The IPC$ share is a hidden share maintained by the Server service (disabling the service removes the share).
The IPC$ share is used for RPC (Remote Procedure Call), which allows a client to send various commands to the server, for example:
List all shares
List all users
List files within a share
Stop/Start services
...
Certain commands can be accessed anonymously through a NULL session, depending on the configuration of the server.
If a command cannot be called anonymously, then the client has to authenticate.
Access is granted if the client can provide proper credentials (username and password)
that match an account on the server. If it cannot, the user at the client
machine gets an error like:
IPC$, The domain password you supplied is not correct
You must supply a password to make this connection:
Incorrect password or unknown username for:
Note it is possible to access the IPC$ share of a server using different credentials
than those used when logging on to the client machine (even when a domain user account
is needed to access a server from outside the domain):
net use q: \\10.0.0.2\c$ [password] /user:[domain\]username
Note Windows 95/98/Me does not support logon with different credentials.
Therefore one has to make sure the user ID and password
on the Win9x machine match one of the accounts on the WinNT machine.
This can be done using one of the following options:
Create an account on the WinNT machine which matches the username and password (if any) used on the Win9x machine.
If the account already exists, then re-enter the account password (and check that the password doesn't expire).
Create an account on the Win9x machine which matches the username and password of an account on the WinNT machine, and then log on to Win9x with the new account.
Activate the guest account, though it is not recommended:
By default the drive letters (C$, D$, etc.) are shared as hidden shares
for Administrator access. Even if you delete the shares manually, they will be recreated at the next boot.
To remove these shares for good, add the following DWORD registry values:
Note that the IPC$ share will not be removed by
setting these registry values.
Note that this only stops Windows from creating the shares at startup; one has to
delete the admin shares oneself, but only once after changing the above registry values.
Besides using the standard interface for removing the shares, one can also find and delete
the shares by editing the registry at this location:
Note the administrative shares are required by Microsoft Operations Manager (MOM)
and Microsoft Systems Management Server (SMS), and have to be enabled on the client
machines for them to function properly.
Every 12 minutes the Server service
announces itself to the Master Browser on each installed protocol. With 1000 clients doing this on two protocols,
such as TCP/IP and NetBIOS, this amounts to 10000 packets/hour.
One can stop this announcement/broadcasting by adding this DWORD value in the registry:
Typically when sending files to a remote WinNT4 system, CORE SMB mode is used, which is slow.
The following table describes the typical transfer modes used in different situations:
Initiator       Operation        Remote System   Transfer Mode
WinNT4          Receive From     WinNT4          RAW SMB (64 KB)
WinNT4/Win2k    Send To          WinNT4          CORE SMB (4 KB)
Win2k           Send / Receive   Win2k           CAP_LARGE_FILE (60 KB)
Win2k           Receive From     WinNT4          CAP_LARGE_FILE (60 KB)
It is possible to change how much is sent/received per request in CORE SMB mode with this DWORD value (the Server service will use more RAM):
[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \lanmanserver \parameters]
SizReqBuf = 17424 (Default=4356 Bytes, More than 512 MB RAM=16384 Bytes, Range 1024-65536)
Note if using WinNT4 as a print server, then increasing this value improves the speed of
transferring print jobs to the WinNT4 machine.
Note if using a large CORE SMB buffer while at the same time making small requests (directory listings),
then delayed ACK might cause low performance.
Note on a high-latency network, increasing this value might improve transfer speed.
One can control how a computer participates in the Master Browser election with these STRING registry values:
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Browser \Parameters]
MaintainServerList = "Auto" (Pro = "Auto", Server = "Yes", Off = "No")
IsDomainMaster = "True" (On = "True", Off = "False", Default = "False")
MaintainServerList controls whether the computer participates in the election at all.
IsDomainMaster gives the computer a higher priority in the election.
Note to discover/detect the current master browser on the network, use the Resource Kit tools browmon or browstat.
Note if the Computer Browser service
is disabled, then the computer will not participate in the election. Setting MaintainServerList = No keeps the Browser
service from starting; any attempt to start it gives the following error:
It is possible to configure WinNT SP3+ to increase network security by enabling
SMB signing, though enabling it causes a performance hit because the signing requires extra processing.
Note the standard policy for Domain Controllers and Windows 2003 is to use SMB signing, so
if using such a machine as a file server in a trusted network, then one might consider
disabling SMB signing.
Note one might experience "Delayed Write Failed" errors when saving/writing files on a network share.
This is caused by an error in SMB signing and can be fixed by updating Win2k and WinXP according to MS KB Q814112.
Another solution is to set EnableSecuritySignature = 0.
Note to disable SMB Signing for all Domain Controllers in an Active Directory:
Open Active Directory Users and Computers
In the console tree, right-click Domain Controllers and click Properties
Select the Group Policy tab.
Click Default Domain Controllers Policy and click Edit
Under Security Options right-click Microsoft network server: Digitally sign communications (Always) and select Properties
7. Configure Password Encryption level over network
A low password encryption level is used by default to give a higher level of compatibility, but it makes it easy
for an intruder to use a network sniffer to discover other users' usernames and passwords.
Configure the LAN Manager compatibility level (WinNT4 SP6+):
MaxCmds specifies the maximum number of outstanding network requests from the client to the server,
which is used when negotiating a Server Message Block (SMB) connection with a server.
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanWorkstation \Parameters]
MaxCmds = 100 (The range is 0 - 255(NT4) - 65535(Win2k) and the default is 15)
MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client,
which is used when negotiating a Server Message Block (SMB) connection with a client.
Note if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Parameters]
MaxMpxCt = 100 (The range is 0 - 100(NT4) - 65535(Win2k) and the default is 50)
MaxWorkItems specifies how many active requests the server handles at once (besides those outstanding)
before it starts to reject or throttle incoming requests. Note the default value is calculated
from the total amount of RAM and CPUs, and it should only be changed on servers where the calculated
value is not enough to handle all client requests (the value should be at least 4 times the value of MaxMpxCt).
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Parameters]
MaxWorkItems = 512 (The range is 0 - 64(Prof.) - 65535 (Srv.))
MaxFreeConnections and MinFreeConnections control how many connection objects are
preallocated. The preallocation requires extra memory, but enables faster handling of network
requests.
MaxThreads specifies how many threads are allowed to run at once; each thread allows one outstanding operation.
By increasing this you can increase the amount of simultaneous work. Each extra execution thread takes 1 KB of additional nonpaged pool memory.
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanWorkstation \Parameters]
MaxThreads = 30 (The range is 0-255 and the default is 17)
MaxCollectionCount specifies how much data can be stored in a named pipe
before a write operation is triggered. Increasing this value can improve performance for
applications which use named pipes, as it lowers the number of write operations.
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanWorkstation \Parameters]
MaxCollectionCount = 32 (The range is 0-65535 and the default is 16)
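As an added example (not code from the original page), the following PowerShell script audits the SizReqBuf value and the MaxCmds/MaxMpxCt/MaxWorkItems/MaxThreads/MaxCollectionCount values described above against the ranges and rules the text states. It assumes an elevated PowerShell 3+ session on Windows, and that a value absent from the registry means the default the page gives applies; the function and variable names are my own.

```powershell
# Added example, not from the original page: audit the legacy SMB request-limit
# and buffer values described above against the ranges and rules the page gives.
# Assumes an elevated PowerShell session; a value that is absent from the
# registry is treated as the page's stated default.

$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-SmbRequestLimits {
    $findings = @()

    # Workstation (client) side, defaults as stated on the page
    $maxCmds = Get-RegDword $wks 'MaxCmds'            15
    $maxThr  = Get-RegDword $wks 'MaxThreads'         17
    $maxColl = Get-RegDword $wks 'MaxCollectionCount' 16

    # Server side; MaxWorkItems has a calculated default, so 0 here means "not set"
    $maxMpx    = Get-RegDword $srv 'MaxMpxCt'     50
    $maxWork   = Get-RegDword $srv 'MaxWorkItems' 0
    $sizReqBuf = Get-RegDword $srv 'SizReqBuf'    4356

    # Range checks (upper bounds are the Win2k values; NT4 caps MaxCmds at 255
    # and MaxMpxCt at 100)
    if ($maxCmds -gt 65535) { $findings += "MaxCmds=$maxCmds is above the maximum of 65535" }
    if ($maxMpx -gt 125) {
        $findings += "MaxMpxCt=$maxMpx is above 125; older Win9x clients will fail to negotiate"
    }
    if ($maxWork -ne 0 -and $maxWork -lt 4 * $maxMpx) {
        $findings += "MaxWorkItems=$maxWork is below 4 x MaxMpxCt = $(4 * $maxMpx)"
    }
    if ($maxThr -gt 255)    { $findings += "MaxThreads=$maxThr is above the maximum of 255" }
    if ($maxColl -gt 65535) { $findings += "MaxCollectionCount=$maxColl is above the maximum of 65535" }
    if ($sizReqBuf -lt 1024 -or $sizReqBuf -gt 65536) {
        $findings += "SizReqBuf=$sizReqBuf is outside the range 1024-65536"
    }

    # The page suggests SizReqBuf = 16384 on machines with more than 512 MB RAM
    $ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    if ($ramMB -gt 512 -and $sizReqBuf -lt 16384) {
        $findings += "SizReqBuf=$sizReqBuf; with $ramMB MB RAM the page suggests 16384"
    }

    # Each thread above the default of 17 costs 1 KB of nonpaged pool
    $extraPoolKB = [math]::Max(0, $maxThr - 17)

    $workDisplay = if ($maxWork -eq 0) { 'calculated (not set)' } else { $maxWork }
    $findingsOut = if ($findings.Count -eq 0) { @('none') } else { $findings }

    [pscustomobject]@{
        MaxCmds             = $maxCmds
        MaxMpxCt            = $maxMpx
        MaxWorkItems        = $workDisplay
        MaxThreads          = $maxThr
        ExtraNonpagedPoolKB = $extraPoolKB
        MaxCollectionCount  = $maxColl
        SizReqBuf           = $sizReqBuf
        RamMB               = $ramMB
        Findings            = $findingsOut
    }
}

Test-SmbRequestLimits | Format-List
```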
10. How to enable Win9x filesharing in Windows 2000
It is advised to create an account with a secure password for each user
who should have access to a share (MS KB Q258717).
But sometimes it is just too cumbersome, even if one creates a group
containing all the users who should have access.
Enable the guest account, so everyone will use it to access your shares:
Go to "Computer Management" -> "Local Users and Groups" -> "Users"
Double click the "Guest" user
Make sure the checkbox "Account is disabled" is unchecked and press the "Ok" button
Right-click the "Guest" user, select "Set Password" and leave the password empty
Now make your shares using the Guest account and everyone should have access with no password. (Remember that by default Win2k gives full permissions to the shares you create)
In the treeview go to "Local Policies" -> "User Rights Assignment"
Check that "Access this computer from the network" includes the groups "Guests" and "Everyone"
Check that "Deny access to this computer from the network" does not contain the above groups
Remember to reboot after setting security policies so they take effect.
Note the above settings only open the policies that allow guests to access the computer.
When making a share one has to allow guests to access the share, and if the folder being shared
is placed on an NTFS drive, then one has to set NTFS permissions to allow guest access.
If one continues to have problems with security policies, then try importing the default policies
"basicwk.inf" and "compatws.inf"
(MS KB Q234926).
The default configuration of WinXP is to use Simple File Sharing, which is just
as easy as the Win9x file sharing. Just right-click a folder and select Share. The
share will now be available to anyone without needing to provide a password or
anything.
Simple File Sharing uses the Guest account (even if the account is disabled),
but it requires that "Access this computer from the network" includes Everyone and Guest.
If using WinXP Pro and wanting a mixed environment where guests have access to
a limited set of folders and specific users have access to more folders, then one has to
disable Simple File Sharing (not possible in WinXP Home):
Start Button -> My Computer
In the menu of My Computer select "Tools" -> "Folder Options"
In "Folder Options" select the "View" tab
Uncheck the setting "Use Simple File Sharing (Recommended)"
This change should be reflected in this registry key:
It is advised to create an account with a secure password for each user
who should have access to a share. But sometimes it is just too cumbersome,
even if one creates a group containing all the users who should have access.
Enable the guest account, so everyone will use it to access your shares:
Check that "Network access: Sharing and security model for local accounts" is set to "Classic: local users authenticate as themselves"
Remember to reboot to make sure settings are activated.
Note the above settings only open the policies that allow guests to access the computer.
When making a share one has to allow guests to access the share, and if the folder being shared
is placed on an NTFS drive, then one has to set NTFS permissions to allow guest access.
With Windows 2000 the first move away from NetBIOS was made.
Instead, DNS should be used for name resolution and SMB direct hosting on TCP port 445 for requests instead of port 139.
By default both port 139 and port 445 are open to get the highest degree of compatibility.
A client will try to connect on both ports and continue the communication on the
port which responds first.
To disable SMB use of NetBIOS port 139 (forces use of port 445):
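As an added example (not code from the original page), the following PowerShell script reports which of the two SMB transports described above a machine accepts, by checking for TCP listeners on 139 (NetBIOS session service) and 445 (SMB direct hosting), and shows the NetBIOS over TCP/IP setting of each IP-enabled adapter. It assumes PowerShell 3 or later; Get-NetTCPConnection needs Windows 8 / Server 2012 or later, so older systems fall back to parsing netstat output. The function names are my own.

```powershell
# Added example, not from the original page: report which SMB transports this
# machine accepts (TCP 139 = NetBIOS session service, TCP 445 = SMB direct
# hosting) and whether NetBIOS over TCP/IP is enabled on each IP-enabled adapter.
# Assumes PowerShell 3+; Get-NetTCPConnection needs Windows 8 / 2012+, so older
# systems fall back to parsing the output of netstat.

function Get-SmbListeningPorts {
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return @(Get-NetTCPConnection -State Listen |
                 Where-Object { $_.LocalPort -in 139, 445 } |
                 ForEach-Object { [int]$_.LocalPort } |
                 Sort-Object -Unique)
    }
    # Fallback: LISTENING lines look like "TCP  0.0.0.0:445  0.0.0.0:0  LISTENING"
    return @(netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Sort-Object -Unique)
}

function Get-NetbiosOverTcpState {
    # TcpipNetbiosOptions: 0 = default (DHCP decides), 1 = enabled, 2 = disabled
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $nic = $_
            $state = switch ([int]$nic.TcpipNetbiosOptions) {
                0       { 'Default (DHCP decides)' }
                1       { 'Enabled' }
                2       { 'Disabled' }
                default { "Unknown ($_)" }
            }
            [pscustomobject]@{ Adapter = $nic.Description; NetbiosOverTcp = $state }
        }
}

function Get-SmbTransportState {
    $ports = Get-SmbListeningPorts
    [pscustomobject]@{
        Port139NetbiosSession = ($ports -contains 139)
        Port445DirectHosting  = ($ports -contains 445)
        Adapters              = @(Get-NetbiosOverTcpState)
    }
}

$state = Get-SmbTransportState
$state | Select-Object Port139NetbiosSession, Port445DirectHosting | Format-List
$state.Adapters | Format-Table -AutoSize
```

If both ports are listening and NetBIOS over TCP/IP is enabled on an adapter, the client behaviour described above applies: it tries both and keeps whichever responds first.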
On the Start menu, point to Settings, and then click Network and Dial-up Connections
Right-click Internet facing connection, and then click Properties.
Select Internet Protocol TCP/IP and select Properties
Click Advanced and select the WINS tab
Tick Disable NetBIOS over TCP/IP and click Ok
To disable SMB use of port 445, add this DWORD (forces use of port 139):
14. Configure the scanning for shares and printers in WinXP
There is a built-in scanner that crawls/scans/searches the network, and any share or printer
discovered is added to My Network Places or Printers and Faxes.
The scanner is started in the following situations:
At startup
When opening My Network Places
When refreshing My Network Places by pressing F5
The scanner is not started if one of the following conditions is true:
More than 10 computers sharing folders are detected (to be gentle on corporate networks)
A DUN or VPN connection is in use
The scanner is disabled.
The scanner saves its findings here (entries more than 7 days old are deleted):
15. Lower traffic from mapped network shares in WinXP
When WinXP maps a network share it registers for events happening on that share.
So if a file changes at any level in the directory structure of the mapped network share, then
each WinXP workstation receives an SMB notification about this change. If many users are updating
files on the network share, then it causes a lot of traffic and makes the tree view in File Explorer flicker.
One can configure it to only register for events happening in the root of the mapped network share:
Note if using software which relies on being notified of file changes and its files are placed
on a mapped network share, then this change in policy might give unpredictable results.
Note only WinXP SP2+, or WinXP with the Critical Update Q810565 applied, reacts to the registry entries above.
16. Stop fetching file details when opening a remote file in Win2k/WinXP
When opening a file over the network, besides requesting the file contents, the client also requests
extended details about the file and the share it resides on. This gives extra traffic and
can increase the time it takes to open a file (especially on slow network connections like VPN over dial-up).
One can disable this fetching of extended details by adding the following values to the registry:
17. Configure automatic handling of sharing violation
A sharing violation happens when one program requests write access to a file which another
program has already opened with a share restriction of read-only access. When a sharing violation
happens on a local file, the request for write access fails at once.
When a sharing violation happens on a network file, the Server service
on the remote machine detects the sharing violation, but instead of failing right away,
it retries opening the file at certain intervals.
This retry mechanism is quite nice when using programs in a network environment which
have not been made to handle sharing violations, as it lowers the number of "visible" sharing violations.
If the programs trying to access the same file are already capable of handling the sharing violation
with their own retry mechanism, then this different behaviour with network files might interfere
and lower performance.
Note it is strange that Microsoft has implemented this polling strategy: in case
several programs are trying to request the same file, one or more programs might experience
that they never get access, because between each delay another program "steals" the access.
When accessing a file on the network, the file operations are converted to network requests and replies.
To minimize the number of network requests and replies it is best to read/write in large blocks (64K), but
many applications only read/write a single byte at a time, thus generating a large amount of network traffic.
Opportunistic locking is a way to help such applications, by implementing a read-ahead and a lazy-write cache.
The client requests a read or write lock on the file; when it is granted the lock, the client caches
the file locally so subsequent read/write operations from the application only affect the cache.
If another client requests a read or write lock on the file, and it conflicts with an existing
opportunistic lock, then the opportunistic lock is broken (caches are flushed),
and instead the access for all clients reverts to network requests/replies.
To configure the use of opportunistic locking for a Windows NT4 client:
To configure the use of byte-range locking, which allows a client to lock only portions of a read-only file,
but at the cost of updating the lock continuously (WinXP/Win2k3):
19. Enable caching of long filenames for network files in Win2k/WinXP
When requesting a file on the network, the request is handled by the MUP,
and depending on configuration the request is passed to the Microsoft Network SMB Redirector (MrxSmb).
The SMB Redirector keeps a cache of recently accessed files, but by default it only caches short filenames.
If frequently accessing the same network files (like e.g. a database), then performance can be improved by
using 8.3 short filenames. Another solution is to configure the SMB redirector to cache long filenames.
Note the client redirector has a scavenger thread, which cleans old file handles from its cache.
One can configure how often it should look for old handles to remove (WinXP/Win2k3):
[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \LanmanWorkstation \Parameters]
ScavengerTimeLimit = 30 (Default = Every 10 secs, Min = 10 secs, Max = 120 secs)
Aliasing is a feature that is included with Windows Server 2003. This feature lets multiple
long file names or multiple short file names refer to the same file. Disabling file system aliasing
can improve performance by increasing the server service caching that is available on the
Windows Server 2003-based computer.
21. Configure commit write for network files on Win2k3
When writing to a file it is possible to perform a commit operation, which specifies that all data in the cache should be flushed to disk.
If the machine crashes without having performed a commit operation, then all data in the cache is lost.
Therefore many applications perform frequent commit operations to avoid data loss, at the cost of disk performance.
When the file is placed on a network drive, the flush request is converted to an SMB_COM_FLUSH message sent to the server,
which causes the server to flush its cache, and only when that is done does it respond back to the client. Instead
of just affecting the client machine, it also affects the server, which can cause very slow performance
for all clients using the server.
It is possible to configure the server so it does not perform the commit operation, thus avoiding the
slow file operation (the client will still have flushed its own cache):
Microsoft has created several limitations in the Workstation/Professional/Home editions of Windows
to encourage users to buy the more expensive server license.
If sharing a file/printer, there is a limit on how many users can access this shared resource from the network.
The actual user session limit (Prof = 10, Home = 5) can be seen by running this command:
net config server
If a user tries to access a shared resource on a computer where the limit is reached, then this error is given:
No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.
If having problems with users getting the above message, then one can consider the following solutions:
Upgrade to a Windows Server license. If having upgraded from Windows NT4 Workstation to Windows NT4 Server, then update this registry key:
Note if "My Documents" has been placed on a remote share and caching
of the desktop.ini is enabled, then it might give slow performance, because a bug in the cache process makes it cache
the entire contents of the "My Documents" folder. More info: MS KB Q898612
1. More knowledge of the TCP/IP settings from Microsoft
If curious whether all of these settings exist, then check here:
MS KB Q120642 TCP/IP & NBT Configuration Parameters for Windows NT and Windows 2000
MS KB Q224829 Description of Windows 2000 and Windows Server 2003 TCP Features
MS KB Q314053 TCP/IP and NBT Configuration Parameters for Windows XP
MS KB Q142641 Internet Server Unavailable Because of Malicious SYN Attacks
MS KB Q315669 HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000
MS KB Q324270 HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003
To configure the maximum receive window size for all interfaces in bytes,
and to ensure that Window Scaling doesn't create receive windows that take too much memory (Win2k+ only):
[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \Tcpip \Parameters]
GlobalMaxTcpWindowSize = 17520 (Standard Range = 0-65535, Window Scaling Range 0-1GByte, Default not set)
Note none of these registry entries can be found in the registry after a clean
install, so to return to the default values just delete the registry entries.
If there are several adapters in the registry, one can find the wanted adapter by making
changes to the TCP/IP configuration for the adapter in Network Properties.
Example: set an odd DNS address for the TCP/IP protocol bound to the adapter, and then look
at the TCP/IP settings for each adapter to find the odd DNS address.
To configure MTU in WinNT4:
Adapter MTU (Go to the Services-key and do a search for "TCPIP" to find the different adapters using TCPIP)
[HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \{Adapter-Name} \Parameters \Tcpip]
MTU = 1500
4. Configure the priority of networks known by the MUP
The following happens when an application requests a network resource using the Uniform Naming Convention (UNC):
The request is received by the Multiple UNC Provider (MUP)
The MUP checks its cache for a recent handle to the wanted resource (from the last 15 minutes); if available it is returned
The MUP goes through the available network redirectors (sorted by priority) and asks them if they know the wanted resource
Each network redirector responds with a handle to the wanted resource if available (asked synchronously)
The MUP returns the handle from the redirector which responds first (highest priority).
One should make sure the redirectors/providers (like "Microsoft Client for Microsoft Networks" or "Novell Client for Novell Netware")
which know the majority of the wanted network resources have the highest priority.
To configure the priority of redirectors in WinNT4:
Open Control Panel
Double click Network applet
Select Services tab
Click Network Access Order
To configure the priority of redirectors in Win2k/WinXP:
Open Control Panel
Double click Network and Dial-Up Connections
In the menu select Advanced and select Advanced Settings...
Select the Provider Order tab and set the priority of Network Providers
Note MUP.SYS is usually the last driver shown before the operating system launches, so if there
is a problem loading Windows, it might seem like MUP.SYS is causing the problem (but it is not).
5. Configure the priority of protocols bound to the network services
When a service needs to make a network request it has to use a protocol. To get the fastest responses
one should assign the highest priority to the protocol (like "TCPIP" or "NetBEUI")
which gives access to the majority of the wanted network resources. Another way is to unbind/disable/uninstall
protocols which are not necessary for accessing resources on the network.
To configure the priority of protocols in WinNT4:
Open Control Panel
Double click Network applet
Select Bindings tab
Show bindings for All Services and change the order of protocols for each service
To configure the priority of protocols in Win2k/XP:
Open Control Panel
Double click Network and Dial-Up Connections
In the menu select Advanced and select Advanced Settings...
Select the Adapter and Bindings tab and in Advanced Settings - Connections select the network connection to configure bindings for.
In Bindings for Local Area Connections: set the order of protocols for each service for the selected connection.
When using a dial-up modem with Win2k and having booted without turning on the modem,
the modem will be unavailable unless you scan for new hardware or reboot the
machine with the modem turned on.
This can be solved by going into Phone and Modem Options in the Control Panel and removing
the current modem. Then add the modem again. During the reinstall it will ask if it
should detect the modem for you; answer no. You will then be shown a list of modems, where
you can find the modem you had installed before, unless you have the modem drivers on a disk.
This trick only works when you turn the modem on after booting into Win2k; if the modem is
turned on when booting into Win2k, the modem will be redetected, provided it has been
installed as described above.
11. Reset the TCPIP protocol or handle several network setups in Win2k/XP
If having a laptop which is used in different networks (home, work, customer, etc.),
then one can use NetShell to back up each network configuration and restore it again at will.
NetShell replaces Routemon from WinNT4.
Changing network settings with NetShell does not require a reboot.
One can also use hardware profiles to save the network configuration, but it requires a reboot to
change from one hardware profile to another.
To reset the TCP/IP protocol if it has gone bad (useful as WinXP cannot uninstall the TCP/IP stack):
netsh int ip reset <PATH>\resetlog.txt
Note WinXP includes an option called Alternate Configuration, which is used
when in a network without an available DHCP server, without needing to fiddle with netsh:
On the Start-menu, click Control Panel.
Click Network and Internet Connections and click Network Connections.
Right-click the wanted connection and select Properties.
Select Internet Protocol (TCP/IP) and press Properties.
If the normal configuration is DHCP, then the Alternate Configuration tab should be available.
More info: MS KB Q283676
RandomAdapter specifies whether TCP/IP should respond with a random IP address (one for each adapter),
or whether it should respond with the IP address of the adapter the request was received on.
SingleResponse specifies that it should only send one IP address when WINS does a name query request.
Note there is also a technology called Windows NT Load Balancing Service (WLBS - NT4)
or Network Load Balancing (NLB - Win2k+),
which handles clustering of several machines to act as a single unit. The cluster of several machines can provide
redundancy for critical applications and higher load handling. The above registry settings do not have anything to do with this kind of service.
Note not all applications support that the underlying TCP/IP layer responds with random IP addresses.
Instead one can try to set up manual load balancing using metrics.
Note hardware solutions (e.g. from Intel) for network load balancing also exist, where several NICs are bound together (also called "teaming"/"trunking"/"grouping")
to act as a single NIC using only one IP address.
Note due to a bug the display of errors is placed a little oddly in the dialog box.
Note the Status dialog box also shows the amount of data received and sent, though sometimes
it is shown in packets and other times in bytes. This behaviour is caused by the
drivers used for the network adapter or dial-up modem. If on an Ethernet LAN, then one has the
possibility to see how much data (in bytes) has been sent and received by opening a command prompt and executing this command:
14. Setting up a Virtual Private Network in Win2k/WinXP
A Virtual Private Network (VPN) allows you to create a protected/encrypted network between
two machines using a tunnel, so other machines are not able to access this network.
The VPN is created by one machine running a VPN client that connects to another
machine running a VPN server (RRAS).
Note IIS in the Pro version is by default configured to handle 10 concurrent users browsing.
It is possible to increase this limit to 20 (each client requires 2 connections):
Open a command prompt in this folder:
c:\inetpub\adminscripts
Execute this command (max value for Srv. is 2000000000):
cscript adsutil.vbs set w3svc/MaxConnections 40
Note IIS keeps a connection open for 5 min; by lowering the timeout it closes connections quicker, thus giving room for new connections:
Open a command prompt in this folder:
c:\inetpub\adminscripts
Execute one of these commands:
To lower the timeout:
cscript adsutil.vbs set w3svc/ConnectionTimeout 60
To disable keep-alive (closes the connection right after each request):
cscript adsutil.vbs set w3svc/AllowKeepAlive 0
16. Setting up WinXP Internet Connection Firewall (ICF)
Microsoft provides a simple firewall in Windows XP that protects against incoming traffic,
but it does not block outgoing traffic, such as that caused by a virus that has taken over the computer.
Windows XP SP2 includes an updated firewall, which still does not block outgoing traffic,
but it gives a better interface for controlling incoming traffic (file sharing, games, etc.).
To configure whether the WinXP SP1 firewall should allow ping:
In Control Panel double click "Networking and Internet Connections"
Right click the connection which you would like to get pinged, and select "Properties"
On the Advanced-tab press the Settings-button
On the ICMP-tab tick "Allow incoming echo request"
17. Setting up Internet Connection Sharing
For Win2k:
Setup connection sharing: MS KB Q307311 HOW TO: Set Up Internet Connection Sharing in Windows 2000; MS KB Q237254 How to Enable Internet Connection Sharing on a Network Connection in Windows 2000
Forward ports to local server: MS Technet To configure Internet connection sharing for applications and services
For WinXP:
Setup sharing of a connection: MS KB Q306126 HOW TO: Configure Internet Connection Sharing in Windows XP; MS KB Q314066 How to Enable Internet Connection Sharing on a Home or Small Office Network Connection in Windows XP
Setup sharing of a PPPoE connection: MS KB Q316276 How to Share a PPPoE Internet Connection with Windows XP; MS KB Q319661 Connectivity Problems on ICS Clients When You Use a PPPoE Connection on a Windows XP ICS Host
Use static IP on local server: MS KB Q309642 How to Configure a Static Client for Windows XP Internet Connection Sharing
Forward ports to local server: MS KB Q309524 How to Configure Windows XP ICS for an Internal PPTP Server
Create bridge with connection sharing: MS KB Q309640 Creating a Bridge with Two Internal Adapters on ICS Host; MS KB Q302348 Bridge May Not Work With a Non-Promiscuous Mode Network Adapter; MS KB Q892892 Bridge between network adapters may not enable in Windows XP
Troubleshoot the connection sharing: MS KB Q308021 Resources for Troubleshooting Internet Connection Sharing in Windows XP
For Win2k3:
Setup connection sharing: MS KB Q324286 HOW TO: Set Up Internet Connection Sharing in Windows Server 2003
Note to do ICS in WinNT4 a proxy server has to be installed:
MS KB Q306496 HOW TO: Configure or Disable Solicited Remote Assistance in Windows XP
MS KB Q306556 HOW TO: Obtain Remote Assistance Using Windows Messenger in Windows XP
MS KB Q306791 HOW TO: Provide Remote Assistance in Response to an E-mail Invitation
MS KB Q306757 HOW TO: Obtain Remote Assistance by Sending an E-mail Message in Windows XP
MS KB Q306800 HOW TO: Provide Remote Assistance In Response to Windows Messenger Invitation
MS KB Q884910 HOW TO: Offer remote assistance to a user with Windows XP SP2
To launch Remote Assistance from a command line:
%SystemRoot%\System32\rcimlby.exe -LaunchRA
19. Installing NetBEUI on WinXP/Win2k3
Microsoft has stopped supporting the NetBEUI (NetBIOS Extended User Interface) protocol. You can still find the needed files (Nbf.sys and Netnbf.inf) on your WinXP CD-ROM (drive letter X):
X:\Valueadd\Msft\Net\Netbeui
To install the protocol on WinXP/Win2k3 from the WinXP Install CD:
Copy the file Nbf.sys to the folder %Systemroot%\System32
Copy the file Netnbf.inf to the folder %Systemroot%\Inf (Hidden folder)
Click Start, Click Control Panel and double-click Network Connections
Right click the connection, where NetBEUI should be used, and then click Properties
On the General tab, click Install
Click Protocol, and click Add
Select the NetBEUI Protocol and then click Ok
Note some users have had trouble with occasional "Network not available" errors when using the NetBEUI supplied with WinXP.
They had better success using NETNBF.INF and NBF.SYS from a Win2k CD-ROM (maybe the fact that they reinstalled the protocol is the real clue).
20. Configure the AFD default Send-Window to increase upload speed
Usually when reading about TCPIP only one Receive Window per connection is mentioned,
which is used to control congestion created by network latency.
In the WinNT network architecture a layer called AFD (Ancillary Function Driver for Winsock)
is placed on top of the TCPIP layer. The AFD provides the Winsock interface,
which is used by most network applications in Windows, and it also supports things
like DNS and DHCP.
The AFD provides two windows which act as flow control for the application creating
the socket:
AFD-Send-Window: Used when the application is sending data over a connection. If
more data is sent than the receiver is able to acknowledge, the AFD-Send-Window buffers it
and blocks the application's transfer when the limit of the AFD-Send-Window is reached.
AFD-Receive-Window: Used when the application is receiving data over a connection.
If the application is not able to receive data fast enough, or is blocked by other
processing which keeps it from receiving data, then the AFD-Receive-Window acts as
a buffer until it reaches the limit of the AFD-Receive-Window, where it then
blocks the remote application from sending data.
The two AFD-Windows are by default self-tuning, using the following
values depending on the total amount of RAM detected. When an application creates
a socket it can specify a different AFD-Window than the default.
Default AFD Send- & Receive-Window = 4096 Bytes (if less than 19 MByte RAM)
Default AFD Send- & Receive-Window = 8192 Bytes (if more than 19 MByte RAM)
If using a high-latency or high-bandwidth network then the AFD windows can affect performance.
Too low an AFD-Send-Window will constantly block the application sending data.
Too low an AFD-Receive-Window will constantly saturate the application receiving data (and block the remote sender).
The two AFD-Windows should have the same value as the
optimal TCPIP-Receive-Window
to get the best speed.
To set the default size of the AFD-Windows use the following DWORD registry keys:
Note that the AFD-Windows should be rounded to a multiple of the page size (usually 4096 Bytes),
not to a multiple of the Maximum Segment Size (MSS), which is what is recommended for the TCPIP-Window.
Note that applications which specify their own AFD-Windows for each of their sockets by
calling setsockopt with a new value for the SO_RCVBUF parameter (not possible for RPC services)
will not be affected by changing the default AFD-Windows.
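The following Python script is an added example, not code from the original page: it shows the two facts the notes above state, that a per-socket window is rounded up to a page-size multiple rather than to the MSS, and that a socket which sets its own buffers with setsockopt no longer takes the system-wide default. It uses the standard socket module (SO_SNDBUF/SO_RCVBUF, the Winsock-level names for the AFD windows), so it runs on any OS; the 4096-byte page size and the 17520-byte sample RWIN (12 segments of 1460 bytes) are assumptions, and the optimal RWIN is taken as already computed, as the section says.

```python
import socket

PAGE_SIZE = 4096  # assumed page size; the section says it is usually 4096 bytes


def round_up_to_page(nbytes, page=PAGE_SIZE):
    """Round a window size up to the next multiple of the page size.

    The section says AFD windows should be page-size multiples, unlike the
    TCP receive window, which is tuned to a multiple of the MSS.
    """
    if nbytes <= 0:
        raise ValueError("window size must be positive")
    return ((nbytes + page - 1) // page) * page


def afd_window_for_rwin(rwin, page=PAGE_SIZE):
    """Per-socket AFD window from an already computed optimal TCP receive
    window: same value, rounded up to a page boundary."""
    return round_up_to_page(rwin, page)


def default_windows(sock):
    """Read the buffers a socket was given without asking for any.

    This is what the system-wide default hands out (on Windows, the
    registry value the section's DWORD keys change)."""
    return {
        "send": sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF),
        "recv": sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF),
    }


def set_windows(sock, send_bytes, recv_bytes):
    """Override both windows for this socket and read back what was granted.

    Once an application does this, the registry default no longer affects
    the socket, which is the caveat the section ends with. Linux reports
    back twice the requested value (it reserves bookkeeping space), so
    callers should check ">=" rather than "=="."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, send_bytes)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, recv_bytes)
    return {
        "send": sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF),
        "recv": sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF),
    }


def demo(rwin=17520):
    """Create an unconnected TCP socket, record its default windows, then
    apply an AFD window derived from the given optimal RWIN.
    17520 is a constructed sample value: 12 * 1460-byte MSS."""
    target = afd_window_for_rwin(rwin)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        before = default_windows(s)
        after = set_windows(s, target, target)
    return {"target": target, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run it once with the stock defaults and once after changing the system-wide setting: the "before" numbers move, the "after" numbers do not, which is exactly why an application that sizes its own buffers cannot be tuned from the registry.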
21. Configure how long to cache negative DNS replies in Win2k/XP
When accessing a domain like www.google.com, the domain name first has to be converted to an IP address.
This conversion is done by sending the name to a DNS server, which replies with the IP address.
The conversion can be observed when pinging a domain.
With Windows 2000 the DNS Client
caches the DNS lookups, so it doesn't have to contact the DNS server
every time, which also decreases the traffic to the DNS server. But negative DNS replies
are also cached and used for up to 15 min before the DNS server is asked again.
This waiting time can be annoying if the domain is correct and the DNS server was just
briefly unavailable. The waiting time can be configured with these DWORD values:
22. Delayed TCPIP ACK can cause slow network throughput
When a file is sent over the network it is chopped up into small packets, which are then sent.
TCPIP is a reliable protocol and demands that each packet is acknowledged by the receiver.
It is possible to acknowledge several packets at once, to avoid flooding the network with an
ACK for every packet received. Delayed acknowledgement sends an ACK packet at a certain interval and
acknowledges all the packets received since the last interval. The interval depends on a timeout value (default 200 ms)
and the number of outstanding ACKs (default 2). The delayed ACK (RFC 2581)
saves network bandwidth and helps against congestion, but it sacrifices max network throughput.
To configure the interval timeout in WinNT SP4 (go to the Services key and search for "TCPIP" to find the different adapters using TCPIP):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{Adapter-Name}\Parameters\Tcpip]
TcpDelAckTicks = 1 (Default=2, 0=Send ACK for every packet, 1-6 = 100-600 ms)
To configure the interval timeout in Win2000 SP3+:
To configure the max outstanding ACKs in Windows XP/2003+:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Adapter-id}]
TcpAckFrequency = 2 (Default=2, 1=Send ACK for every packet, 2-n = if n ACKs are outstanding before the timed interval, send ACK)
Note if disabling or shortening delayed ACK on a few machines (like a file server or domain controller), it will probably result in greater
network performance for those machines. If on a large corporate network delayed ACK is disabled for all
computers, it will most likely lower the available bandwidth for actual file transfer, as more of the bandwidth
is used for sending ACKs.
Increased performance will only be seen if requests are sent to your machine, and the requesters don't request anything else before your machine replies (ACK) to the first request.
Some additions to the above statement:
If the application doing socket communication uses the socket option TCP_NODELAY, then it will override the default delayed ACK frequency.
If all of the upload bandwidth is already used (easy on a slow connection), then disabling delayed ACK will lower performance because it will generate even more upload traffic.
If on a half-duplex connection, disabling delayed ACK will lower performance because only one party can send at a time (the receiver blocks the sender when sending an ACK).
If on an Ethernet hub with other computers (instead of a switch), disabling delayed ACK will lower performance because the increased traffic raises the chance of collisions and requires retransmissions.
Note Explorer.exe doesn't copy the next file before the previous file has been acknowledged (XCOPY doesn't have this behavior).
This means that the receiver will only accept a file at every ACK interval, and as the default ACK interval is 200 ms,
it will copy at most 5 files/sec over a single connection (imagine copying 1000 files of 1 KByte).
The performance can be improved somewhat by dragging a folder containing the files instead of selecting all the files and dragging them.
Note SMB Signing requires that SMB commands are processed synchronously,
so a client is only allowed to send the next SMB command when it receives the ACK for the previous one (only one outstanding).
This means that a client can send at most 5 SMB commands/sec, as it has to wait for the server's 200 ms ACK delay before it
is allowed to send the next SMB command. This can cause very low performance when copying small files to a server with
SMB signing enabled (imagine copying 1000 files of 1 KByte).
Note if a computer's only job is to receive large files or streaming data, one can increase performance by increasing
the number of outstanding ACKs before it sends an ACK (TcpAckFrequency). It allows acknowledgment of large chunks of data
with a single ACK packet instead of sending an ACK for every 2 packets. Make sure that the TCPIP RWIN
is larger than TcpAckFrequency*MTU,
as the sender will stop sending data if it fills the TCPIP RWIN without getting an ACK. Recommended values:
Note a 16 million connection limit sounds very promising, but there are other parameters (see below) which keep us from ever reaching this limit.
When a client makes a connect() call to connect to a server, the client implicitly binds the socket to a local dynamic (anonymous, ephemeral, short-lived) port number.
The default range for dynamic ports in Windows is 1024 to 5000, thus giving 3977 outbound concurrent connections for each IP address.
It is possible to change the upper limit with this DWORD registry key:
Note it is possible to reserve port numbers so they aren't used as dynamic ports, in case one has
a certain application that needs them. This is done by using the ReservedPorts (Q812873) setting.
Even without having 3977 concurrent connections for each IP address, it is still possible to run out of available port numbers or TCBs.
This can happen if quickly opening and closing connections, because after a connection is "closed" it enters the state
TIME_WAIT and continues to occupy the port number for 4 minutes (2*Maximum Segment Lifetime, MSL) before it is actually removed.
This behavior is specified in RFC 793,
and prevents attempts to reconnect to the same party before the old socket is recognized as closed on both sides.
It is possible to change how long a socket should stay in TIME_WAIT state before it can be re-used freely:
Note with Win2k the reuse of sockets has been changed, so when reaching the limit of more than
1000 connections in TIME_WAIT state, it starts to mark sockets that have been in TIME_WAIT state
for more than 60 secs as free. It is possible to configure this limit:
Note with Win2k3 SP1 the reuse of sockets has been changed, so when it has to re-use sockets
in TIME_WAIT state, it checks whether the other party is different from that of the old socket,
eliminating the need to fiddle with TcpTimedWaitDelay and MaxFreeTWTcbs any more.
If using an application protocol that doesn't implement timeout checking, but relies on the TCPIP timeout checking without specifying how often it should be done,
then it is possible to get connections that "never" close, if the remote host disconnects without
closing the connection properly. The TCPIP timeout checking is by default done every 2 hours, by sending a keep-alive packet.
It is possible to change how often TCPIP should check the connections (affects all TCPIP connections):
For each connection a TCP Control Block (TCB, a data structure using 0.5 KB paged pool and 0.5 KB non-paged pool) is maintained.
The TCBs are pre-allocated and stored in a table, to avoid spending time on allocating/deallocating TCBs every time connections are created/closed.
The TCB table enables reuse/caching of TCBs and improves memory management, but its static size limits how many
connections TCP can support simultaneously (active + TIME_WAIT).
Configure the size of the TCB table with this DWORD registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
MaxFreeTcbs = 2000 (Default = RAM dependent, but usually Pro = 1000, Srv = 2000)
To make lookups in the TCB table faster, a hash table has been made which is optimized for finding a certain active connection.
If the hash table is too small compared to the total number of active connections, extra CPU time is required to find a connection.
Configure the size of the hash table with this DWORD registry key (allocated from paged pool memory):
Note Microsoft recommends for a multiprocessor environment that the value should not be higher
than the maximum number of concurrent connections (MaxFreeTcbs); also on a multiprocessor it might be interesting
to look at the registry key NumTcbTablePartitions (recommended value: CPU count multiplied by 4).
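As an added example that is not part of the original page, the following Python script turns the two limits described above, the 1024-5000 dynamic port range and the MaxFreeTcbs table size, into something that can be checked on a running host: it parses the output of "netstat -ano", counts how many dynamic ports are occupied and how many of them are only sitting in TIME_WAIT, and reports which peer those TIME_WAIT sockets point at, since a burst of short-lived connections to one endpoint is the usual way the range is exhausted. The netstat output embedded here is constructed, and the range bounds and the MaxFreeTcbs value of 1000 are taken from the figures quoted in this section as assumptions rather than read from the registry.

```python
import re
from collections import Counter

# Constructed sample of "netstat -ano" output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1025          10.0.0.2:445           ESTABLISHED     4
  TCP    10.0.0.5:1026          10.0.0.2:80            TIME_WAIT       0
  TCP    10.0.0.5:1027          10.0.0.2:80            TIME_WAIT       0
  TCP    10.0.0.5:1028          10.0.0.2:80            TIME_WAIT       0
  TCP    10.0.0.5:1029          10.0.0.9:3389          ESTABLISHED     1480
  TCP    10.0.0.5:1030          10.0.0.2:80            CLOSE_WAIT      2204
  TCP    10.0.0.5:4999          10.0.0.2:80            TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""

# One TCP entry: proto, local addr:port, remote addr:port, state, owning PID.
TCP_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return a dict per TCP entry; header, blank and UDP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            c = m.groupdict()
            c["lport"] = int(c["lport"])
            c["pid"] = int(c["pid"])
            conns.append(c)
    return conns


def port_pressure(conns, low=1024, high=5000, max_free_tcbs=1000):
    """Compare the current sockets against the dynamic port range and the
    TCB table size. low/high default to the 1024-5000 range the section
    gives and max_free_tcbs to the Pro figure quoted for MaxFreeTcbs; both
    are assumptions about the examined host, not values read from it."""
    states = Counter(c["state"] for c in conns)
    # LISTENING sockets are server-side binds, not dynamically assigned ports.
    occupied = [c for c in conns if c["state"] != "LISTENING"]
    dyn_ports = {c["lport"] for c in occupied if low <= c["lport"] <= high}
    range_size = high - low + 1
    # Per the section, active and TIME_WAIT connections each hold a TCB.
    tcbs_in_use = len(occupied)
    # Which peer the TIME_WAIT sockets point at.
    tw_peers = Counter(f'{c["raddr"]}:{c["rport"]}'
                       for c in occupied if c["state"] == "TIME_WAIT")
    warnings = []
    if len(dyn_ports) >= 0.8 * range_size:
        warnings.append("dynamic port range nearly exhausted")
    if states["TIME_WAIT"] > len(dyn_ports) / 2:
        warnings.append("most occupied dynamic ports are TIME_WAIT")
    if tcbs_in_use >= 0.8 * max_free_tcbs:
        warnings.append("approaching MaxFreeTcbs")
    return {
        "states": dict(states),
        "dynamic_range": range_size,
        "dynamic_used": len(dyn_ports),
        "dynamic_free": range_size - len(dyn_ports),
        "tcbs_in_use": tcbs_in_use,
        "tcb_headroom": max_free_tcbs - tcbs_in_use,
        "time_wait_peers": dict(tw_peers),
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = port_pressure(parse_netstat(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host feed it the saved output of "netstat -ano" instead of the constructed sample; a high TIME_WAIT share pointing at one peer is the signature of the quick open/close pattern the section describes, and is worth checking before touching TcpTimedWaitDelay or MaxFreeTcbs.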
Note if using the Professional/Home edition of Windows then it is very likely that it is
crippled (by Microsoft) so that it doesn't handle many concurrent TCP connections. E.g. Microsoft has
officially stated that the backlog limit is 5 (200 on Server), so the Professional
edition is not able to accept() more than 5 new connections concurrently. More info: MS KB Q127144
Note even after having optimized Windows to handle many concurrent connections,
connections might still be refused when reaching a certain limit, in case a NAT router/firewall
is placed in front of it which is unable to handle so many concurrent connections.
Note if having activated SYN-Attack-Protection
(enabled by default in Win2k3 SP1) or installed WinXP SP2, a limit is introduced on how many connection attempts
(half-open) one can make simultaneously. This will limit worms like Blaster
and Sasser from spreading too fast, but it will also limit other applications
that create many new connections simultaneously (like P2P).
EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts
24. Microsoft TCP/IP Version 6 (IPv6) can make network slow
Internet Protocol ver. 6 (IPv6) contains many new improvements:
128 bit address space (IPv4 uses 32 bit)
Easier configuration (IPv4 uses DHCP or a manually set static IP address)
Built-in security
Better support for QoS
Sadly not all Internet Service Providers (ISPs) are able to handle IPv6 properly.
For example some IPv4 DNS servers cannot handle IPv6 "AAAA" record lookup requests.
Instead of replying NOERROR with an empty answer, they respond NXDOMAIN or NAME_ERROR, or do not
respond at all. This causes either very slow DNS lookups because of timeouts or failure
to perform the DNS lookup at all.
To uninstall IPv6 (And only use IPv4):
Open Control Panel -> Network Connections
Right Click the network interface card, and select Properties.