Code Comments
http://www.microsoft.com/technet/pr...n/sp2netwk.mspx

>Limited number of simultaneous incomplete outbound TCP
>connection attempts
>Restricted traffic over raw sockets
>
>How do I resolve these issues?
>Stop the application that is responsible for the
>failing connection attempts.

I'm a professional software developer and sysadmin specialized in TCP/IP and security. I've used Windows 2.0. I've read Helen Custer's "NT Inside" before Windows NT 3.1 was released. I've implemented an ISP using Windows NT 3.51 for everything but routing - and back in those days it was a VERY risky bet.

You see, I'm a huge believer in NT's architecture. I LOVE the kernel. I LOVE the *base* OS architecture. I even have a full frontal naked poster of David Cutler in my office. ;]

As a developer, Windows is of HUGE value to me, market share aside. Win32 (especially the base services, like the IO model, IOCP, threading, etc), COM everywhere, and the many extras like COM+, IIS, ADO, etc, make Windows a winner platform for developers and ISVs.

THEN, XP SP2 happens...

(Real) Professional developers and sysadmins KNOW what they are doing. Many times we NEED to disable firewalls. Many times we NEED to instantiate remote COM objects without authentication. And WE KNOW the implications. So far, so good, we can do these two things in SP2.

BUT, read the above quote on TCP and sockets! NO way to disable!

As a sysadmin, I CANNOT RUN a simple, basic, daily thing like a network scanner with XP SP2!!! A simple program to monitor a number of TCP services on the network? NO WAY! Do a stress-testing/capacity planning on a Web application using these XP clients? FORGET!

As a developer, as a matter of fact, right now I'm developing a network application using TCP sockets with overlapped IO, and I NEED to do unit tests simulating connections that die without sending FINs, RSTs, etc. Yep, well, I can do that using raw sockets, right? NOT ANYMORE!!!

It's STUPID! I'm not the master/Administrator of my own machine anymore! What's that? Is Windows XP being repositioned as a game machine or a typewriter-only OS? Do I HAVE to use Windows Server 2003 as my desktop OS now? US$ 600?

Worse (wearing my security hat), these limitations are security NONSENSE. The only logic in these limitations, as stated by MS, is that a compromised computer can do less harm. BULLSHIT! As Microsoft says in "10 Immutable Laws of Security", and in many other places:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

http://www.microsoft.com/technet/ar...w s.mspx

You can COMPLETELY BYPASS these limitations by installing a custom kernel driver! There are many of these drivers out there, and ANY VisualBasic "virus" writer can include one of these in its virus installation procedure. It's plug-n-play!

Look, right now a number of these peer-to-peer network kids are binary-editing their tcpip.sys to overcome SP2 limitations!!!

http://www.lvllord.de/4226fix/4226fix-en-manual.htm
http://www.lvllord.de/

To do this (and disabling Windows File Protection) in VisualBasic is a piece of cake!

Apart from also using FreeBSD for sysadmin since 1998, I've been choosing NT for servers and software development (as a target platform) since its beginning. I'm really sad to say that, but SP2 has decreased the NT platform value to me, and SP2 has cast shadows on Windows' future. And now with Sun's commitment to x86, and with the 2.6 version, both Solaris and Linux are rapidly gaining value.

Please, Microsoft, clarify this. Is Windows Server 2003 the only OS for the professional desktop?

Regards.

reg key to change the connections limit back to max

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe

When the change in SP2 was first reported, several sites suggested that the reg key below would "fix" it, but it doesn't actually work. Right now, it appears that the change was hard-coded into tcpip.sys. There is a hacked version of tcpip.sys which started making the rounds yesterday but it requires installing from the Recovery Console (booting in safe mode) to bypass Windows File Protection. It also violates your license agreement and could make your hair fall out.

"Brian Henry" <brianiupmsdn@newsgroups.nospam> wrote in message news:u%23s9RoUgEHA.3024@TK2MSFTNGP10.phx.gbl...
> reg key to change the connections limit back to max
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "TcpNumConnections"=dword:00fffffe

I don't know about other people, but that reg change worked for me. I can now have more than 10 simultaneous connections on the same port since it was changed.

"Ronny Ong" <ronnyong@killspam-bigfoot.com> wrote in message news:OMug07UgEHA.384@TK2MSFTNGP10.phx.gbl...
> When the change in SP2 was first reported, several sites suggested that
> the reg key below would "fix" it, but it doesn't actually work. Right now,
> it appears that the change was hard-coded into tcpip.sys. There is a
> hacked version of tcpip.sys which started making the rounds yesterday but
> it requires installing from the Recovery Console (booting in safe mode) to
> bypass Windows File Protection. It also violates your license agreement
> and could make your hair fall out.
>
> "Brian Henry" <brianiupmsdn@newsgroups.nospam> wrote in message
> news:u%23s9RoUgEHA.3024@TK2MSFTNGP10.phx.gbl...

This has nothing to do with the issue. The problem is that when a program has 10 pending TCP connections (not fully connected) the subsequent connection attempts get put into some queue and will likely time out in the program because of that. This "feature" interferes with various security tools and P2P apps. There is no administrative way to turn it off, the value 10 is hardcoded in tcpip.sys, so only patching (http://www.lvllord.de/) will do.

All MS has to do is provide a way for an administrator to turn this off, or is Windows XP now a network computer terminal?

"Brian Henry" <brianiupmsdn@newsgroups.nospam> wrote in message news:uz512jVgEHA.1048@tk2msftngp13.phx.gbl...
>I don't know about other people, but that reg change worked for me. I can
>now have more than 10 simultaneous connections on the same port since it was
>changed
>
> "Ronny Ong" <ronnyong@killspam-bigfoot.com> wrote in message
> news:OMug07UgEHA.384@TK2MSFTNGP10.phx.gbl...

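The queueing effect described in the post above, seen from the side of a service monitor, as an added example that is not part of the thread or anyone's posted code: the checker keeps its own in-flight connection attempts under the limit and starts each timeout only once the attempt is actually issued. The names check_services and MAX_PENDING, the value 8, and the fake connector and 192.0.2.1 targets in demo() are assumptions constructed for illustration.

```python
import asyncio

# Assumption: stay below the 10 incomplete outbound attempts the thread describes.
MAX_PENDING = 8

async def tcp_connect(host, port):
    """Default connector: complete one TCP handshake, then close."""
    _, writer = await asyncio.open_connection(host, port)
    writer.close()
    await writer.wait_closed()

async def check_services(targets, connect=tcp_connect,
                         max_pending=MAX_PENDING, timeout=3.0):
    """Return {(host, port): "up" | "down" | "timeout"}."""
    gate = asyncio.Semaphore(max_pending)
    results = {}

    async def probe(target):
        # Take a slot before the timer starts, so time spent waiting behind
        # other attempts is never mistaken for a connect timeout.
        async with gate:
            try:
                await asyncio.wait_for(connect(*target), timeout)
                results[target] = "up"
            except asyncio.TimeoutError:
                results[target] = "timeout"
            except OSError:
                results[target] = "down"

    await asyncio.gather(*(probe(t) for t in targets))
    return results

def demo():
    """Constructed run: 30 fake services, no real network traffic."""
    state = {"pending": 0, "peak": 0}

    async def fake_connect(host, port):
        state["pending"] += 1
        state["peak"] = max(state["peak"], state["pending"])
        try:
            await asyncio.sleep(0.01)          # stands in for the handshake
            if port % 10 == 0:                 # constructed: 3 closed ports
                raise ConnectionRefusedError("constructed closed port")
        finally:
            state["pending"] -= 1

    targets = [("192.0.2.1", 8000 + i) for i in range(30)]  # TEST-NET-1
    results = asyncio.run(check_services(targets, connect=fake_connect))
    return results, state["peak"]
```
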
"Virgulino Ferreira" <virgulino_ferreira@yahoo.com.br> wrote in message news:ad7faec5.0408122014.7e0d5aeb@posting.google.com...
> As a sysadmin, I CANNOT RUN a simple, basic, daily thing like a
> network scanner with XP SP2!!! A simple program to monitor a number of
> TCP services on the network? NO WAY! Do a stress-testing/capacity
> planning on a Web application using these XP clients? FORGET!

There are other ways than using raw sockets in Winsock to accomplish this. Just the same as there were before Windows XP first introduced the ability to produce TCP output from raw sockets in Winsock. Those tools existed back then, and the same methods used to write them then will work now. For obvious reasons, I'm going to decline to discuss those methods here.

> As a developer, as a matter of fact, right now I'm developing a network
> application using TCP sockets with overlapped IO, and I NEED to do
> unit tests simulating connections that die without sending FINs, RSTs,
> etc. Yep, well, I can do that using raw sockets, right? NOT ANYMORE!!!

I simulate those currently by leaving my test app running, in a 'sleep', with the socket(s) open. Others unplug the network cable before the FIN, or use third party traffic generators. It's a lot easier than writing raw sockets to start a TCP handshake.

Frankly, I'm […] as to how you managed to use raw sockets to achieve that goal in the first place - you'd send the TCP SYN to establish the connection, you'd get back a SYN/ACK, which the TCP stack would look at and go "what the...?", responding to it with a RST. Short of disabling TCP, I can't see how you would have achieved what you claim is being denied you. Maybe that's my problem, rather than yours. The point is that this is achievable now.

> It's STUPID! I'm not the master/Administrator of my own machine
> anymore! What's that? Is Windows XP being repositioned as a game
> machine or a typewriter-only OS? Do I HAVE to use Windows Server 2003
> as my desktop OS now? US$ 600?

I don't see anything in this that would suggest that Windows XP is being repositioned. It's the client OS, and it comes in two flavours - Home and Professional. Home is, as the name would imply, designed for home use. Professional is designed as a desktop OS.

I can't really say what operating system you ought to be using for your development system - that really depends on your individual requirements. It does look as though your requirements, as stated, put you in need of a Windows Server 2003 system for development.

As for the pricing, I would suggest you look into possible alternatives. For developers, it's often far cheaper to use the development and test licences from MSDN than it is to buy individual copies of each of the operating systems you have to have in order to adequately replicate your users' environments.

> You can COMPLETELY BYPASS these limitations installing a custom kernel
> driver! There are many of these drivers out there, and ANY VisualBasic
> "virus" writer can include one of these in its virus installation
> procedure. It's plug-n-play!

I must have missed a change of author here, because your argument has gone from essentially implying "you can't do it" to "anyone can do it, it's child's play".

Installing a custom kernel driver is, of course, something that you can do as an administrator - as you said, you own the machine, you're its lord and master, you can do this to your own machine; and as long as you don't stay logged on as Administrator for usual day-to-day activities, whatever viruses you pick up will not be able to install a kernel driver.

And basically, there's the point. Avoid running as Administrator, except when you have to, and this change makes a whole lot of sense.

Now, if you want to complain in similarly severe terms about application authors that unnecessarily expect you to be an administrator, please be my guest.

> Please, Microsoft, clarify this. Is Windows Server 2003 the only OS
> for the professional desktop?

No. Most professional desktops aren't tasked with the specific requirements that you have.

A change in SP2 has made your life a little harder in one aspect. On the bright side, as you've mentioned, you have a number of solutions at hand. SP2 has many changes in it that are designed to make your life easier. I think once you take the time to have a broad look at the whole package, you'll feel happier.

Alun.
~~~~

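The "leave the test app sleeping with the socket open" approach from the post above, written out as a loopback unit test; this is an added example, not code from the thread. The server function, its idle timeout, and the names serve_once and silent_peer_test are assumptions standing in for whatever code is under test. It shows both outcomes: a server with an idle timeout drops the silent peer, while one without stays blocked until the peer finally closes.

```python
import socket
import threading

def serve_once(listener, idle_timeout, outcome):
    """Code under test (hypothetical): accept one peer, wait for first bytes.
    idle_timeout=None models a server with no dead-peer detection."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(idle_timeout)
        try:
            data = conn.recv(1024)
            outcome.append("data" if data else "peer-closed")
        except socket.timeout:
            outcome.append("idle-timeout")

def silent_peer_test(idle_timeout, hold=0.5):
    """Connect, then send nothing for `hold` seconds (no FIN, no RST).
    Returns (server_still_blocked_after_hold, outcome_list)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # loopback, ephemeral port
    listener.listen(1)
    outcome = []
    server = threading.Thread(target=serve_once,
                              args=(listener, idle_timeout, outcome))
    server.start()
    peer = socket.create_connection(listener.getsockname())
    server.join(hold)                        # the peer just "sleeps" here
    blocked = server.is_alive()
    peer.close()                             # cleanup: the FIN frees a stuck server
    server.join(2.0)
    listener.close()
    return blocked, outcome
```
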
Do you know how to use that custom driver TCPIP_Patcher used by P2P clients in vb.net?