Jump to content

Analyze Event ID 4226


ptrex
 Share

Recommended Posts

Analyze Event ID 4226

Explanation

The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.

Establishing connectionrate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

Connection-rate limitations may cause certain security tools, such as port scanners, to run more slowly.

_NetStat()

Func _NetStat()
    Local $sRet

    $sRet = Run(@ComSpec & " /c Netstat -no", "", @SW_HIDE,2)

    While 1
        $line = StdoutRead($sRet)
        If @error Then ExitLoop

        $Info = StringSplit($line,@CR)
        ;ConsoleWrite($line & @CR)
        For $i = 5 to $Info[0] - 1
            ConsoleWrite($Info[$i] & @CR)
            $Pid = StringRight($Info[$i],4)
            ;ConsoleWrite($Pid[4] & @CR)
            
            $Process = $Pid ; = PID
            _ProcessInfo($Process)
            ;ConsoleWrite($Process & @CR)
        next
        ;ConsoleWrite($Info[0] & @CR)
    Wend

    While 1
        $line = StderrRead($sRet)
        If @error Then ExitLoop
        ConsoleWrite( "STDERR read: "& $line & @CR)
    Wend
EndFunc

Func _ProcessInfo($Process)
    Dim Const $wbemFlagReturnImmediately = 0x10
    Dim Const $wbemFlagForwardOnly = 0x20

    $oWMIService = ObjGet("winmgmts:" & @ComputerName & "rootCIMV2")
    If Not @error Then
        $oItems = $oWMIService.ExecQuery("SELECT * FROM Win32_Process where ProcessId = " & $Process, "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

        For $Item In $oItems
            ConsoleWrite(" Name: " & @tab & @tab& @tab& "ProcessId: " & @tab & @tab & "CommandLine: " & @tab & @LF)
            ConsoleWrite(" "& $Item.Name & @tab & @tab & @tab& $Item.ProcessId & @tab & @tab & @tab & $Item.CommandLine & @LF)
        Next
    EndIf
EndFunc

Enjoy !!

ptrex

Edited by ptrex
Link to comment
Share on other sites

Link to comment
Share on other sites

@big_daddy

If I'm understanding this correctly, the console output is each process that has triggered that event?

Not Exactly.

This script helps you analyzing the specific Event ID 4226 in your, mentioned in the Event Viewer.

Without this script it is quite clumsy to analyse what causes these events to happen.

What this event 4226 means is explained in the first post.

I know lot's of people have seen the event pass by, but don't have a clue what it is, are what to do about it.

I hope this helps a bit.

regards

ptrex

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...