Event id 4226

I’ve been seeing this in the windows logs for a while now. It only happens at boot up. I’ve run Malwarebytes and a boot time scan with Avast, both clean. Also ran SuperAntiSpyware and just have some tracking cookies. What I’ve noticed is that if I reboot in a timeframe of less than 2 hours this event does not happen. Any ideas?

You dont say what version system your running but there are lots of hit’s when running a google search, might pay to look through some of these http://www.google.com.au/#sclient=psy-ab&hl=en&source=hp&q=Event+id+4226+&pbx=1&oq=Event+id+4226+&aq=f&aqi=g-s1g3&aql=&gs_sm=s&gs_upl=0l0l1l7539l0l0l0l0l0l0l0l0ll0l0&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=8b4d6bc0e1cf18b&biw=1920&bih=985

What is the rest of the information contained in the windows log/s entries (and which logs do you mean) ?

If you aren’t seeing anything untoward/unusual symptoms on your system, e.g. errors displayed to the screen, things in the windows event viewer are generally minor issue as nothing has been displayed to the screen.

These event viewer entries are also classified, Error, Warning, Information, etc. what are these ?

The event ID can change and that is why it is important to gather the information from the event viewer properties at the time. The event ID would refer to what is in the Task Manager Processes tab at the time of creation.

Personally I keep my nose out of the logs unless I’m experiencing a problem that warrants further investigation.

Most probably you have seen this http://www.eventid.net/display-eventid-4226-source-Tcpip-eventno-4252-phase-1.htm as you mentioned that you scanned your system for viruses. Are you running many applications at startup that maybe check for updates, etc (all sorts of messengers, “update” checkers)? I would try to disable them, at least temporarily, to see if it makes any difference. Find one of those “Startup cleaners” and remove the unnecessary stuff.

Before contemplating any action, it is best to find out what, when, why. That is why we and Bluemeanie need more information before taking any action.

The system is Xp-sp3. The logs in question are the system logs as seen thru the event viewer. I only started looking around about a week ago when everything seems slow after a bsod. No more bsod’s since then and about 2 days later the slowness is gone. The entry in the log is a warning. Hopefully I’ve attached a screen shot.

The 4226 event is not related to boot times only (or, at all). It means the number of connections attempts in a certain small period of time (as in “per second”) are “too high” for the limit already set in Windows.

MS originally limited this number in Windows to reduce the chances that some malware would spread (communicate) using your system (this is a simplified explanation, but it’s enough in this context).

You could change the limit, so the 4226 event won’t be displayed in event viewer, but the number of connections will still be the same. Being more an information than a real problem, I wouldn’t care much about it, specially if this only happens once in a while (“low” frequency).

If this event really happens only at boot times, then “too many” tools are trying to connect at the same time when you boot. You could check which auto start up items you have, which ones are really necessary, which ones are trying to connect…

Particularly, in avast, you can configure it to reduce the number of connections, according to the type of network connection you have. Try setting avast to connect with “dial up only” (even if it is not really dial up). Other settings in avast may play a factor too. And you can also manually configure avast to delay the first connection (by editing the ini file).

If the event happens in additional situations (not only at boot time), then you would need to identify which specific software is trying to connect “too much”. Typically, P2P applications are the most common ones generating this 4226 event. By changing it’s settings you reduce this 4226 event (and you may gain in P2P speed too).

HTH.

Well you would have to check your security settings and see what the TCP/IP security limit is (probably the default limit of 10). But as this is a Warning rather than an Error, it isn’t as crucial, but you definitely want to ensure only authorised TCP/IP connections are allowed.

I would also suggest that you check all of your startup items and only allow those essential applications are allowed to run on boot.

You should also check applications that you allow to auto-update as many want you to allow that so they too should be restricted to essential applications, primarily security based applications.

Check out this Microsoft Support Article on TCP/IP .

A means to increase the limit http://www.megaleecher.net/Tcpip.sys_Patch_To_Increase_Windows_XP_Connection_Limit. Though this I would say is one way I wouldn’t go as far as upping it to 256 as suggested but slowly bump it up (after of course restricting applications auto-updates and programs running on boot) to say 50 and see if the limit errors go away.

By default Windows XP allows a maximum of 10 half open connections at a time, this limit is implemented as a security feature to slow-down spreading of internet-worms in-case the user machine gets infected, if your network use is crossing this limit your computers event-log will show the following Event:

What I’ve found is that this does not happen if I disable Avast. So, next step is to look into the settings there. Never thought about changing it to dial up, thanks for that idea.
Oh and yes, this is only happening at boot time.

Try using notepad to change the configuration file, avast5.ini.

In avast5.ini, edit it so it will contain:


[InetWD]
AssumeAlwaysConnected=1
AlwaysConnectedWaitSeconds=300

(search the file for the appropriate section)

Save it (avast and/or Windows may ask you for confirmation) and reboot.

The effect is that the first update attempt should be delayed 5 minutes (300 seconds).

If this is not enough, there might be other additional possible settings to help you. Please report back.

Sorry for the delay. I added those and it didn’t happen for a day or 2, then started seeing them again. Looked at everything else I can think of and can’t see a reason for this. Then this morning, within a minute of the boot I got the Avast alert telling me that my definitions had been updated. This was with AlwaysConnectedWaitSeconds=300 in the ini file.