EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-16 08:36

[Repost] The Event ID 4226 log entry in Windows XP SP2

Source: MVP CN

事件类型: 警告
事件来源: Tcpip
事件种类: 无
事件 ID: 4226
日期:  2004-11-1
事件:  19:03:04
用户:  N/A
计算机: MSWINXPHOME
描述:
TCP/IP 已经达到并发 TCP 连接尝试次数的安全限制。
有关更多信息,请参阅在 [url]http://go.microsoft.com/fwlink/events.asp[/url] 的帮助和支持中心。
数据:
0000: 00 00 00 00 01 00 54 00  ......T.
0008: 00 00 00 00 82 10 00 80  ....?..?
0010: 01 00 00 00 00 00 00 00  ........
0018: 00 00 00 00 00 00 00 00  ........
0020: 00 00 00 00 00 00 00 00  ........
Whenever this log entry appeared, what I usually thought of was the concurrent connection limit of the XP family: 10 on the Professional edition and 5 on the Home edition. Today I happened to see a post in the group asking about this log entry, and only then looked up the material; the result surprised me a lot.
In fact this log entry has nothing to do with the concurrent connection limit I mentioned above, which exists to limit the use of XP-family operating systems as file and print servers. The "concurrent TCP connection attempts" in this log entry refer to a new feature in Windows XP SP2 called "Limited number of simultaneous incomplete outbound TCP connection attempts", which is explained as follows:
  The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.

  Establishing connection–rate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.
For more details, read "Changes to Functionality in Microsoft Windows XP Service Pack 2"; you need the English version, because the Chinese version on Technet (China) omits the section on the TCP/IP changes in SP2. (Very frustrating; otherwise I would have known about this feature from the start.)
Of course, this explains some phenomena. A while ago I saw posts in the newsgroups asking why BT downloads become slower on XP with SP2, even with Windows Firewall disabled; it seems the new TCP/IP restriction in SP2 is what affects them (initial guess, unverified). Some port-scanning tools also become slower (verified), and naturally worms that attack the way Blaster did spread more slowly as well!

If you cannot tell which program is causing it, proceed as follows.
1. At a command prompt, type "Netstat -no" and press Enter.
2. You will get output similar to this:

[code]C:\Documents and Settings\youyang>netstat -no

Active Connections

  Proto  Local Address       Foreign Address      State        PID
  TCP   61.176.17.128:1348    207.46.248.16:119    ESTABLISHED    304
  TCP   61.176.17.128:2325    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2327    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2349    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2358    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2370    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2374    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2391    218.25.251.34:10587   ESTABLISHED    3800
  TCP   61.176.17.128:2503    218.25.251.34:11681   ESTABLISHED    3800
  TCP   61.176.17.128:2504    218.25.251.34:12222   ESTABLISHED    3800
  TCP   61.176.17.128:2517    218.25.251.34:10762   ESTABLISHED    3800
  TCP   61.176.17.128:2518    218.25.251.34:12782   ESTABLISHED    3800
  TCP   61.176.17.128:2678    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2680    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2693    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2695    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2702    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2704    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2711    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2713    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2714    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2716    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2744    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2746    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2747    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2749    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2750    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2752    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2753    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2755    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2756    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2758    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2759    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2761    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2762    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2764    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2765    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2767    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2768    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2770    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2771    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2773    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2774    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2776    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2777    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2779    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2780    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2782    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2783    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2784    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2786    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2788    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2789    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2791    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2792    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2794    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2795    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2797    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2798    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2800    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2801    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2803    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2804    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2806    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2807    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2809    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2810    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2812    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2813    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2815    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2816    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2818    218.25.251.34:21     ESTABLISHED    1492
  TCP   61.176.17.128:2819    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2821    218.25.251.34:21     SYN_SENT      1492
  TCP   61.176.17.128:2822    218.25.251.34:21     ESTABLISHED    3800
  TCP   61.176.17.128:2824    218.25.251.34:21     SYN_SENT      1492
  TCP   127.0.0.1:1025      61.176.17.128:2325    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2678    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2693    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2702    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2711    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2714    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2744    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2747    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2750    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2753    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2756    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2759    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2762    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2765    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2768    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2771    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2774    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2777    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2780    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2783    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2784    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2789    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2792    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2795    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2798    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2801    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2804    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2807    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2810    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2813    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2816    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2819    ESTABLISHED    1492
  TCP   127.0.0.1:1025      61.176.17.128:2822    ESTABLISHED    1492

C:\Documents and Settings\youyang>
[/code]
Connections held back by the TCP/IP limit show SYN_SENT in the State column; in this listing they belong to PID 1492.
3. Next, open Task Manager, select the "Processes" tab, open the "View" menu, choose "Select Columns", and finally tick "PID"; you can then see which process name corresponds to the PID.
4. If a large number of ID 4226 warnings appear while a program is running, you can end the process as described above and verify whether that process is legitimate.
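As an added example, not part of the original post, here is a small Python parser for the kind of "netstat -no" listing shown above. It counts the SYN_SENT (half-open) connections per PID and notes whether they all target one host, as with the FTP client in the listing, or fan out to many hosts, the pattern Microsoft describes for worms. The listing inside it is constructed, and the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "netstat -no" on Windows XP; not the page's own listing.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    61.176.17.128:2819     218.25.251.34:21       ESTABLISHED     3800
  TCP    61.176.17.128:2821     218.25.251.34:21       SYN_SENT        1492
  TCP    61.176.17.128:2824     218.25.251.34:21       SYN_SENT        1492
  TCP    61.176.17.128:2830     10.11.12.13:445        SYN_SENT        2004
  TCP    61.176.17.128:2831     10.11.99.7:445         SYN_SENT        2004
  TCP    61.176.17.128:2832     10.11.200.45:445       SYN_SENT        2004
  TCP    127.0.0.1:1025         61.176.17.128:2819     ESTABLISHED     1492
"""

# One TCP row: local, foreign, state, PID. UDP rows have no State column and are skipped.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, foreign, state, pid) tuples for every TCP row in netstat -no output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append((local, foreign, state, int(pid)))
    return rows

def half_open_by_pid(text):
    """Map each PID to (SYN_SENT count, number of distinct foreign hosts)."""
    counts, hosts = defaultdict(int), defaultdict(set)
    for _local, foreign, state, pid in parse_netstat(text):
        if state == "SYN_SENT":  # incomplete outbound attempt: the state SP2 rate-limits
            counts[pid] += 1
            hosts[pid].add(foreign.rsplit(":", 1)[0])  # drop the port, keep the host
    return {pid: (counts[pid], len(hosts[pid])) for pid in counts}

def classify(stats, threshold=10):
    """Label PIDs from half_open_by_pid(): 'scan-like' when the half-open attempts fan out to
    several hosts (the worm pattern Microsoft describes), 'single-host' when they pile up on one
    destination (a busy FTP client, say). threshold is an assumption; SP2's default limit is 10."""
    labels = {}
    for pid, (count, distinct) in stats.items():
        if count < threshold:
            labels[pid] = "below-limit"
        else:
            labels[pid] = "scan-like" if distinct > 1 else "single-host"
    return labels
```

Feed it the real output of "netstat -no" captured while the 4226 warnings are being logged, then look up the flagged PID in Task Manager as in step 3.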

© 1999-2008 EvilOctal Security Team