on the num#er o$ concurrent %CP connect attempts(. Aeep in mind
this is a cap only on incomplete out#ound connect attempts per second, not
total connections.
First draft document-Nikolaos Katsampekis
Still, running serers and P-P programs can de$initely #e a$$ected #y this new
limitation.
Bor our applications to wor" we need to remoe those limits #ellow are $ew
guidelines on how to do it.
Remove t-e limit on TCP connection attempts .o+ Windows XP
SP2
%o change or remoe the limit, you can use the $ollowing program1
'indws <P SP-
8ent I! 5--7 Patcher @ ; patching program $or remoing or changing the
limit imposed on connection attempts in SP-. %he patcher has the a#ility to
restore tcpip.sys #ac" to the original... Still, you might want to #ac" up
tcpip.sys, use it at your own ris". %he author o$ this patch can #e reached C
http1..www.lllord.de.

8dit tcpip.sys manually to remoe the %CP.IP socket c+eation limit
;nother option, $or the more adenturous is to modi$y your tcpip.sys $ile
manually, using a hex editor. %he $ollowing instructions re$er to the $inal
release o$ <P SP-, with a tcpip.sys $ile o$ exactly 4D9,*5* #ytes, CRC@4- is
E*5-;9BF, and M!D is 9B5F477)5;*BC-45D-DF;--59DG!8DDC. 8en
thouh there might #e multiple tcpip.sys $iles in your system, ma"e sure to wor"
with the one in c1HwindowsHsystem4-HdriesH directory.
%o remoe the tcpip.sys soc"et creation limit1
@ Fac"up your original tcpip.sys $ile #e$ore editing please, this is somewhat
important 0
@ In your hex editor, go to o$$set 5B4-- hex +or 4-54E7 decimal,.
@ Change *a ** ** ** to ** ** *a **
;ll done 0 %he a#oe change does not re>uire editing o$ the CRC in o$$set
)4* hex +than"s $or the cleer solution %homas 'ol$ %omp"ins,.
Notes1
I$ any o$ the data a#oe does not match exactly +crc, $ile siIe, md5, or the
data at offset 4F322) please double-check what you are doing, or abort
completely.
%he a#oe in$ormation increases the R;%8 o$ opening outgoing
connections. It has nothing to do with the limit o$ )* connections to
networ" shares on a 'indows wor"station PC $or sharing $iles +a MS imposed
limit to $orce you to upgrade to a serer ersion o$ the JS,. %his )*
connections to networ" shares limit was introduced with N%5 wor"station
+SP4,, and exists in 'indows -" wor"station, and 'indows <P home.pro.mc.
It only applies to authenticated windows serices, such as $ile and print
sharing.
First draft document-Nikolaos Katsampekis
Remove t-e limit on TCP connection attempts .o+ Windows XP
SP3
Fy increasing the num#er o$ %CP.IP connections allowed at one time.
!ownload Patch Brom Kere
Remove t-e limit on TCP connection attempts .o+ Windows
/ISTA
!ue to the enhanced security in ?ista, it is a #it more complicated to increase
the %CP concurrent hal$@open connections limit. It re>uires downloading a
patched tcpip.sys, changing a registry parameter and disa#ling drier signing
in x75 editions +potentially a$ter eery re#oot,. Note that su#se>uent 'indows
updates and Serice Pac"s may oerride tcpip.sys with a newer ersion as
well.
%he re>uired steps are outlined #elow1
0 Note 1o*+ c*++ent tcpip0s1s ve+sion. %o chec" your tcpip.sys ersion,
naigate to C1H'indowsHsystem4-HdriersH , right@clic" on tcpip.sys and
choose (Properties( @ the ersion in$ormation will #e listed in the (!etails(
pane.
20 2ownload a patc-ed tcpip0s1s .ile $or your particular tcpip.sys and ?ista
ersion. =ou can download patched ersions o$ tcpip.sys $rom @here@. Note
that 4-@#it and 75@#it ersions o$ ?ista use di$$erent tcpip.sys $iles. Biles are
listed as tcpip<<@======.sys, where << is the ?ista ariant +4- or 75@#it,,
and ====== is the tcpip.sys ersion.
30 3pen command p+ompt, and execute the $ollowing commands exactly
+administrator account, and eleated command prompt recommended,1
takeown 4. 5S1stem+oot56s1stem326d+ive+s6tcpip0s1s
icacls 5S1stem+oot56s1stem326d+ive+s6tcpip0s1s 4,+ant 75*se+name
578.
#0 2isa9le d+ive+ si,nin, inte,+it1 c-ecks $or 75@#it 'indows ?ista ersions
only. =ou can do this using the Ready!rier Plus ).) so$tware, or pressing
BE at #oot time. More in$ormation on disa#ling drier signing integrity chec"s
in ?ista is aaila#le @here@.
:0 ;ack*p tcpip0s1s #y copying it to another location.$ile. =ou can do it in
'indows 8xplorer, or running the $ollowing in command prompt1
cop1 5S1stem+oot56s1stem326d+ive+s6tcpip0s1s 5S1stem+oot
56s1stem326d+ive+s6tcpip0o+i,inal
'0 Replace t-e o+i,inal tcpip0s1s in C1H'indowsHsystem4-HdriersH with the
patched tcpip.sys $or your correct ersion o$ 'indows, downloada#le $rom our
we#site @here@. =ou6d hae to #e logged in as administrator, i$ it $ails you may
want to try restarting in sa$e mode +BE on system startup,.
First draft document-Nikolaos Katsampekis
$0 Set t-e desi+ed new limit .o+ TCP -al."open connections in the
'indows Registry. Jpen the registry editor #y clic"ing the 'indows #utton L
Run L type1 regedit . =ou6d need to add a new !'JR! alue under the
$ollowing "ey1
KA8=MLJC;LMM;CKIN8HS=S%8MHCurrentControlSetHSericesH%cpipHParam
eters
TcpN*mConnections<:%% +!'JR! alue, not present #y de$ault.
Recommended alue is #etween )** and D**,.
;lternatiely, you can download the sgMistaMtcpipMlimitMpatch to apply the
registry change a#oe automatically.

=pdate in /ista Se+vice Pack 2
;ccording to Microso$t, ?ista SP- completely remoes the limit o$ -@-D hal$@
open %CP connections that existed in preious ersions $or application
compata#ility reasons.
'e6re not aware o$ any documentation introducing new registry "eys
to change the %CP hal$@open connection limit. I$ this wor"s as intended, there
should #e no need to patch tcpip.sys, and users should no longer see 8ent
I! 5--7.
Re$erence1 MS %echnet http1..social.technet.microso$t.com.Borums.en@
NS.itproistasp.thread.-a$cG-D$@55$d@5ae)@9e#E@$*c4a*$DD-#c.
In$o Fellow
'indows ?ista introduces a num#er o$ new $eatures to the %CP.IP stac", including C%CP,
and %CP 'indow ;uto@%uning. %his new implementation wor"s much #etter #y de$ault than
preious 'indows ersions with #road#and internet connections, and is a#le to adOust the
R'IN alue on the $ly, depending on the F!P +#andwidth@delay product,. %his, howeer,
introduces some pro#lems with older routers and restricts the user $rom twea"ing some o$ the
%CP.IP parameters. Still, there is always some room $or improement, and this
article explains the "nown twea"a#le %CP.IP parameters.
%o enter some o$ the commands #elow, you will need to run (eleated( command prompt. %o
do so, clic" the Start icon L Run L type1 cmd , then clic" C%RL2SKIB%28N%8R. ;lternatiely,
you can naigate to Start L ;ll Programs L ;ccessories L right@clic" Command Prompt and
choose (Run as ;dministrator(.

C-eck t-e TCP4IP state
%o chec" the current status o$ the ?ista %CP.IP twea"a#le parameters, in eleated command
prompt type the $ollowing command1
nets- int tcp s-ow ,lo9al
=ou will #e presented with something li"e the $ollowing1
First draft document-Nikolaos Katsampekis
%he settings, as well as their de$ault and recommended state are explained #elow. %he two
most important twea"a#le parameters are (;uto@%uning Leel( and (Congestion Control
Proider(.
'hen chec"ing the %CP state with the (netsh int tcp show glo#al( command, it is also
possi#le to see the $ollowing message #elow all those parameters1
33 %he a#oe autotuningleel setting is the result o$ 'indows Scaling heuristics oerriding any
local.policy con$iguration on at least one pro$ile.
It is displayed when the (Receie 'indow ;uto@%uning Leel( is not explicitly set, or i$ the
system deemed it necessary to ma"e a change #ecause o$ user prompted (repairing( o$ your
networ" connection, $or example.

2isa9le Windows Scalin, -e*+istics
'indows ?ista.G has the a#ility to automatically change its own %CP 'indow auto@tuning
#ehaior to a more conseratie state regardless o$ any user settings. It is possi#le $or
'indows to oerride the autotuninleel een a$ter an user sets their custom %CP auto@tuning
leel. 'hen that #ehaior occurs, the (netsh int tcp show glo#al( command displays the
$ollowing message1
33 %he a#oe autotuningleel setting is the result o$ 'indows Scaling heuristics
oerriding any local.policy con$iguration on at least one pro$ile.
%o preent that #ehaior and en$orce any user@set %CP 'indow auto@tunning leel, you
should execute the $ollowing command1
nets- int tcp set -e*+istics disa9led
possi#le settings are1 disa#led,ena#led,de$ault +sets to the 'indows de$ault state,
recommended1 disa#led +to retain user@set auto@tuning leel,
Note this should #e executed in eleated command prompt +with admin priiledges, #e$ore
setting the autotuninleel in next section. I$ the command is accepted #y the JS you will see
an (J".( on a new line.
%he corresponding Registry alue +not necessary to edit i$ setting ia netsh, is located in1
KA8=MLJC;LMM;CKIN8HS=S%8MHCurrentControlSetHsericesH%cpipHParameters
>na9leWsd<% +de$ault1 ), recommended1 *,

TCP A*to"T*nin,
%o turn o$$ the de$ault R'IN auto tuning #ehaior, +in eleated command prompt, type1
nets- int tcp set ,lo9al a*tot*nin,level<disa9led
%he de$ault auto@tuning leel is (normal(, and the possi#le settings $or the a#oe command
are1
disa9led1 uses a $ixed alue $or the tcp receie window. Limits it to 75AF +limited at 7DD4D,.
-i,-l1+est+icted1 allows the receie window to grow #eyond its de$ault alue, ery
conseratiely
+est+icted1 somewhat restricted growth o$ the tcp receie window #eyond its de$ault alue
no+mal1 de$ault alue, allows the receie window to grow to accommodate most conditions
e?pe+imental1 allows the receie window to grow to accommodate extreme scenarios +not
recommended, it can degrade per$ormance in common scenarios, only intended $or research
purposes. It ena#les R'IN alues o$ oer )7 MF,
Jur recommendation1 normal +unless you6re experiencing pro#lems,.
I$ you6re experiencing pro#lems with your N;% router or SPI $irewall, try the (restricted(,
(highlyrestricted(, or een (disa#led( state.
otes!
- "eportedly, some older residential #$ routers with a %&' firewall may ha(e problems with
enabled tcp auto-tuning in it)s *normal* state, resulting in slow speeds, packet loss, reduced
network performance in general.
- auto-tuning also causes problems with really old routers that do not support $+&
,indows scaling. %ee -%./ 035411
- netsh set commands take effect immediately after e2ecuting, there is no need to reboot.
- sometimes when using *normal* mode and long lasting connections 3p2p software 4
torrents), tcp windows can get (ery large and consume too much resources, if you)re
e2periencing problems try a more conser(ati(e 3restricted) setting.
I$ you6re experiencing pro#lems with ;uto@%uning, see also1
MS AF E4D5** @ email issues
First draft document-Nikolaos Katsampekis
MS AF 94554* @ networ" connectiity #ehind $irewall pro#lems
MS AF 95*757 @ 4P '';N throughput issues
MS AF 9-9E7E @ we# #rowsing issues
MS AF 94-)G* @ slow networ" $ile trans$er

Compo*nd TCP " Imp+ove t-+o*,-p*t
;dd@Jn Congestion Control Proider
%he traditional slow@start and congestion aoidance algorithms in %CP help aoid networ"
congestion #y gradually increasing the %CP window at the #eginning o$ trans$ers until the
%CP Receie 'indow #oundary is reached, or pac"et loss occurs. Bor #road#and internet
connections that com#ine high %CP 'indow with higher latency +high F!P,, these algorithms
do not increase the %CP windows $ast enough to $ully utiliIe the #andwidth o$ the connection.
Compound %CP +C%CP, is a newer method, aaila#le in ?ista and Serer -**E +there is also
a hot$ix aaila#le $or <P.-**4,. C%CP increases the %CP send window more aggressiely $or
#road#and connections +with large R'IN and F!P,. C%CP attempts to maximiIe throughput
#y monitoring delay ariations and pac"et loss. It also ensures that its #ehaior does not
impact other %CP connections negatiely.
Fy de$ault, ?ista and 'indows G hae C%CP turned o$$, it is only on #y de$ault under Serer
-**E. %urning this option on can signi$icantly increase throughput.
%o ena#le C%CP, in eleated command prompt type1
nets- int tcp set ,lo9al con,estionp+ovide+<ctcp
%o disa#le C%CP1
nets- int tcp set ,lo9al con,estionp+ovide+<none
Possi#le options are1 ctcp, none, de$ault +restores the system de$ault alue,.
Recommended setting1 ctcp
It is 9ette+ to *se t-is newe+ ,ene+ation CTCP con,estion cont+ol al,o+it-m .o+ most
9+oad9and connections@ we -i,-l1 +ecommend it 9ein, t*+ned on0
TcpTimedWait2ela1 Apo+t allocationB
Short lied +ephemeral, %CP.IP ports a#oe )*-5 are allocated as needed #y
the JS. %he de$ault ?ista alues hae improed $rom preious 'indows
ersions, and are usually su$$icient under normal load. Koweer, in some
instances under heay load it it may #e necessary to adOust the settings #elow
to twea" the aaila#ility o$ user ports re>uested #y an application.
I$ the de$ault limits are exceeded under heay loads, the $ollowing error may
#e o#sered1 (address in use1 connect exception(. Fy de$ault under ?ista
+when the alues are not presend in the registry,, the JS can allocate up to
)74E5 ephemeral ports a#oe port )*-5, and the JS waits $or )-* seconds
#e$ore reclaiming ports a$ter an application closes the %CP connection. %his is
a considera#le improement oer older 'indows ersions. Koweer, i$
necessary, the $ollowing registry alues can #e added.edited1
KA8=MLJC;LMM;CKIN8HS=S%8MHCurrentControlSetHSericesH%cpipHParam
eters
MaxNserPortQ7DD4D +!'JR!, not in the registry #y de$ault.
Recommended1 leae at de$ault, or use a num#er a#oe )74E5 up to 7DD4D
decimal as necessary, @ maximum num#er o$ ports to use. )*-5 is
automatically su#tracted $rom entered alue to allow $or resered ports under
)*-5.
%cp%imed'ait!elayQ4* +!'JR!, not present or *x$$$$$$$$ in registry #y
de$ault. Recommended1 4* decimal, denoting 4* seconds, @ time to wait
#e$ore reclaiming ports, in seconds. !e$ault time #e$ore reclaiming ports,
i$ alue is at *x$$$$$$$$ or not present in the registry is )-* seconds. Rust
First draft document-Nikolaos Katsampekis
reducing the delay is o$ten su$$icient without changing MaxNserPort, as it
allows $or reusing ports more e$$iciently.
8phemeral ports can #e chec"ed and changed using netsh as well.
%o >uery the current alues, in command prompt, type1
netsh int ip5 s-ow d1namicpo+t+an,e tcp +$or N!P, use the same
command, replacing only (tcp( with (udp( at the end,
%o set #oth the starting, and max user port using netsh, in eleated command
prompt run1
netsh int ip5 set d1namicpo+t+an,e p+otocol<tcp sta+t<%2: n*m<'#:
+startQNNN denoting the starting port, and numQNNN denoting the num#er o$
ports,
Notes1
Fy de$ault, dynamic ports are allocated #etween ports 59)D- and 7DD4D +$or a
total o$ )74E5 ephemeral ports,.
Nsing netsh allows to set #oth the starting port and port range. 8diting the
Registry allows $or setting the port range, and the starting port is $ixed at
)*-D. !eleting the MaxNserPort registry entry +or setting it to a alue outside
the allowed range, causes the JS to reert to using the de$ault alues.
Some system processes can install port $ilters to #loc" certain port ranges. I$
ephemeral ports run into these $iltered port ranges, %CP.IP applications will
be unable to bind to any ports.
First draft document-Nikolaos Katsampekis