4226 errors and lockups! Help!

Discussion in 'Windows Vista Networking' started by Tassadaru, Dec 25, 2006.

  1. Tassadaru

    Tassadaru Guest

    I have made a similar thread on another board, but I want to ask here too,
    maybe someone can help me.

    I am continuously receiving an event id 4226 error and my whole internet
    sometimes locks up, leaving all established connections alive, but giving
    permission denied to new attempts. I don't know how to make this not happen
    again, it's starting to drive me nuts. I've set my torrent client to do max 4
    halfopen connections per second and max 2 new connections per second, but it
    keeps crashing my internet. I would love to see a fix for this thing, since
    every time this happens, my internet stops. All established connections work,
    while all new attempts get a permission denied. Please help me.

    I have not made any alterations to my windows box, since none was needed and
    there were none I could find. I didn't enable or disable anything. It's just
    that I hate it when my internet locks up and no new connections can be made.
    It's really annoying especially when you need to do something quick.
    tcpip.sys is the original, sometimes the error appears and does nothing,
    sometimes the whole **** net freezes. That's what I want to avoid. The
    internet freezing part. Everything that is connected remains connected
    without a problem, what is not, can't establish a new connection and gets
    Permission denied. Please tell me or advise me what to do about the
    permission denied part, since I'm really considering burning vista and
    kicking it to a trashcan. My tcpip.sys file is version 6.0.6000.16386 size
    784 KB (802,816 bytes). Please give some feedback on what CAN I do for the
    internet just not stop, even if it slows down. What can be causing theese
    lockups?

    y connection is cable modem based, using a Scientific Atlanta Webstar 2000
    Series cable modem through nVidia nForce Networking Controller (nForce4),
    since the modem doesn't have drivers for vista rtm so I can plug it in the
    USB and worry no more (maybe). So no routers are present in my configuration,
    just the vista default config of firewall, that ALLOWS utorrent (that may be
    causing the problems) to connect as he wishes. I narrowed down the uTorrent
    configuration options to net.max_halfopen to 4 and net.connect_speed to 5, so
    the max half-open connections that uTorrent will attempt is 4, and the
    maximum connections per second that uTorrent will do are 5. That will slow
    things down, I know, but may be a temporary fix until something good comes
    along and a patch to tcpip.sys is released. But I don't know how to disable
    the net lockup part. What's causing that? I see nothing in my logs, about
    some component of vista restricting one of my running apps, it just...
    freezes, and what's connected remains connected, what not, ... tough luck!

    If you want, I can generate a report for you and you could see what's on my
    system. Anyways, I'm running Windows Vista Professional 6.0 (Build #6000).

    My specs (short) are: OS: Windows Vista Professional 6.0 (Build #6000) CPU:
    AMD Athlon 64 3500+, 2.50 GHz, 512KB Video: NVIDIA GeForce 7600 GT
    (1024x768x32bpp 75Hz) Sound: Speakers (NVIDIA nForce Audio) Memory: Used:
    488/1023MB Uptime: 7m 32s HD: Free: 54.42 GB/298.10 GB Connection: NVIDIA
    nForce Networking Controller @ 100.0 Mbps (Rec: 14.56MB Sent: 8.09MB).

    The drivers I'm using are from Microsoft Update, since they installed at the
    first update. So they're WHQL signed, and Microsoft trusts them and tested
    them. And no apps in the background that could be making other connections.
    mIRC and Yahoo Messenger are connected, but they're in ESTABLISHED state. I
    don't know what to do...

    I have changed the adapters between them, as a little try of resolving my
    problems:

    I forgot to mention I have two adapters in my Computer:

    1. nVidia nForce networking controller (inet connection with ics enabled)
    2. Realtek RTL8319/810x Family Fast Ethernet NIC

    The net got to my computer through nVidia Network and then got to my mom's
    pc through Realtek.
    I changed the roles, now the net comes through Realtek and goes to my mom's
    through nVidia.

    Maybe this will help, I dunno. I also got a "patched" (or so he said)
    tcpip.sys from a friend who said that there limit in that .sys is patched. I
    don't know for that, but problems still arose after installing of the new
    ..sys file. We'll see how it will behave in this configuration.

    I don't know what to say, but I saw something in my logs today looking like
    this:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 12/25/2006 4:00:05 PM
    Event ID: 5032
    Task Category: Other System Events
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: DarkMind
    Description:
    Windows Firewall was unable to notify the user that it blocked an
    application from accepting incoming connections on the network.

    Error Code: 2
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"
    Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5032</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12292</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2006-12-25T14:00:05.847Z" />
    <EventRecordID>898</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="3380" />
    <Channel>Security</Channel>
    <Computer>DarkMind</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="ErrorCode">2</Data>
    </EventData>
    </Event>

    What to do? What is happening?

    I disabled UAC, but not defender. Anyways, I don't want UAC since I want to
    run all of my programs as administrator, I know it's risky but I hate always
    pressing the As administrator button and so on, anyways, is what's causing
    the internet lockups? If yes, what do I need to do? It doesn't just block ONE
    application, it blocks ALL applications from whatever connection they're
    wanting to attempt, and leaves the applications already connected alone. I
    just want to fix this. My patience is getting out of hand here, since I am
    really beginning to get annoyed by this stupid lockup. Please tell me if I
    can do something to avoid the lockups or not. Thank you.

    PS: It doesn't restrict the application to accept incoming connections. It
    restricts all aplications from accepting or making new connections.

    I tried disabling Windows Firewall... as duceyaj mentioned, now I'll see
    what's happening. And yes, I am sure it's the RTM version I'm using,
    activated and with all updates installed, I don't know what KMS is, but
    anyway, I'll see how it behaves without Windows Firewall turned on.

    Later edit. It did it again, without Windows Firewall active. And nothing
    shows in event log but this:

    A crash in Application log, that has been 3-4 hours before lockdown,
    Security (3-3:30 hours before the lockdown):

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 12/25/2006 8:54:22 PM
    Event ID: 4672
    Task Category: Special Logon
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: DarkMind
    Description:
    Special privileges assigned to new logon.

    Subject:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e7

    Privileges: SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"
    Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2006-12-25T18:54:22.991Z" />
    <EventRecordID>904</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1464" />
    <Channel>Security</Channel>
    <Computer>DarkMind</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege</Data>
    </EventData>
    </Event>

    And in System logs, the following events (dunno the exact hour of the
    lockdown):

    Log Name: System
    Source: Tcpip
    Date: 12/26/2006 12:00:31 AM
    Event ID: 4226
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: DarkMind
    Description:
    TCP/IP has reached the security limit imposed on the number of concurrent
    TCP connect attempts.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Tcpip" />
    <EventID Qualifiers="32768">4226</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2006-12-25T22:00:31.201Z" />
    <EventRecordID>1971</EventRecordID>
    <Channel>System</Channel>
    <Computer>DarkMind</Computer>
    <Security />
    </System>
    <EventData>
    <Data>
    </Data>
    <Binary>00000000010000000000000082100080000000000000000000000000000000000000000000000000</Binary>
    </EventData>
    </Event>

    Log Name: System
    Source: Service Control Manager
    Date: 12/26/2006 12:13:18 AM
    Event ID: 7036
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: DarkMind
    Description:
    The WinHTTP Web Proxy Auto-Discovery Service service entered the running
    state.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager"
    Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service
    Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2006-12-25T22:13:18.000Z" />
    <EventRecordID>1972</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DarkMind</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">WinHTTP Web Proxy Auto-Discovery Service</Data>
    <Data Name="param2">running</Data>
    </EventData>
    </Event>

    Log Name: System
    Source: Service Control Manager
    Date: 12/26/2006 12:29:48 AM
    Event ID: 7036
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: DarkMind
    Description:
    The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped
    state.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager"
    Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service
    Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2006-12-25T22:29:48.000Z" />
    <EventRecordID>1973</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DarkMind</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">WinHTTP Web Proxy Auto-Discovery Service</Data>
    <Data Name="param2">stopped</Data>
    </EventData>
    </Event>

    Log Name: System
    Source: Microsoft-Windows-SharedAccess_NAT
    Date: 12/26/2006 12:59:35 AM
    Event ID: 31004
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: DarkMind
    Description:
    The DNS proxy agent was unable to allocate 0 bytes of memory. This may
    indicate that the system is low on virtual memory, or that the memory manager
    has encountered an internal error.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-SharedAccess_NAT"
    Guid="{A6F32731-9A38-4159-A220-3D9B7FC5FE5D}" EventSourceName="ipnathlp" />
    <EventID Qualifiers="0">31004</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2006-12-25T22:59:35.000Z" />
    <EventRecordID>1974</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DarkMind</Computer>
    <Security />
    </System>
    <EventData Name="IP_DNS_PROXY_LOG_ALLOCATION_FAILED">
    <Data Name="param1">0</Data>
    </EventData>
    </Event>

    What's happening? For the lockdown to be removed, I closed my torrent
    program and started it again. But I had NO PROBLEMS WHATSOEVER in XP SP2 with
    Windows Firewall ON and Nod32 as an antivirus. I don't know what the heck is
    wrong here.

    Theese are my posts, if you have had patience reading them, please try and
    help me. Thank you so much in advance.
     
    Tassadaru, Dec 25, 2006
    #1
    1. Advertisements

  2. Tassadaru

    Flup Guest

    The only solution is to patch TCPIP.sys.
    There is no patch yet for vista.
    BUT, Vista corporate allows more connections.
    So try to install vista corp. on a virtual PC and copy its TCPIP.sys to your PC.

    If your smart enough , you can compare it with the original and find out what bytes you need to patch.

    hope this helps you ..
    I have the same problem , but i`m to damn lazy ;)

    EggHeadCafe.com - .NET Developer Portal of Choice
    http://www.eggheadcafe.com
     
    Flup, Jan 8, 2007
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.