
Limit of 10 connections to XP Pro


playsafe


Server: Windows 2003 server as Active Directory and domain controller.

All clients are using Windows XP Pro SP 2.

There are 6 printers attached to 6 different client systems for print sharing. All printers have "List in directory" checked in the Sharing tab of the printer properties.

There is a limit of ten simultaneous connections for win XP as described by Microsoft.

When client computers are switched on in the morning, they start connecting themselves to the print shares. Once the limit of ten connections is reached for a system with a printer, other clients get an "Unable to connect" message when connecting to the printer.

I read the following related support articles at microsoft.com:

http://support.microsoft.com/kb/314882

http://support.microsoft.com/kb/328459

Is there a workaround so that a connection (session) is made when a system sends a print and not when it is switched on, holding a NULL SESSION?

Link to comment
Share on other sites


Event ID 4226 Patcher

What's this all about?

Now that almost everybody knows the <<EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts>>, I spent a day creating, for educational purposes, a fix for this argumentative feature.

Unfortunately there exists no REG-key which could easily be set (would be so nice and easy, right? *smile*). The file TCPIP.SYS in the directories C:\WINDOWS\SYSTEM32\DRIVERS and C:\WINDOWS\SERVICEPACKFILES\I386 has to be changed (depending on the system, possibly in C:\WINDOWS\SYSTEM32\DLLCACHE, too).

Needed things:

- Windows XP SP2 (from RC2 upwards) or Windows 2003 Server SP1 beta

- patcher

- a small amount of time

What's been done:

Put simply: the previous limit of 10 half-open connections is increased to 50 (can be changed during runtime and with the parameter /L) and the CRC is corrected. And that's it!

Comment:

The method described here should only be used by users who know how to handle everything described. By downloading the program published here, the user acknowledges that changes are made to third-party files. I cannot be held responsible for damages of any kind. Indeed, tests worked fine here. However, nothing is impossible.

Info: If an error occurs, the patcher can change TCPIP.SYS back to the original!

Instruction:

Just download the patcher and execute it. It will automatically find the Windows directory and ask if it should increase/decrease. For higher values, please check the help with parameter /?.

After a successful patch, the new TCPIP.SYS will be automatically installed. After that, the computer should be restarted.

Download LINK

Notice: You should be a Windows Server license holder or this action is considered illegal!!

Link to comment
Share on other sites

In countries where the EULA is considered binding, this is technically a violation of the EULA as it modifies the product (XP) to work other than designed.

(partially extracted from the EULA)

GRANT OF LICENSE. Manufacturer grants you the following rights, provided you comply with all of the terms and conditions of this EULA:

* Installation and Use. Except as otherwise expressly provided in this EULA, you may install, use, access, display and run only one (1) copy of the SOFTWARE on the COMPUTER. The SOFTWARE may not be used by more than two (2) processors at any one time on the COMPUTER, unless a higher number is indicated on the Certificate of Authenticity. You may permit a maximum of ten (10) ("Connection Maximum") computers or other electronic devices (each a "Device") to connect to the COMPUTER to utilize one or more of the following services of the SOFTWARE: File services, Print services, Internet Information services, and remote access (including connection sharing and telephony services). The ten (10) Connection Maximum includes any indirect connections made through "multiplexing" or other software or hardware which pools or aggregates connections. Except as otherwise permitted herein, you may not use the Device to use, access, display or run the SOFTWARE, the SOFTWARE's User Interface or other executable software residing on the COMPUTER. This ten connection maximum does not apply to any other uses of the Product.

* Software as a Component of the Computer - Transfer. THIS LICENSE MAY NOT BE SHARED, TRANSFERRED TO OR USED CONCURRENTLY ON DIFFERENT COMPUTERS. The SOFTWARE is licensed with the COMPUTER as a single integrated product and may only be used with the COMPUTER. If the SOFTWARE is not accompanied by HARDWARE, you may not use the SOFTWARE. You may permanently transfer all of your rights under this EULA only as part of a permanent sale or transfer of the COMPUTER, provided you retain no copies, if you transfer the SOFTWARE (including all component parts, the media, any upgrades, this EULA and the Certificate of Authenticity), and the recipient agrees to the terms of this EULA. If the SOFTWARE is an upgrade, any transfer must also include all prior versions of the SOFTWARE.)

Link to comment
Share on other sites

The link N1K provided is the supposed fix for the 10 half-open connections limit that was added in SP2, not a fix for the 10 connection limit.

The legal answer is no. For true server duties you should use the server version of the OS (i.e. Server 2003 R2, Standard Edition). If printing is your only requirement, a cheaper option would be to purchase a dedicated print server device and configure the clients for direct-IP printing. If you already have a server then I would suggest purchasing a dedicated print server device for each printer (or if they have the capability of adding a network card, that's your best option). Then configure those printers on the server using IP printing and share them from there. It won't add that much load to your server...particularly since you're only talking about six printers.

Edited by nmX.Memnoch
Link to comment
Share on other sites

Cluberti, So isn't that sort-of against MSFN rule 1, a little bit? Circumvention of whatchamacallit restrictions or whatever? I'm not trying to be mean or picky or anything, I just think this topic is a bit... on the fine line between OK and not OK.

Link to comment
Share on other sites

I try not to play in the grey area on things like this - it's not illegal everywhere, and it doesn't allow you to illegally use XP itself (like circumventing WGA or activation), so it doesn't technically violate rule #1 in my book. It's such a broad area, and since we're a global site on the 'net, I can't assume that it's illegal for everyone just because it's a violation of the EULA in, say, the US.

Link to comment
Share on other sites

Patching tcpip.sys is unwise... most people don't understand what the limit even means. I've never been limited by it, ever. People patched tcpip.sys and spread it around as an enhancement when it does nothing but allow you to destroy Winsock that much faster.

How's that an enhancement? I don't know...

The thing is, it's pretty hard to hit ten at the same time. It's not as if the half-open connections stay open very long. They time out fast enough that it never happens. If you just hit ten invalid IP addresses at the same time and they're all half-open, maybe you should consider stopping whatever it is you're doing.

SP2 imposed a limit of ten on the amount of half-open stalled outbound connections. When the limit is reached, an event is logged. The reason they did it is to curb the payload of viruses/etc, so when you end up with port scanning trojans, etc. they would be stopped. The statistics that came back after they did this proved that it was a wise move.

People think it's going to affect their P2P somehow and it doesn't. All of the addresses are valid and ones that end up half-open close pretty quickly. Sadly, even Shareaza believes in this FUD. It warns you that your experience won't be as good because of the limit. So they released this "patched" tcpip.sys to remove the limit and say it's a "tweak".

So yeah, if you get infected, welcome to 65535 half-open connections. Enjoy your Winsock.

Link to comment
Share on other sites
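
The half-open outbound connections discussed in the post above show up as SYN_SENT rows in `netstat -ano` output. As an added example (not part of the original thread), this Python script counts them per process over a constructed capture and flags any PID at or over the limit of ten; the function names and the sample rows are assumptions made for illustration.

```python
from collections import defaultdict

HALF_OPEN_LIMIT = 10  # SP2's cap on half-open outbound connections, per the post above

def half_open_by_pid(netstat_text):
    """Return {pid: set of (remote_ip, remote_port)} for TCP rows in SYN_SENT."""
    pending = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns: proto, local, foreign, state, pid.
        # Headers and UDP rows (no state column) are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "SYN_SENT":
            continue
        ip, _, port = fields[2].rpartition(":")
        pending[int(fields[4])].add((ip, int(port)))
    return dict(pending)

def flag_scanners(netstat_text, limit=HALF_OPEN_LIMIT):
    """List (pid, half_open_count, distinct_hosts, ports) for PIDs at or over the limit."""
    findings = []
    for pid, targets in sorted(half_open_by_pid(netstat_text).items()):
        if len(targets) >= limit:
            hosts = {ip for ip, _ in targets}
            ports = sorted({port for _, port in targets})
            findings.append((pid, len(targets), len(hosts), ports))
    return findings

def build_sample():
    """Constructed `netstat -ano` capture: one ordinary PID, one scan-like PID."""
    rows = ["  Proto  Local Address          Foreign Address        State           PID",
            "  TCP    192.168.1.20:1030      192.168.1.5:445        ESTABLISHED     4",
            "  UDP    0.0.0.0:445            *:*                                    4",
            "  TCP    192.168.1.20:1031      192.168.1.7:9100       SYN_SENT        1180"]
    # PID 2464 has 12 pending connects to port 445 on 12 different hosts.
    rows += [f"  TCP    192.168.1.20:{2000 + i}      10.0.0.{i + 1}:445          SYN_SENT        2464"
             for i in range(12)]
    return "\n".join(rows)

if __name__ == "__main__":
    for pid, count, hosts, ports in flag_scanners(build_sample()):
        print(f"PID {pid}: {count} half-open connects to {hosts} hosts, ports {ports}")
```

A single process holding many SYN_SENT entries to many distinct hosts on one port is the pattern the limit was meant to throttle; a process with one or two pending connects is ordinary traffic.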

Patching tcpip.sys is unwise... most people don't understand what the limit even means. I've never been limited by it, ever. People patched tcpip.sys and spread it around as an enhancement when it does nothing but allow you to destroy Winsock that much faster.

How's that an enhancement? I don't know...

Well, XP _does_ impose a limit on inbound connections to the server service at 10 (as does Vista and W2K and NT4 Workstation...). You've obviously never tried to use XP or Vista running the R2 print management console to try and admin hundreds of printers, I take it :).

Regardless, I personally don't believe in violating the EULA by patching the tcpip.sys to allow more than 10 inbound connections - if you need more than that, you're running a SERVER and need a server-class OS such as Windows Server 2003 (or a Linux Samba server, if you so choose).

Link to comment
Share on other sites

The link N1K provided is the supposed fix for the 10 half-open connections limit that was added in SP2, not a fix for the 10 connection limit.

The legal answer is no. For true server duties you should use the server version of the OS (i.e. Server 2003 R2, Standard Edition). If printing is your only requirement, a cheaper option would be to purchase a dedicated print server device and configure the clients for direct-IP printing. If you already have a server then I would suggest purchasing a dedicated print server device for each printer (or if they have the capability of adding a network card, that's your best option). Then configure those printers on the server using IP printing and share them from there. It won't add that much load to your server...particularly since you're only talking about six printers.

First of all, I'm really sorry for coming back to the post so late. I was installing my system and removing a virus from it; that is why I just could not get online.

Regarding the problem I face, nmX.Memnoch is absolutely right. I'm talking about the number of inbound connections and NOT TCP/IP half-open connections per second.

It is not so good to hear that it can't be improved, without going into the hot debate of whether it is legal or illegal. I will now try to have a combination of print servers and printers directly connected and configured through Ethernet cards.

Still, I have one question: can we change something so that a client computer makes a connection to the system when the computer sends a print and not while it is powered on?

I read this page http://support.microsoft.com/kb/328459 again and again, but I am still unable to understand if it can help me or not.

Link to comment
Share on other sites

I'm just wondering why you need the 6 different printers in 6 different locations? Are they each for different purposes, and does everyone in the office need access to all of them?

Link to comment
Share on other sites

I'm just wondering why you need the 6 different printers in 6 different locations? Are they each for different purposes, and does everyone in the office need access to all of them?

I have these printers on two floors; on each floor there is partitioning. In each partition there are about 10 people who use the printer of their own partition. But if for some reason a printer gives a problem or something else, the adjacent partition's printers are used. That is why I want to give them access to their own partition's printer and the adjacent one also, if possible.

No they are not for different purposes.

Link to comment
Share on other sites

One more thing I want to mention. Previously, they were mostly automatically added by WinXP, like "Auto printer on system". And everything was going fine, as about 50 systems had these auto-configured printers.

But since I installed Symantec Client Security, firewall included, I have to add printers manually or through a script, i.e. auto printer addition stopped working. And so the connections problem arose.

So I think that "Auto" did not create a connection until a print was sent, whereas adding a printer manually does establish a permanent connection as the system gets powered on or at user login.

Link to comment
Share on other sites

From what I see, you have two options.

One - limit people to only being able to use their own section's printer. This isn't really ideal, but it'll cost you nothing more than a little configuration time.

Two - Buy a network print server for each printer. These devices will connect to your network, and you won't run into troubles of the limited number of connections. These devices are usually pretty cheap - $50-$100 each - and would cost much less than a server licence for each partition (which is what you'd otherwise need). Something like this is what you're looking for.

If it were my office, I'd go for the print servers. It's a bit more expensive, but it makes the printers independent of any systems in the office.

Link to comment
Share on other sites
