Various Windows notes

From Helpful
This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)



Errors and issues

"The specified network name is no longer available"


This Windows error, most commonly received during network data copy, seems to be caused by the underlying network connection dropping, often for just a fraction of a second, sometimes more permanently.


Apparently, a common culprit is having a duplex mismatch between networking ends: full duplex on one and half on the other, particularly on direct network card-to-card connections where these settings can be forced, but also when the network card or switch is just dumb about autodetection.


Other possibilities seem to include:

  • bad drivers,
  • a bad hub/switch (e.g. a cheap one that freezes up sometimes)
  • bad wireless connections,
  • a damaged cable


See also


Windows handles, handle-related problems

A windows Handle is a reference to one of about three dozen types of resources (Kernel Objects) - specifically resources that are managed by windows itself, and used only through a windows API. (Handles themselves are uint32 numbers; they have meaning as a (dynamically allocated) identifier)


The applicable types vary with the version of windows, and a little on how you count. Some of the more significant are event handles (for critical section type things), file handles, registry-key handles, section handles (shared memory stuff), thread handles, window handles, some other types relating to GUI elements and DirectX, and a few more of which there can easily be at least a few hundred system-wide.


Windows does not deal well with running out of allocatable handles, even in user-space programs. In theory it's hard to run out, because many of the types have limits (per process and/or system-wide(verify)).

Handle leaks of some of the types can easily crash the system, so some bugs can cause trouble in windows.


There is an overall handle limit per process (2^24, ~16 million) (though the amount of memory also limits how many you can actually allocate).


See also:


Windows file or directory can't be removed

Windows (XP?) has had a problem for years where you can't delete a file after some specific actions.

There are a few things that bring out this bug, which include:

  • Trying to delete it while it is still open. Sometimes this will cause it to be undeletable afterwards (because explorer.exe keeps it open)
  • Directories with files like this (implicitly, because it contains an open file)

Windows will say it is in use, but there's no application with it open.


The quick and dirty solution is rebooting, but there are other ways.

In particular, Process Explorer lets you search for open handles by their path name (and close handles, but that's a bad idea when they are actively in use, in that the program may not be expecting it and the file may be in a half-updated state; if it's lingering only because of a bug, though, the difference between this and what will happen at the next shutdown/reboot isn't much).


Notes on handle leaks, and inspecting handles

Most processes tend to have a few dozen to a few hundred handles open, so a system with a bunch of programs installed and running may easily have 10000-25000 handles open in total.


One or two thousand is normal for explorer.exe, some services, 'System', and a few others (each partly because it's a bunch of things in one). Lots of apps open (e.g. 80 chrome tabs) also adds up. In some cases, up to 60Kish total isn't crazy.


More than a few thousand, and steady growth to thousands (over minutes or hours), is likely to indicate that a program doesn't close them as it should.

Eventually this becomes a problem for the system, as the OS will run out of some resource or other.


Inspecting

You can identify the count with just Windows's own Task Manager (Ctrl-Shift-Esc):

  • Recent windowses: Go to the Details tab, right click the header, 'Select columns', add the 'Handles' column
  • Older windowses: Go to the process tab, via View → Select columns / recent window, add the 'Handles' column

In some cases, just knowing the process that is misbehaving is enough information to know what to update/downgrade/uninstall. (For example, I had a webcam helper that had a handle leak related to it looking for its registry settings every second, but not closing that handle.)


In other cases it's not so simple, particularly when the offending process is 'System' as you can't tell what specific part is misbehaving. It's likely to be some driver or other, but it's hard to tell from just the count.

If you want more detail:

  • On Windows Vista and Windows 7 there is "Resource Monitor" (part of(verify) and reachable via Performance Monitor).
    • In the CPU tab you can view the handles for the selected processes (seems to show only some types of handles(verify))
    • seems not to report on System process (verify)

Some usage notes for Handle.exe:

  • without the -a option it shows only file (and section?) handles. To show all types, use -a.
  • invoked without options at all it shows (the file handles for) all processes.
  • you can inspect a specific process using -p, giving it a PID or a process name (partial is allowed, seems to be a starts-with test)
  • You can get an overall summary (count per type) by using handle.exe -s, though this doesn't mean much if you don't know how much of each type is to be expected


In one case of the misbehaving System process, Handle.exe showed thousands of thread handles it couldn't access - but the process's thread count was low, which likely meant it leaked thread handles. It turned out to be a specific driver.
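As an added example (not from the original notes), the 'steady growth' rule of thumb above as a small Python script: it takes per-process (seconds, handle count) samples, such as you'd collect by noting the Task Manager 'Handles' column once a minute, and flags counts that are both large and still climbing. The thresholds and the three sample series are constructed assumptions, not measurements.

```python
"""Handle-count growth check (added example, not from the original notes).

Input is a list of (seconds_since_start, handle_count) samples for one
process, e.g. the Task Manager 'Handles' column noted once a minute.
The three sample series below are constructed, not measured.
"""
from dataclasses import dataclass


@dataclass
class Verdict:
    process: str
    first: int
    last: int
    per_hour: float     # least-squares growth rate, handles per hour
    suspicious: bool


def growth_per_hour(samples):
    """Least-squares slope of handle count against time, in handles/hour."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_h = sum(h for _, h in samples) / n
    num = sum((t - mean_t) * (h - mean_h) for t, h in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return 0.0 if den == 0 else num / den * 3600.0


def keeps_climbing(samples, fraction=0.8):
    """True when at least `fraction` of consecutive deltas are strictly
    positive: a leak creeps up every sample, whereas opening 80 tabs is one
    big jump followed by a plateau, and normal use bounces up and down."""
    deltas = [b[1] - a[1] for a, b in zip(samples, samples[1:])]
    if not deltas:
        return False
    return sum(1 for d in deltas if d > 0) / len(deltas) >= fraction


def assess(process, samples, min_count=3000, min_per_hour=500):
    """Flag a process whose count is large AND still rising steadily.
    The thresholds are assumptions for illustration, not Windows limits;
    the notes' own rule of thumb is 'more than a few thousand and growing'."""
    rate = growth_per_hour(samples)
    first, last = samples[0][1], samples[-1][1]
    flag = last >= min_count and rate >= min_per_hour and keeps_climbing(samples)
    return Verdict(process, first, last, round(rate, 1), flag)


# Constructed one-hour series, one sample per minute.
LEAKING = [(60 * i, 400 + 60 * i) for i in range(61)]           # +1 handle/s, never closed
STEADY = [(60 * i, 1500 + (i % 3) * 10) for i in range(61)]     # explorer-like jitter
STEP = [(60 * i, 2000 if i < 10 else 6000) for i in range(61)]  # many tabs opened at once


def main():
    for name, series in [("webcamhelper.exe", LEAKING),
                         ("explorer.exe", STEADY), ("chrome.exe", STEP)]:
        v = assess(name, series)
        print(f"{v.process:18} {v.first:>6} -> {v.last:<6} {v.per_hour:>8}/h  "
              f"{'LEAK?' if v.suspicious else 'ok'}")


if __name__ == "__main__":
    main()
```

Only the leaking series is flagged: the jittering one never gets large, and the one-off jump is large but not climbing.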

User interface tweaks

Kiosk-style notes


Disabling various system utilities

For example, if you want windows to complain whenever someone tries to run:

  • the command prompt (cmd): "The command prompt has been disabled by your administrator"
  • the task manager (e.g. Ctrl+Alt+Del on XP): "Task Manager has been disabled by your administrator"
  • the registry editor (regedit): "Registry editing has been disabled by your administrator"

(Malware may do some of these things, to try to make it harder for you to kill it)


Via the registry

These settings are in the registry. Larger sites (and people who like explanations more than numbers) may prefer the policy editor.

As such, you can use the policy editor to fix this (except in versions of windows that MS removed that tool, such as XP Home).

Registry sections (See Registry editing) where various related policies may be stored (different ones in different locations):

HKLM\SOFTWARE\Policies\Microsoft\System
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKLM\SOFTWARE\Policies\Microsoft\Windows\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Policies\Microsoft\Windows\System

...so you probably want to search for the actual key that's restricting you.


The keys (names vary somewhat between versions of windows) have names like:

DisableCMD
DisableRegistryTools
DisableTaskMgr
NoControlPanel
NoTrayContextMenu

These tend to be DWORD entries that you want to be 0 instead of anything else.

For a longer reference with all sorts of specific tweaks (down to things like disabling the 'Background' tab in the Display settings), see the description of a virus or spyware that does this.
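An added example (not part of the original notes) that audits the registry locations and value names listed above: on Windows it reads them with Python's standard winreg module, and find_lockdowns() reports every entry that is not 0. The constructed sample dict stands in for what a locked-down (or malware-touched) machine would return, so the check can be exercised anywhere.

```python
"""Audit the interface-lockdown policy values listed in the notes.
Added example, not from the original notes. On Windows, read_policy_values()
collects them via winreg; elsewhere (or for testing) hand find_lockdowns()
a dict of {location: {value_name: value}} gathered some other way."""
import sys

# Locations the notes list. Which value name lives where varies by Windows
# version, so every name is looked up at every location; a missing value or
# key simply means 'not set there'.
POLICY_PATHS = [
    ("HKLM", r"SOFTWARE\Policies\Microsoft\System"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"),
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows\System"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"),
    ("HKCU", r"Software\Policies\Microsoft\Windows\System"),
]
LOCKDOWN_VALUES = {
    "DisableCMD": "command prompt disabled",
    "DisableRegistryTools": "registry editing disabled",
    "DisableTaskMgr": "Task Manager disabled",
    "NoControlPanel": "Control Panel hidden",
    "NoTrayContextMenu": "tray context menu disabled",
}


def read_policy_values():
    """Windows only: return {location: {name: value}} for values that exist."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for hive, path in POLICY_PATHS:
        try:
            key = winreg.OpenKey(roots[hive], path)
        except OSError:
            continue  # key does not exist: nothing is set here
        with key:
            for name in LOCKDOWN_VALUES:
                try:
                    value, _kind = winreg.QueryValueEx(key, name)
                except OSError:
                    continue  # this value is not present under this key
                found.setdefault(hive + "\\" + path, {})[name] = value
    return found


def find_lockdowns(found):
    """Return [(location, name, value, meaning)] for each active setting.
    The notes say these DWORDs should be 0; anything else counts as active."""
    active = []
    for location, values in found.items():
        for name, value in values.items():
            if name in LOCKDOWN_VALUES and value not in (0, None):
                active.append((location, name, value, LOCKDOWN_VALUES[name]))
    return active


# Constructed sample: what a machine with Task Manager and regedit locked
# out (and DisableCMD explicitly set to 0) might return.
CONSTRUCTED = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKCU\Software\Policies\Microsoft\Windows\System": {"DisableCMD": 0},
}


def main():
    found = read_policy_values() if sys.platform == "win32" else CONSTRUCTED
    for location, name, value, meaning in find_lockdowns(found):
        print(f"{meaning}: {name}={value} at {location}")


if __name__ == "__main__":
    main()
```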


Further restrictions

Keyboard filtering




Policy editing

It is often easiest to use the policy editor (run gpedit.msc via the dialog) since it's both friendlier and more organized than trying to find the registry entries they imply. It's also handy if your registry editing is disabled in the first place.

Most of the interface lockdown is in two places:

  • User Config\Admin Templates\Start Menu and Taskbar allows you to strip down the start menu items and task bar behaviour, including:
    • remove links to control panel, network settings, printers, windows update, Run, Search, Help, Favorites, various My somethings
    • remove personal start menu entries and/or 'All users' entries
    • disable access to Shut Down, enable the Log Off item
    • remove the user's name from the start menu
    • taskbar right-clicking and/or properties menu
    • taskbar balloon tips
    • taskbar locking
    • toolbar lockdown
    • system tray hiding
    • remove 'frequent program' list
    • not keeping a document history
  • User Config\Admin Templates\System, such as:
    • Prevent access to registry Editing Tools
    • Prevent access to the command prompt
    • Custom user interface (see below)
    • Ctrl+Alt+Del Options
      • Remove Task Manager
      • Remove Lock Computer
      • Remove Change Password
      • Remove Logoff

The Ctrl+Alt+Del Options are WinNT/Win2K-centric, referring to the dialog you get when you press Ctrl-Alt-Del. They may be remapped a bit; in XP, 'Remove Task Manager' refers to pressing ctrl-alt-del to get the task manager.


See also [1].

'Custom user interface'

The Custom user interface option allows you to tell windows to not run the default, explorer.exe, and instead run something else. (This also kills features that come from explorer, such as shortcuts like windows-R.)


You could, for example, run Internet Explorer in its kiosk mode ("iexplore -k", meaning fullscreen with the menu disabled).

Firefox has similar functionality in plugins, for example r-kiosk. Note that with firefox, you probably want to disable the tab/session restore feature, and instead unconditionally go to the configured start page. (Go to about:config, find browser.sessionstore.resume_from_crash, set it to false)

Software restriction

Other tweaks

Considerations:

  • you may want to disable the screensaver
  • you may want to set up remote desktop, for remote administration.
  • you may want to disable Active Desktop, IE's 'set as background', and such (not airtight?(verify))
  • you may want to make program termination at shutdown harsher, to avoid a scheduled/remote shutdown hanging. Set HKEY_CURRENT_USER\Control Panel\Desktop\AutoEndTasks to 1 (REG_SZ type)
  • When firefox and/or the OS was shut down somewhat harshly you may get the session recovery question. You may want to disable that (and just start at a given homepage) so that you don't have to answer it.
  • Disabling running arbitrary things is actually hard.


See also

Global key shortcuts

Basic windows-wide shortcuts:

  • Win+E: Open new explorer window
  • Win+L: Lock screen (goes to login window, leaves your session intact)


  • Win+D: 'show desktop', much like:
  • Win+M: Minimize all windows
  • Win+Shift+M: Restore windows hidden by last Win+M

Since windows 7:

  • Win+Up arrow - maximize
  • Win+Down arrow - minimize
  • Win+Left arrow, Win+Right arrow cycle through: dock left, dock right, don't dock. Is aware of multiple monitors.


For keyboard without windows/menu keys:

  • Ctrl+Esc: Windows key
  • Shift+F10: Menu key


For admins:

  • Win+Break (as in the Pause/Break key) shows System Properties
  • Ctrl+Shift+Esc - open Task Manager (more immediate than going via Ctrl-Alt-Del)


Keyboard+Mouse

  • Alt-doubleclick: Properties


Avoiding the mouse:

  • Shift+F10 - imitate right mouse click
  • F4 - Go to Explorer's address bar
  • F2 - Rename item

Making your windows installation smaller

This article is marked 'feel free.' Often because its authors know they won't spend as much time on it as they should. Your help is appreciated.

First of all, drive space is almost completely unrelated to sluggishness.

Do it only because you are, right now, starting to run out of space (or perhaps to avoid that on an SSD).


Some of the easier, more effective things

Most of these things clean up crud that builds up, so only need to be done once in a while, or just once.


Windows's Disk Cleanup utility

In particular, consider

  • removing all but the most recent restore point (see More Options)
  • cleaning up after windows update, or updating windows (see Clean up system files)

Utilities that clean up

Such as CCleaner and similar.

They know about crud various specific apps leave behind.


Note:

  • this removes only a few MB on a brand-new install,
  • but potentially gigabytes on something you've used for a while and never cleaned this way, while
  • doing this regularly is almost pointless, because little of it adds up very quickly

See where large files are

Particularly your own files, when you just forgot where they were.

See tools like WinDirStat

Remove programs you never use (and can reinstall easily)

Such as big games you haven't played in a while.


Less effective, fairly manual, riskier hardcore nerdery, etc.

Many other things have less effect, and/or require more hardcore (and potentially dangerous) nerdery.


Removing all but the most recent Java update

actually recommended on the java site itself



Removing windows components you don't need

...though this hardly makes a dent.

On XP you could strip ~200MB of things you probably never used
The "Windows Features" thing in Win7 mainly just disables things and does not remove them(verify)

%windir%\SoftwareDistribution


(Part of Windows Update)

tl;dr:

  • %windir%\SoftwareDistribution\Download
    seems to be safe to clear - assuming it's not in use right that moment.
  • Don't touch the other parts.

Installers, installer caches

MSOCache

MSOCache is a local copy of some Microsoft Office installation files, which Office's setup copies to the root of one of your partitions when, at install time, it decides there's enough space for it.

It often takes up on the order of 250MB, sometimes more.


It helps Office do repairs, install patches/updates, and some component (re)installs without needing the CD.

The MSOCache is one Local Installation Source (LIS) set (of which there may be more than one(verify)).


Not creating

You can ask installers for some (but not all - which?(verify)) Office versions that you don't want this cache.


Removing

You can remove the directory. If you do, know where your office CD is.

If you do delete it, Microsoft suggests you don't do it manually using Explorer, but with the standard windows Disk Cleanup utility (run Disk Cleanup for the drive the MSOcache is on and manually check the option 'Office setup files').


Moving

If you e.g. have a cramped system drive and a separate large storage drive, then it can make sense to move the LIS caches.

You can do this cleanly using the LIS tool:


See also

Microsoft pages:

Other pages:

%windir%\Installer (WinXP, Win7, more?)

Usually meaning C:\Windows\Installer


Can easily contain a few hundred MB to 1GB or so of installers, all named something like 46b0ca2.msi

Deleting these files usually means the program it belongs to will not uninstall anymore, and possibly not update, which may be more bother in the long run than a couple hundred MB is worth.

You may wish to leave anything that may update/change regularly (iTunes, Silverlight, Office, etc. - which are some of the largest) alone.
The various smaller ones add up too. You could go through them if you have too much time.


To find out what each of these is

  • right-click, properties, details will sometimes show a clear name.
  • ...if not, you could run them, since almost all installers will give a 'repair, uninstall, cancel' window before they do anything. Not everything, though...


Some of these files compress well, but most don't. You may be able to shave off a few hundred MB, and it won't affect speed of anything but the fairly rare event of uninstalls and updates.

Apple's Installer Cache

Somewhere in the All Users profile, though the exact path seems to vary.

Usually a few dozen MB (for iTunes, Quicktime) up to perhaps 600MB (many old versions of iTunes, Quicktime, Safari).

It seems that you can delete at least the old versions you don't have installed anymore.

There seem to be other places Apple places installers for different software (the background services it adds, iPhone updates)(verify).

Chrome versions/installers

tl;dr: No need / no point. But you can.


Somewhere under a user's App Data, there's a Chrome\Application directory which contains chrome.exe, and two \version directories, each of which include an \Installer directory.

Chrome stores the current version and one old one, presumably to transparently fall back in case of problems. It automatically cleans up older versions. So while there's (order-of-magnitude) 200MB that isn't being used, it's a feature, it won't grow, and you'll get a new version on every minor chrome update.

WinSxS (Vista, 7, 8, 10)


tl;dr: Not all of it is useful, but there's little you can safely prune.


Some possible cleanup:

  • If you have installed language packs you don't use, you can use lpksetup.exe to remove them.
  • Win7: If you have updated to SP1, you can use dism to clean up a bit (verify)
  • Vista: If you have SP1, you can clean a bunch of files that are only necessary to uninstall this service pack. Look for vsp1cln.exe (part of the service pack).

Beyond that, don't mess with it. (you can skip reading the rest of this section)


Summary:

  • "Side by side" (SxS) is how windows organizes its components and (DLLcache-like) backup files, particularly the potentially shared stuff. Used since Vista/7ish.
  • The windows directory looks bigger than the storage it actually takes, by easily a few GB (varies), because parts use hardlinks (multiple files on the filesystem that actually point to just one stored copy of the contents[2]).
    • Most utilities (including Explorer itself, at least AOTW) do not check whether entries are duplicated via hardlinks, so simply count each copy. To get an idea of actual disk-space use, look for utilities like Hardlink Scanner.
  • WinSxS is functional. It helps avoid DLL hell trouble. While it is sometimes overzealous in what it keeps, a lot of it isn't bloat. Unless you have a particularly small disk, the risks of pruning this are probably not worth the small space gained.
  • WinSxS contains
    • windows's current system files (System32 and SysWOW64 have a bunch of hardlinks into WinSxS)
    • libraries that other programs install into SxS and hardlink to
    • a good chunk of the windows install DVD (so that you won't have to grab it later)
    • what was previously the DLLcache is now Winsxs\Backup (sort of)
  • You can remove things from this directory, in that you can manage to remove the protection. ...you do so at the risk of breaking some updates, installs, and programs.
  • For most things in there, there is no automated cleanup, not even of components you don't use. You can try manual deletion, but it's risky unless you know for sure it's not in use. For example, you break search if you remove naturallanguage6.


Removing windows update files (XP)

...those that are useful only for reverts.

(mostly for XP, not so much under Vista and Win7 and later)

CCleaner can do this, as can various other things. If you know what you're doing you can do it manually.

The windows DLLCache (XP)

tl;dr: Safe to remove, but doesn't remove much and it saves you grabbing your install CD. Probably best to leave alone.

(...unless you're making netboot images for kiosk installs or such)


Purpose

The DLL cache is part of Windows File Protection (WFP) used in Windows NT, 2K, 2K3, XP, and somewhat differently in Vista and Windows 7(verify).


WFP keeps an eye on system files (DLLs and more) and will notice (based on signatures) when such files are replaced, and transparently and quietly puts back the most proper version (that it knows of and has). This protects you from e.g. old installer programs that blindly overwrite system files with old/bad versions because they were meant for older or other versions of windows. (over time it's become infeasible to even expect these installers to check)


The major source of these good versions is the DLL cache. This is why you generally want to keep it, unless you really really need the 200MB to 500MB that the cache typically takes.


Notes:

  • WFP is a convenience feature, not a security feature. Once a program is allowed to write to the windows directory, it can usually also write to the DLL cache and everything else in your system, so if a program is malevolent (malware, viruses) it can usually circumvent this well enough.
  • WFP looks for files in the DLL cache, the driver cache, the installation medium (which may be a copy of the install CD in a local directory, or a network directory), and failing all of those will fall back to asking you for your install CD.
  • It probably also looks in the directories for hotfixes, since those register new DLL versions with WFP too.
  • SFC.exe (System File Checker) refers to a run-once command that does the same thing, which you can e.g. set to run at bootup. (It was apparently introduced in Win98, which didn't have WFP as a service yet.)


DLLcache size, settings, and emptying

Unless and until a size limit is explicitly set, the dllcache will easily grow to a few hundred MB, depending on the variety of installs you do, hardware you plug in, and such. It shouldn't grow much beyond 500MB as there are only so many files to protect.

Different versions of windows also have (varying) implicit limits - none should completely fill up your drive.


You can also change most settings in the policy editor in Computer Configuration/Administrative Templates/System/Windows File Protection.


A number of these can also be set with the sfc.exe utility, which primarily lets you:

  • empty the cache: sfc /purgecache. Can be handy when you suspect something in it is corrupt. Alternatively, you can just delete the files in the dllcache directory.
  • set a limit on its size: sfc /cachesize=100 (the number is interpreted as megabytes).
  • trigger a check: sfc /scannow

(...and a few other things). See sfc.exe /? for more details. You'll need a windows command prompt.


You can move the DLLcache - the directory it's in is looked up via a registry entry.



See also


Driver cache (XP)

tl;dr: You usually do not want to remove this.


The driver cache is a set of commonly useful drivers, such as low-level hardware that may change (ports enabled in the BIOS and such), support for basic USB device types, and more. The driver cache means installation of these things can go fluidly, often transparently (without prompts to you), by having these files always be fetchable from this cache.

It's at %SystemRoot%\Driver Cache\i386\driver.cab (by default; it is pointed to by a registry key). Windows service packs may store additional driver cabinets in the same directory, for example sp2.cab.


You can delete the driver cache if you are really pressed for space - but doing so will stop installation of a lot of (lower-level) hardware from being transparent to the user.

Disabling such previously automatic hardware installation is potentially useful for some admins, because it will now ask to look in other places, and for admin credentials to install. In short, you can use it to prevent users from installing their own devices. This is usually not necessary, it may include USB sticks and make your users very unhappy, and in some cases you may just be creating a lot of extra work for yourself.

Some notes

on Windows 10

Windows 10 is cleverer about being compact than earlier versions, including compression, so there's less to be won in the details.

Of course, remove any programs/apps you don't use.


If you did an update, it kept the previous windows copy, probably taking on the order of 10GB. You can use Disk Cleanup to remove that.


on Shadow Copy (Vista, 7)


Says microsoft: "The Volume Shadow Copy Service provides the backup infrastructure for the Microsoft Windows XP and Microsoft Windows Server 2003 operating systems, as well as a mechanism for creating consistent point-in-time copies of data known as shadow copies."


It has existed since the later days of XP, but in Vista and Win7 it has more integration, and more things use it.

It supports:

  • System Restore,
  • 'Previous Versions' tab for files & dirs
  • Certain backup programs (and the filesystem-level implementation (NTFS-only?) avoids locking problems)


You can clear them, or change the maximum size allocated to it (usually a percentage of your disk size).

If you have WinDirStat/WizTree/Sequoiaview or such, you'll see these inside System Volume Information (on NTFS filesystems, at least)


See also:


Semi-sorted

Something taking 100% CPU

Various windows services are known to be buggy and, under certain circumstances, take all CPU for little to no good reason.

To diagnose, run the windows task manager (Ctrl-Alt-Del) or Process Explorer (the latter shows more description of otherwise cryptic process names) to see whether there are any other processes constantly using CPU.

You can try quitting some system-tray applications the usual way (or via task manager or process explorer) to see if you can tell whether something is doing this.


Note: This page does not address inefficiently coded/accessed things (soft modems, stupid/lazy drivers, some uses of parallel ports)


lsass.exe taking all CPU

Assuming you've checked for viruses and spyware (there are a few that infect lsass.exe specifically)...


lsass.exe is the Local Security Authentication Server, and is used in many networked situations, handling local logon(verify) and various other security/authentication details, such as SSL connections (verify).


On desktop windowses like XP, lsass is sort of a relic from its NT pedigree and is rarely doing much beyond helping secure connections.


On workstations, bugs in applications (or theoretically even just a lot of load from one) can cause lsass to take a lot of CPU. Think secured VPN, VOIP, some chat programs, a webcam proxy application, and such. (In my case, a buggy logitech webcam service caused the problem - one of the few processes related to it frequently went crazy with requests on lsass. These processes could only be seen and killed in the process list.)


On server-edition windowses, lsass may be handling domain logins, so it may be taking a lot of CPU because it can barely keep up with incoming authentication requests (because of, say, an inefficient LDAP server). If so, the high usage is a fact of current software. In some cases the high usage may be a known and resolved bug which can be solved with an update or service pack.

HelpSvc.exe taking all CPU

A bug in the 'Help and Support' service caused it to use all CPU for a few minutes and possibly longer.

There is a hotfix for this, which was also included in at least XP's SP2, and probably others.

An alternative would be to have windows not start the service (set the service to manual start, or disabled).


See also:


SvcHost.exe taking all CPU

Various causes, including....

Windows update


Windows update may fail to start up, and take 100% CPU in the process (continuously, or for a few minutes each time it checks).


Diagnosis: If running
net stop wuauserv
stops the CPU use, this is your problem.


A temporary fix is to disable the service (Right-click My Computer → Management → Services and Applications → Services → )

A better one, if it works, is the correct hotfix for your problem.


See also:





Spurious windows installer starts

When doing seemingly everyday windows interaction (explorer, specific software) you get an installer. Either you have to cancel it a few times before the action goes through, or it seems to last forever.


The thing it is trying to install does not seem to be the cause. It seems to be that you removed something behind the installer's back, which gives the installer some reason to be triggered to do a check - no idea exactly what.


The easiest way to solve this seems to be Microsoft's Windows Installer CleanUp Utility, see:




SIDs

Security IDentifiers (SIDs) identify users, groups, accounts, and also domains themselves.

...not usernames, though SIDs are usually shown as names whenever possible.


This allows everyone within a domain to have unique identities. Note that uniqueness is only possible within domains (and since Win2000 in forests). Windowses not part of a domain generate their own SIDs when new accounts are created, so even two different installations on the same computer will generate different SIDs.


A SID is a variable-length identifier. It must contain:

  • a top-level identifier authority, and
  • one or more relative identifiers (RID). (up to eight(verify))

RIDs allow you to refer to things in the context of the issuer, and of the RIDs that come before. RIDs are 32-bit integers, and may be stored as such in the structs in memory that represent SIDs.

SIDs are often shown as strings, in which the RIDs are shown in radix 10.


A rough overview of the more interesting RIDs follows. Note that most things without domain identifiers are virtual groups - placeholders that qualify users, or not.


  • S-1-5 is the 'NT authority', which contains
    • A good number of system-related and useful pre-defined SIDs (a number of which are placeholders). Includes 'Administrators' group, Guest user, guest group, network/dialup logins, interactive logins, anonymous logins, print/backup/duplication operators, and also references to the SIDs of domain members/clients, and domain controllers. Some of the more interesting ones:
      • S-1-5-32-544: 'Administrators' group
      • S-1-5-32-545: 'Users' group
    • Domain SIDs (RIDs under S-1-5-21 -- or more?, possibly up to S-1-5-31?(verify)), currently 96-bit numbers (3 RIDs), e.g. S-1-5-21-3082338359-1506123309-1605093288
      • User accounts in a domain, e.g. S-1-5-21-3082338359-1506123309-1605093288-3008
      • Pre-set users per domain, like S-1-5-domain-500: domain's Administrator - you can identify the administrator by that 500 even if the name has been changed.

Other notes conflict, noting that Domain SIDs are S-1-5-5-X-Y, where X is the 'domain RID' and S-1-5-5-X the domain SID - and Y is a number that helps domains with multiple PDCs work. TODO: figure that out.


  • S-1-0 is the 'null authority'
    • mostly for S-1-0-0, 'Nobody'
  • S-1-1 is the 'world authority'
    • mostly for S-1-1-0, 'Everybody', a.k.a. 'World'
  • S-1-2 is the 'local authority'
    • mostly for S-1-2-0, 'Local'
  • S-1-3 is the 'creator authority', placeholders that qualify the actual creator:
    • S-1-3-0: creator user
    • S-1-3-1: creator group
    • (S-1-3-2: creator owner server, S-1-3-2: creator group server, obsolete?(verify))


Less used are:

  • S-1-4 is the 'non-unique authority'
  • S-1-9 is the 'resource manager authority'
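As an added example (not from the original notes), the SID structure described above in Python: string to binary and back, plus a lookup of the well-known SIDs and fixed domain RIDs mentioned here. The binary layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then each RID as a little-endian 32-bit integer) is the standard Windows SID structure; the 15-sub-authority cap and the extra RIDs 501/512/513 are facts added here rather than taken from the notes.

```python
"""SID string <-> binary conversion and well-known lookup (added example,
not from the original notes). Layout: revision byte, sub-authority count
byte, 48-bit big-endian identifier authority, then each RID as a
little-endian 32-bit integer. Sample SIDs are the ones quoted in the notes."""
import struct

MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in the Windows headers

WELL_KNOWN = {
    "S-1-0-0": "Nobody (null authority)",
    "S-1-1-0": "Everyone / World",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner",
    "S-1-3-1": "Creator Group",
    "S-1-5-32-544": "BUILTIN Administrators group",
    "S-1-5-32-545": "BUILTIN Users group",
}
# Fixed RIDs every domain hands out; they survive account renames.
# 500 is from the notes; 501/512/513 are added here.
DOMAIN_RIDS = {500: "domain Administrator", 501: "domain Guest",
               512: "Domain Admins group", 513: "Domain Users group"}


def parse_sid(text):
    """'S-1-5-21-...' -> (revision, identifier_authority, [sub-authorities])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)   # base 0 also accepts the 0x... form used above 2**32
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48:
        raise ValueError(f"bad revision or authority: {text!r}")
    if not 1 <= len(subs) <= MAX_SUB_AUTHORITIES or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError(f"bad sub-authority list: {text!r}")
    return revision, authority, subs


def sid_to_binary(text):
    """Pack a SID string into the byte layout Windows stores in memory/ACLs."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def binary_to_sid(blob):
    """Unpack the byte layout back into the S-R-A-... string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError(f"SID blob length {len(blob)} does not match count {count}")
    authority = int.from_bytes(blob[2:8], "big")
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), auth_text, *map(str, subs)])


def describe(text):
    """Name a well-known SID, or explain the parts of a domain SID."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    _rev, authority, subs = parse_sid(text)
    # NT authority, 'domain' RID 21, then the 96-bit (3 RID) domain identifier
    if authority == 5 and subs[:1] == [21] and len(subs) in (4, 5):
        domain = "-".join(["S-1-5-21", *map(str, subs[1:4])])
        if len(subs) == 4:
            return f"domain identifier {domain}"
        rid = subs[4]
        what = DOMAIN_RIDS.get(rid, f"account with RID {rid}")
        return f"{what} in domain {domain}"
    return "not a well-known SID"


if __name__ == "__main__":
    for sid in ["S-1-5-32-544", "S-1-5-21-3082338359-1506123309-1605093288",
                "S-1-5-21-3082338359-1506123309-1605093288-500",
                "S-1-5-21-3082338359-1506123309-1605093288-3008"]:
        print(f"{sid:50} {sid_to_binary(sid).hex():40} {describe(sid)}")
```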


See also:



Windows connection limits

Errors like:

  • (EventID 4226) TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
  • (EventID 2022) The server was unable to find a free connection number times in the last number seconds.

...seen in the Event Log (System log).


The cause is one of various windows limits:

  • concurrent incomplete (half-open, SYN_SENT(verify)) outbound TCP connection attempts
    • In WinXP:
      • (change since SP2?)
      • 5 per second for WinXP home
      • 10 per second for WinXP pro
    • Vista somewhere between 2 and 25 depending on variation (verify)
    • Disabled in Windows Server (by default; can be enabled); 10 if enabled (verify)
  • total inbound connections (any state?(verify))
    • 5 per second for WinXP home
    • 10 per second for WinXP pro, NT workstation


These are mostly settings, although most are baked into drivers for specific windows variations.


Rate limits are handled via a queue that is handled according to this rate. If your real usage is above this limit, e.g. a file server with more clients, then these imposed limits may make your services and the host in general seem unresponsive or have spurious dropouts (as it is likely to lead to one of various TCP timeouts on the client side of a connection to this host).



Things that run into such limits:

  • port scanners (and some other security tools)
  • malware
  • basic personal file sharing on a medium-size network
  • peer to peer networking, most commonly peer to peer file exchange
  • on occasion, personal security tools (e.g. firewalls)

The outgoing limit seems to be justified by MS as a means to limit the speed of malware spreads. This seems relatively nonsensical, since the spread will be exponential regardless of any local limit, and a user isn't actually notified so will likely be infected long enough to play a real part in such distribution.

That said, there are other, sensible reasons for this limit.



See also:

Software Protection Service