Windows 7 tcpip.sys Auto Patcher to Remove TCP/IP Connection Limit


  1. Posts : 26
    Build 7000
       #11

    no such registry key


    After first running the patch and then choosing to 'restore original file', which apparently worked because the test mode watermark has disappeared from my desktop, I'm trying to verify that Build 7000 is not limited to 10 half open connections by locating the registry key you mentioned. But my registry has no such key in that location. Is there any other way to discover the limit number on my system without installing any software? I have tried running my torrent client (Bitcomet) to see if it will report the number somewhere, but didn't have any luck. Please advise. Thanks a lot.


  2. Posts : 63
    Clients: XP/Win7/ubuntu
       #12

    From the author of TCP-Z :

    Say Bye To Half-open TCP Connections Limit In Vista/2008 SP2
    Thursday, May 7, 2009


    Good news from Microsoft!

    On May 6, 2009, in this article, Microsoft confirmed that:
    By default, the half-open TCP connections limit is disabled in Windows Server 2008 with Service Pack 2 (SP2) and in Windows Vista with Service Pack 2 (SP2).

    Thanks for this, my long-standing doubts about RateLimit have been resolved by Microsoft's answer.

    Last year, I found a case. In Vista, I could simply modify the value "TcpCreateAndConnectTcbRateLimitDepth" from 1 to 0 in kernel memory, and the half-open TCP connections limit was removed immediately!
    But I am not sure whether this is a safe method. So, in TCP-Z, this function is never active. TCP-Z only shows this value.

    After Vista 16670 and Windows 7 6956, Microsoft strangely set TcpCreateAndConnectTcbRateLimitDepth to 0 by default.
    In later versions of TCP-Z, it will show a lock icon to distinguish this difference.

    Now Microsoft answers: it's safe! And it provides a simple modification method via the registry.
    When you add a registry entry "EnableConnectionRateLimiting" and set it to 1 or 0, it will switch TcpCreateAndConnectTcbRateLimitDepth between 1/0 synchronously.
    You can see the changes in the graph of TCP-Z.
    After TcpCreateAndConnectTcbRateLimitDepth changes to 1, Windows will calculate the creation rate and apply the limit. In testing you can see the value is limited to 11.


    This registry entry only works in Windows Server 2008 with SP2 / Windows Vista with SP2 / Windows 7.

    It is time to retire for me!


    Full article in Microsoft.com


  3. Posts : 68
    Windows 7 Pro x64
       #13

    So this is disabled by default in Windows 7.

    So does that mean it will just build up as many connections as it requires?

    EDIT: sorry for the epic bump, just need some answers


  4. Posts : 1,377
    Win7x64
       #14

    JoHn87 said:
    So this is disabled by default in Windows 7.

    So does that mean it will just build up as many connections as it requires?

    EDIT: sorry for the epic bump, just need some answers

    Short version: yes.


    ====================================
    Real answer: It was never about limiting the number of connections. This mechanism used to limit the number of "half-open" TCP sessions in an effort to slow the propagation of malware from infected machines.

    A TCP session between any two machines starts off with what's known as a "3-way handshake", even though there are only two machines. The name stems from the 3 packets required to "establish" the session:

    1) Initiator sends a SYN packet informing the target of its intention to communicate and its own "synchronisation" sequence number offset.

    2) Target responds with a SYN-ACK letting the initiator know that the first packet has been received ("acknowledged"), and informing the initiator of its own starting sync offset.

    3) Initiator responds with an ACK, thereby completing the handshake sequence.

    After all that, the session is established and the two sides can send information to each other until they decide to tear the session down.

    A "half-open" session is one where the initial SYN (step 1) has been sent, but no response has yet been received. In other words, there's nothing yet to indicate that the target is willing to talk to us, or that it even exists on the IP/port that the SYN was sent to.

    The "half-open" throttling mechanism used to limit the number of those not-yet-fully established sessions to a maximum of 10 at any time, because MS (rightly) felt that anything more constituted burst-type activity which was likely associated with malware trying to spread itself as fast as possible.

    Given a latency of say 100ms, malware which is throttled in this way will spread much, much slower than if it's completely unbridled and able to initiate thousands of concurrent half-open sessions in an opportunistic fashion (fire off a crapload of SYNs all at once and just work with the targets which respond).

    While the vast majority of legit applications don't behave in this manner, the two notable exceptions were torrent clients (stretching the definition of "legit" of course) and server-style apps which some companies ran on Windows clients to decrease their licensing costs. Torrent clients would sometimes bump up against the 10 half-open limit, and that would cause a scary-looking event to be logged. Many torrenters ended up "patching" the TCPIP.SYS driver in an attempt to knock out the throttling mechanism, and that brought problems of its own in the form of BSODs and similar issues.

    In the end, I guess MS decided the level of additional security didn't warrant the additional chaos caused by driver patchers and the flak they were getting in the press, and hence decided to remove the mechanism as of Vista SP2.
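Added example (not part of the thread and not any poster's code): a defender-side check that applies the definition above, counting sessions in the SYN_SENT state per process and flagging any process above the 10-session figure the post cites. The sample text is constructed in the layout of Windows `netstat -ano` output; the PIDs, addresses and the `build_sample`, `half_open_by_pid` and `over_limit` names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The thread's figure for the old throttle: at most 10 half-open sessions.
HALF_OPEN_LIMIT = 10

# One TCP row of `netstat -ano`: proto, local, remote, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")


def build_sample():
    """Constructed netstat-style text; addresses are documentation ranges."""
    rows = [
        "Active Connections",
        "",
        "  Proto  Local Address      Foreign Address     State        PID",
        "  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING    808",
        "  TCP    192.0.2.10:49152   198.51.100.7:443    ESTABLISHED  1204",
        "  TCP    192.0.2.10:49153   198.51.100.8:80     SYN_SENT     1204",
    ]
    # Hypothetical PID 4312 has 14 SYNs outstanding to 14 different hosts.
    rows += [
        f"  TCP    192.0.2.10:{50000 + i}   203.0.113.{i + 1}:6881   SYN_SENT     4312"
        for i in range(14)
    ]
    return "\n".join(rows)


def half_open_by_pid(netstat_text):
    """Map PID -> remote endpoints whose SYN has had no reply (SYN_SENT)."""
    pending = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "SYN_SENT":
            pending[int(m.group(4))].append(m.group(2))
    return dict(pending)


def over_limit(netstat_text, limit=HALF_OPEN_LIMIT):
    """Return {pid: (half_open_sessions, distinct_remote_hosts)} above limit."""
    flagged = {}
    for pid, remotes in half_open_by_pid(netstat_text).items():
        if len(remotes) > limit:
            hosts = {r.rsplit(":", 1)[0] for r in remotes}
            flagged[pid] = (len(remotes), len(hosts))
    return flagged


if __name__ == "__main__":
    for pid, (n, hosts) in over_limit(build_sample()).items():
        print(f"PID {pid}: {n} half-open sessions to {hosts} hosts")
```

A single snapshot only shows what is pending at that instant, so a count that stays high across repeated snapshots is the more meaningful signal.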


  5. Posts : 68
    Windows 7 Pro x64
       #15

    thanks H2SO4

    that clears up a lot now.


  6. Posts : 1,377
    Win7x64
       #16

    JoHn87 said:
    thanks H2SO4

    that clears up a lot now.

    No problem mate :)


  7. Posts : 4,925
    Windows 7 Professional 64-bit
       #17

    Hmm, EnableConnectionRateLimiting isn't in my registry.


  8. Posts : 1,377
    Win7x64
       #18

    swarfega said:
    Hmm, EnableConnectionRateLimiting isn't in my registry.

    3: kd> x tcpip!TcpCreateAndConnectTcbRateLimitDepth
    fffff880`01b81d3c tcpip!TcpCreateAndConnectTcbRateLimitDepth = <no type information>
    3: kd> dd fffff880`01b81d3c l1
    fffff880`01b81d3c 00000000


    That throttling mechanism is disabled in Win7 and perhaps entirely vestigial in terms of code. Do you actually want to enable it for some purpose?


  9. Posts : 4,925
    Windows 7 Professional 64-bit
       #19

    Nah, I wanted to make sure it was disabled.


 