
Thread: TCP/IP Warning.

  1. #1

    TCP/IP Warning.

    Since a clean install of XP Home Edition and the application of SP2 about 1 month ago, I have on 7 occasions found the following Event Viewer entry:


    Event Type: Warning
    Event Source: Tcpip
    Event Category: None
    Event ID: 4226
    Date: 7/02/2005
    Time: 1:50:53 PM
    User: N/A
    Computer: WDGR

    Description:

    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Data:
    0000: 00 00 00 00 01 00 54 00 ......T.
    0008: 00 00 00 00 82 10 00 80 ....?..?
    0010: 01 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........



    During the previous 3 years of the original installation I did not once find this entry logged. All programs and applications on the new installation are the same as on the old. Is it somehow related to SP2?

    The only information I can find about Event ID 4226 suggests this is a warning that a malicious program or a virus might be running on the system, or that it is related to file sharing or P2P programs.
    I don't use P2P programs or file sharing and haven't had the slightest indication of a malicious program or virus running on the system. A-V and spyware, malware, etc. scans and checks are clear.

    Any knowledge or experiences regarding this matter would be appreciated.

  2. #2
    Join Date: Jul 2004 | Location: Fulda, Germany | Posts: 996

    Yes, this is an XP SP2 thing. Please read the following article and run the fix tool to get rid of this warning:

    http://www.speedguide.net/read_articles.php?id=1497

  3. #3
    I am aware of the fix your link refers to, but as the warning message in my case cannot be caused by P2P software, file sharing, or BitTorrent use [don't use] and I can't find any evidence of virus or spyware infestation, rather than merely stopping the creation of a warning entry, I wish to determine the cause.

  4. #4
    Join Date: Jul 2004 | Location: Fulda, Germany | Posts: 996
    At any given time, my computer is using around 7 or 8 outgoing TCP connections. Granted, they are not all connection attempts (which are the only ones counted in the 10-connection rule).

    It really depends on what you're doing with your computer to determine the cause. For example, I always have firefox open with about 3 tabs to open automatically at startup (that's at least 3 connect attempts when I first run Firefox, but if all of the graphics are linked to other pages, it could be as much as 15-20 connect attempts in one second). If you'd like to see the details on the actual connections, you would have to use a tool like netstat /a from your command prompt--but unfortunately that doesn't tell you anything about connection attempts unless you can run it at the exact second it is making the connection (not really practical). Look for a group of connections in a high port range that are in listening mode, which is something that could indicate a real problem. I suspect that this has been happening to you all along, but you only know about it now because you have SP2.

    I would not rule out spyware or Trojans causing this sort of thing, however. Your best bet for now is to run the usual scans (Adaware, Spybot, Trojan Hunter trial version, and enable Spyware Blaster). Lastly you really could/should run an online virus scan (House Call or Bit Defender to name a couple). And are you running any sort of Firewall (besides the XP Firewall, that is)? This is exactly the sort of thing that a software firewall will help you prevent. If so, the activity logs in there may provide you with the answer you're looking for.
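    The snapshot approach described in the post above (a single `netstat -an` run, looking at states and at listeners on high ports) can be made a little more systematic with a small parser. The following is an added example, not code from the thread or any product it mentions; the `netstat` text it reads is constructed to look like the Windows XP layout and was not captured from a real host, and the names `parse_netstat`, `assess` and the constants are my own. As post #4 notes, a snapshot only shows attempts that are in flight (`SYN_SENT`) at that instant, so it answers "what is this box doing right now", not "what happened at the time of the 4226 entry".

```python
import re
from collections import Counter

# Constructed `netstat -an` output in the Windows XP layout; not captured from any real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19411          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25680          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1106      64.233.161.99:80       ESTABLISHED
  TCP    192.168.1.10:1107      64.233.161.99:80       ESTABLISHED
  TCP    192.168.1.10:1108      10.77.3.9:445          SYN_SENT
  TCP    192.168.1.10:1109      10.77.3.10:445         SYN_SENT
  TCP    192.168.1.10:1110      10.77.3.11:445         SYN_SENT
  TCP    192.168.1.10:1111      10.77.3.12:445         SYN_SENT
  TCP    192.168.1.10:1112      207.46.245.156:80      TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# Matches a TCP line; the optional trailing number is the PID column of `netstat -ano`.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
HIGH_PORT = 1024        # listeners above this are the ones post #4 says to look at
HALF_OPEN_LIMIT = 10    # XP SP2 cap on concurrent incomplete outbound connect attempts


def _split(addr):
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text):
    """Return one dict per TCP line; headers and UDP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = _split(m.group(1))
        rhost, rport = _split(m.group(2))
        conns.append({"local": lhost, "lport": lport, "remote": rhost, "rport": rport,
                      "state": m.group(3), "pid": int(m.group(4)) if m.group(4) else None})
    return conns


def state_counts(conns):
    """How many sockets are in each TCP state."""
    return Counter(c["state"] for c in conns)


def high_port_listeners(conns, threshold=HIGH_PORT):
    """Listening sockets above `threshold`, sorted by port."""
    return sorted(c["lport"] for c in conns if c["state"] == "LISTENING" and c["lport"] > threshold)


def pending_attempts(conns):
    """SYN_SENT entries: connect attempts still waiting on the peer, which is
    the kind of attempt the SP2 limit counts."""
    return [c for c in conns if c["state"] == "SYN_SENT"]


def assess(conns, limit=HALF_OPEN_LIMIT):
    """Plain-language findings from one snapshot."""
    findings = []
    pending = pending_attempts(conns)
    if pending:
        port, n = Counter(c["rport"] for c in pending).most_common(1)[0]
        hosts = {c["remote"] for c in pending if c["rport"] == port}
        findings.append(f"{len(pending)} attempts in SYN_SENT, {n} of them to port {port} "
                        f"on {len(hosts)} different hosts")
        if len(pending) >= limit:
            findings.append(f"at or above the SP2 limit of {limit}; a 4226 warning is expected")
    listeners = high_port_listeners(conns)
    if listeners:
        findings.append(f"listening on high ports {listeners}; map them to processes "
                        f"(netstat -ano) and check each one")
    return findings


if __name__ == "__main__":
    snapshot = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(snapshot)))
    for line in assess(snapshot):
        print("-", line)
```

    Several `SYN_SENT` entries to the same destination port on consecutive addresses, as in the constructed sample, is exactly the burst pattern the SP2 limit is meant to slow down; in a real snapshot, the next step is the PID-to-process mapping (`netstat -ano` or the port-to-process tool mentioned later in the thread) rather than the state counts alone.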

  5. #5
    Off the top of my head, excluding spyware, viruses etc, the other thing could be a ping attack (often created by other users on the network who are infected with viruses) which exploits tcp/ip sync. Basically a syn attack occurs when a host sends a ping to another host, the second host replies, but the 1st host doesn't complete the tcp/ip sync with a further reply - therefore the port is left open for a period of time.

    A firewall which is set to not respond to ICMP will solve this if it is the problem.

    Another thing is that if you are using a software firewall, extra connections will be made because the system creates a loopback in order to check the traffic.
    Whether the new IPV6 virtual addressing implemented with SP2 has an impact, I don't know.

  6. #6
    Join Date: Nov 2001 | Location: ^~^In my mind^~^ | Posts: 992

    You should not be able to reach this limit by only surfing some Web sites and sending / receiving emails manually. The limit you are hitting only applies to connections in which the destinations are unreachable. You absolutely should not hit it if you are opening TCP connections to addresses that are live with an active listener on the destination port.

    I quote from MS:
    This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.
    There may be something else in your computer that creates a lot of TCP connections. The following approach might help:

    Download, install, update and scan your system with TDS3 from http://tds.diamondcs.com.au/ and Trojanhunter from here http://www.trojanhunter.com/. They both offer fully functional trial versions and they don't miss much.

    Then run a scan with HijackThis and post the log here. Download 'Hijack This!'. http://www.subratam.org/?page=removal Unzip to a convenient folder, doubleclick HijackThis.exe, and hit "Scan".
    When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

    You can also download a port enumerator which allows you to do real time port to process mapping. The best one IMO is Port Explorer from http://www.diamondcs.com.au/portexpl...?page=download. It's not free but offers a fully functional trial version... and keep us informed how it goes.

  7. #7
    Join Date: Jul 2004 | Location: Fulda, Germany | Posts: 996

    Between 2:38:33 and 2:38:55 this morning my computer (ieexplore.exe) initiated around 40 outgoing TCP connections (Ports 1106 through 1155). This is right around the time I got home from work and was working on schoolwork with Outlook Express. How do I know this? I use the traffic log in my Sygate firewall. My point is that using a software firewall is a great idea because it keeps track of stuff like this. My other point is that it's not impossible (although it may be a little uncommon) to make more than 10 connection attempts at any given time. I would not assume that you are infected, but I would not rule it out either. Shanmuga has offered a great alternative that might be able to tell you a little more info than using a simple TCP traffic log.

    You will most likely have to do a little more detective work than you're willing to do to find the root of your "problem," but it is possible. I also don't think it's a bad idea to follow up with a HijackThis log anyway--just to be sure.

  8. #8
    Quote Originally Posted by FastLearner:
    ... How do I know this? I use the traffic log in my Sygate firewall. My point is that using a software firewall is a great idea because it keeps track of stuff like this. ...
    I too use Sygate, but hadn't thought to check the logs - thanks for the reminder.

    The most recent 4226 warning was earlier today, 5:53:56 AM. On checking the Sygate traffic log I see 19 'occurrences' to www.ati.com between 02/11/2005 05:53:56 and 02/11/2005 05:54:07.
    This is a legitimate connection as I went to the ATI site to download the latest Catalyst 5.2 driver.

    I also noted 49 instances over the past 3 days of more than 10 'occurrences' [10-69] over various times [5 seconds - almost 2 1/2 minutes] to websites.
    Apparently the 10 incomplete connection attempts per minute rule was not breached, as an Event Viewer 4226 warning was not generated by any of these instances.

    All the sites are regularly used by me, and undoubtedly the connections were initiated by me.

    To me this is close enough to proof that the occasional, random 4226 warnings I receive are due to SP2 changes, rather than virus or spyware infestation.

    However, I'm still interested in other views of this matter.

    Thanks for all advice and information offered - very handy for future reference.

  9. #9
    Quote Originally Posted by WDGC:
    ... the 10 incomplete connection attempts per minute rule ...

    Should read ... the 10 incomplete connection attempts per SECOND rule ...
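    Posts #8 and #9 together make the point that matters for reading a firewall traffic log against Event ID 4226: a burst of more than ten attempts spread over five seconds or two minutes does not trip the limit, while ten or more that are still incomplete at the same moment does, so the log has to be bucketed by second (and by process), not by minute. The script below is an added example, not code from the thread or from Sygate; its log is a constructed CSV in a generic layout, not a real Sygate export, and the function names (`parse_log`, `bursts_over_limit`, `attempts_in_window`, `explain_event`) are my own. Counting attempts per second is only an approximation of the real rule, which counts concurrent incomplete attempts and so also depends on how quickly each peer answers; a per-second count therefore tends to over-count attempts that completed immediately.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# XP SP2's cap on concurrent incomplete outbound TCP connect attempts; Tcpip logs
# Event ID 4226 when it is reached.
LIMIT_PER_SECOND = 10
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _burst(start, count, host, process, spread_seconds=0):
    """Emit `count` constructed outbound-TCP log lines beginning at `start`,
    spread evenly across `spread_seconds` (0 = all within the same second)."""
    t0 = datetime.strptime(start, TS_FMT)
    lines = []
    for i in range(count):
        t = t0 + timedelta(seconds=(i * spread_seconds) // count)
        lines.append(f"{t.strftime(TS_FMT)},out,TCP,{host},80,{process}")
    return lines


# Constructed traffic log (generic CSV, not a real Sygate export):
# timestamp,direction,proto,remote_host,remote_port,process
SAMPLE_LOG = "\n".join(
    ["timestamp,direction,proto,remote_host,remote_port,process"]
    + _burst("2005-02-11 05:53:56", 12, "www.ati.com", "iexplore.exe")       # 12 in one second
    + _burst("2005-02-11 05:53:57", 7, "www.ati.com", "iexplore.exe", 10)    # 7 more spread over 10 s
    + _burst("2005-02-11 06:10:00", 15, "news.example", "iexplore.exe", 5)   # 15 over 5 s: 3 per second
    + _burst("2005-02-11 06:30:12", 6, "mail.example", "msimn.exe")          # 6 in one second
) + "\n"


def parse_log(text):
    """Parse the CSV log into dicts with a datetime `time` field."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["timestamp"], TS_FMT)
        row["remote_port"] = int(row["remote_port"])
        entries.append(row)
    return entries


def outbound_tcp(entries):
    return [e for e in entries if e["direction"] == "out" and e["proto"] == "TCP"]


def attempts_per_second(entries):
    """Outbound TCP attempts bucketed by (second, process)."""
    return Counter((e["time"].strftime(TS_FMT), e["process"]) for e in outbound_tcp(entries))


def bursts_over_limit(entries, limit=LIMIT_PER_SECOND):
    """(second, process, count) for every second in which one process opened
    more than `limit` attempts; the seconds a 4226 entry can line up with."""
    hits = [(sec, proc, n) for (sec, proc), n in attempts_per_second(entries).items() if n > limit]
    return sorted(hits)


def attempts_in_window(entries, start, seconds):
    """Attempts in [start, start + seconds): the multi-second view from post #8,
    which is not what the limit measures."""
    t0 = datetime.strptime(start, TS_FMT)
    t1 = t0 + timedelta(seconds=seconds)
    return sum(1 for e in outbound_tcp(entries) if t0 <= e["time"] < t1)


def explain_event(entries, event_time, slack=2, limit=LIMIT_PER_SECOND):
    """Bursts within +/- `slack` seconds of a 4226 event's timestamp."""
    t = datetime.strptime(event_time, TS_FMT)
    lo, hi = t - timedelta(seconds=slack), t + timedelta(seconds=slack)
    return [b for b in bursts_over_limit(entries, limit)
            if lo <= datetime.strptime(b[0], TS_FMT) <= hi]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for sec, proc, n in bursts_over_limit(log):
        print(f"{sec}  {proc:<14}{n:>3} attempts in one second (limit {LIMIT_PER_SECOND})")
    print("06:10:00 + 5 s:", attempts_in_window(log, "2005-02-11 06:10:00", 5),
          "attempts, yet no single second is over the limit")
    print("Matches for the 05:53:56 event:", explain_event(log, "2005-02-11 05:53:56"))
```

    Run against the constructed log, only the twelve-in-one-second burst to www.ati.com is reported, while the fifteen attempts spread over five seconds (more than ten in the window, as in the 49 instances post #8 counted) produce nothing, and the match for the 05:53:56 event time lands on the browser process. On a real export the process column is what separates "I opened a page with many linked images" from a process you do not recognise opening many attempts at once.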
