
Last Updated: 12/12/2002

Version 1.2.0

High Performance TCP/IP Networking for Windows 2000/XP/2003

This text file is part of Windows 2000/XP/2003 High Performance TCP/IP Package
(HPTP) [13 KB, free GPL]:
http://www.mdgx.com/files/HPTP.ZIP
HPTP consists of 4 text files:
- HPTPREAD.TXT: ReadMe = MUST read first!
- CALCULAT.TXT: Calculations + formulas for TCP/IP registry settings.
- HPTCPIP.TXT: TCP/IP performance, security documentation + how-tos (this file).
- NONREG.TXT: Non-registry Internet + online gaming performance procedures.
______________________________________________________________________________

The Windows 2000 family of operating systems was designed for complete and
fast networking from the ground up. For the most part, Microsoft did a good
job, much better than the sad attempts in the 9x days. However, Windows is not
a hacker's OS and has plenty of room for performance improvement in the TCP
stack. :)
My own experimentation, discovery and the gracious help of those frequenting
DSLnuts.com and SIESystems.com have made this documentation possible.
I have developed what I believe are the ultimate TCP/IP registry settings for
Win2000 systems with a *CABLE* Internet connection.
These settings might not work optimally for DSL users or WinXP users.
These settings work for me, but I cannot guarantee they will work for you.
You may need to do a little experimentation to find the parameters that work
best for you.
In addition to the performance/throughput hacks, here are a few good security
hacks which will make you sleep a bit better at night.

PERFORMANCE/THROUGHPUT SETTINGS

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]

1. DefaultTTL: dword=0x40
Defines the maximum Time-to-Live of an IP packet. This is the maximum
number of hops that a packet may travel before it is dropped. While its
direct effect on TCP/IP performance is a myth, it can save you the trouble
of having to wait for packets that might come *extremely* slowly or not at
all. Values can be between 32 and 128 (decimal), but a good value is
probably 48 or 64.
2. EnableFastRouteLookup: dword=0x1
When routing, allows Windows to use "fast route lookup" mode. This can help
when acting as a router, but won't help much on single-adaptor client
systems. The important point is that enabling it can't hurt. :)
3. EnablePMTUBHDetect: dword=0x0
Controls whether black hole routers are detected. Unless you run into
problems, black hole detection should be disabled as it must be performed
for every new connection and just slows things down.
4. EnablePMTUDiscovery: dword=0x1
Enables path MTU discovery. This means that the TCP stack is able to
dynamically determine the lowest Maximum Transfer Unit (MTU) along a given
data path, enabling data to be sent as quickly and efficiently as possible
due to a reduction in packet segmentation.
5. ForwardBufferMemory: dword=0x24400
Defines how many bytes of memory are used for sending data by default.
6. MaxForwardBufferMemory: dword=0x400000
Sets the maximum memory in bytes that can be used for packet transmission.
7. GlobalMaxTcpWindowSize: dword=0x12890 + TcpWindowSize: dword=0x12890
Sets the global and standard maximum TCP window size. This setting is very
tricky, and you will need to experiment to find your own optimal setting.
As a hint, increasing your TCP window size can speed up connections a
*lot*, but making the window too large will make your connection as slow or
even slower than it is by default. The setting here works for me, but try
it yourself and go from there.
THIS VALUE IS AN EXAMPLE, SEE CALCULAT.TXT ABOUT HOW TO CALCULATE THE
CORRECT MAX TcpWindowSize FOR YOUR INDIVIDUAL CONNECTION!
NOTE: For best performance, my testing has shown that every max TCP window
size registry setting should be set to the same optimal value. Different
settings seem to confuse and slow down the TCP stack.
8. KeepAliveTime: dword=0x927c0
Sets the connection keep-alive time in seconds. The value shown here is 600
seconds (10 minutes). This is a good general value, but it may need to be
higher (such as the default of 7200 seconds) for large servers that serve
distant, high-latency clients worldwide.
9. PerformRouterDiscovery: dword=0x0
Discovers whether or not the TCP/IP stack should try to "discover" routers.
This should be disabled. If the router works, it works, but if it doesn't,
discovering it won't help matters at all. :D
10. PrioritizeRecordData: dword=0x1
When enabled, this setting will force the DNS cache service to sort its
data, resulting in quicker DNS lookups.
11. SackOpts: dword=0x1
Enables "selective acknowledgements". This means that acknowledgement
packets are only transmitted when needed, rather than at an interval.
In some cases this could lead to data corruption over *VERY* damaged
lines, but this is very rare.
12. Tcp1323Opts: dword=0x1
Defines the nature of window scaling and time stamping. A value of 1 is
window scaling only (recommended for best performance), 2 is time stamps
only, and a value of 3 enables both.
Window scaling is required for large TCP receive windows, so it should be
enabled.
Time stamping on the other hand will slow the connection a bit and is very
rarely required, except in certain circumstances. If you don't know what
these circumstances are, then assume that you don't need time stamping.
13. TcpMaxDupAcks: dword=0x3
Controls the number of ACKs (handshake acknowledgements) that must be
initiated before a retransmit of lost data is requested. The value can be
from 1-3, 2 being the default. Setting this parameter to 3 reduces the
number of retransmits required, but can lead to periodic data corruption
over poor quality lines.
14. TcpRecvSegmentSize: dword=0x5b4 + TcpSentSegmentSize: dword=0x5b4
Defines the Maximum Segment Size (MSS) of data packets. Cable and DSL
connections have a Maximum Transfer Unit (MTU) of 1500 bytes, but 40 bytes
are reserved for the header space in every packet, leaving a maximum of
1460 bytes for usable data.
15. FastSendDatagramThreshold: dword=0x1000
Datagrams smaller than this value are allowed to pass through "fast I/O"
and are sometimes buffered. This is beneficial for small amounts of data
in transit.
16. TcpLogLevel: dword=0x1
Determines the logging level of the TCP stack. The default of 16 logs all
"unusual events". This is good if you use the Windows log files, but if
you're lazy like me and don't, because they only seem to catch application
errors and the like, you can safely set logging to its lowest value of 1.
This will log only the most critical errors and won't bother with useless
information that you don't need.
17. TcpTimedWaitDelay: dword=0x1e
Determines the timeout length for TCP connections. After this period the
connection will be dropped, freeing up resources for other connections.
Due to the way the TCP/IP protocol works, the effective timeout value is
actually 2x the TimedWaitDelay value [in this case 60 seconds (1 minute)].
If problems occur, increase this value: the default is 240 seconds.
18. MaxFreeTcbs: dword=0x2000
Sets the maximum number of free TCP Control Blocks (TCBs) reserved for
connections. Each connection requires 1 block, so this also defines the
maximum number of simultaneous connections to the system. The default is
1000 for Win2000 Pro and 2000 for Win2000 Server. This should be more than
sufficient for normal use, but raising it reduces the possibility of dropped
connections due to memory requirements, especially in a server environment
where many concurrent connections are expected.
19. MaxHashTableSize: dword=0x4000
Controls the memory mapping of TCBs. It should be increased if the number
of free TCBs is increased.
20. MaxNormLookupMemory: dword=0x2525a0
Specifies the maximum amount of memory the TCP stack uses for routing
tables. Increasing it can enable the storing of more routes in memory.
21. DisableTaskOffload: dword=0x0
When set to 0, this parameter enables the use of task offloading.
This means that network tasks are first processed on a task-offloading
compatible NIC, freeing up the CPU for other tasks.
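The guide ties items 7, 12 and 14 together without spelling out the arithmetic: the MSS is the MTU minus 40 header bytes, every max window value should be identical, and windows above 64 KB only work with window scaling (Tcp1323Opts bit 0) enabled. The following Python is an added example, not part of the HPTP package or CALCULAT.TXT: it decodes the "dword=0x..." notation used above, checks a set of window values against those three rules, and derives a window from a bandwidth-delay product. The bandwidth-delay rule and the link speed / round-trip inputs are textbook assumptions of this example, not necessarily what CALCULAT.TXT prescribes; the hex literals are the guide's own example values.

```python
"""Sanity checks for the TCP window values in this guide (added example)."""

IP_TCP_HEADER_BYTES = 40      # 20-byte IPv4 + 20-byte TCP header, as stated in item 14
MAX_UNSCALED_WINDOW = 65535   # largest window the 16-bit field holds without RFC 1323 scaling


def mss_from_mtu(mtu: int) -> int:
    """Maximum Segment Size for a given MTU (1500 -> 1460)."""
    return mtu - IP_TCP_HEADER_BYTES


def parse_dword(text: str) -> int:
    """Accept the 'dword=0x5b4' notation used in this guide, or plain hex/decimal."""
    value = text.split("=", 1)[-1].strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def bdp_window(link_kbps: int, rtt_ms: int, mss: int) -> int:
    """Bandwidth-delay product rounded down to a whole number of segments.

    Assumption of this example: window = bytes in flight over one round trip.
    link_kbps*1000/8 bytes per second times rtt_ms/1000 seconds.
    """
    bdp_bytes = link_kbps * 1000 // 8 * rtt_ms // 1000
    return max(mss, (bdp_bytes // mss) * mss)


def check_window_settings(settings: dict, mss: int) -> dict:
    """settings maps registry value name -> int (already decoded).

    Applies the guide's rules: both window values equal, each a multiple of
    the MSS, and window scaling enabled whenever a value exceeds 64 KB.
    """
    windows = {k: v for k, v in settings.items()
               if k in ("GlobalMaxTcpWindowSize", "TcpWindowSize")}
    values = set(windows.values())
    findings = {
        "consistent": len(values) == 1,
        "multiple_of_mss": all(v % mss == 0 for v in values),
        "needs_window_scaling": any(v > MAX_UNSCALED_WINDOW for v in values),
        "scaling_enabled": settings.get("Tcp1323Opts", 0) & 1 == 1,
    }
    findings["ok"] = (findings["consistent"] and findings["multiple_of_mss"]
                      and (not findings["needs_window_scaling"] or findings["scaling_enabled"]))
    return findings


if __name__ == "__main__":
    mss = mss_from_mtu(1500)
    # The guide's own example values from items 7, 12 and 14.
    guide = {
        "GlobalMaxTcpWindowSize": parse_dword("dword=0x12890"),
        "TcpWindowSize": parse_dword("dword=0x12890"),
        "Tcp1323Opts": parse_dword("dword=0x1"),
        "TcpRecvSegmentSize": parse_dword("dword=0x5b4"),
    }
    print("MSS:", mss, "matches TcpRecvSegmentSize:", guide["TcpRecvSegmentSize"] == mss)
    print("Window check:", check_window_settings(guide, mss))
    # Constructed inputs: a 3 Mbps link (the cap quoted in item 23) at 100 ms RTT.
    print("BDP-derived window:", bdp_window(3000, 100, mss))
```

Running it shows that 0x12890 (75920) is exactly 52 segments of 1460 bytes and is large enough to require window scaling, which is why item 12 insists on Tcp1323Opts having bit 0 set; swapping Tcp1323Opts to 2 (time stamps only) makes the check fail.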

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

22. MaxConnectionsPer1_0Server: dword=0x27 + MaxConnectionsPerServer: dword=0x27
These 2 parameters specify the maximum number of connections (39) Internet
Explorer can make to an HTTP/1.0 and HTTP/1.1 server, respectively.
This should give a boost to other programs which are based on or depend on
IE for network connectivity. A good value for DSL or slower cable links is
32 (decimal). The maximum number is 99 (decimal), but a value higher than
about 39 will degrade performance.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]

23. DefaultReceiveWindow: dword=0x5DC00 + DefaultSendWindow: dword=0x8000
Specifies the default send and receive window sizes. For maximum
performance these values should reflect your theoretical maximum download
and upload speeds, as advertised by your ISP. My ISP Cox@Home has a
theoretical transfer limit (or "cap") of 3 Mbps download and 256 kbps
upload.
Contrary to what I said before, it is actually *NOT* a good idea to set
the default send/receive windows to your max TCPWindow value. Instead
refer to CALCULAT.TXT for more info on how to determine what settings
should work for your connection.
THIS VALUE IS AN EXAMPLE, SEE CALCULAT.TXT ABOUT HOW TO CALCULATE THE
CORRECT MAX TcpWindowSize FOR YOUR INDIVIDUAL CONNECTION.
24. InitialLargeBufferCount: dword=0x64 + InitialMediumBufferCount: dword=0x12c
+ InitialSmallBufferCount: dword=0x1f4
Specifies the initial large, medium and small buffer sizes in bytes. When
the default network buffer levels are raised, more memory can be allocated
to network data, improving performance significantly.
25. LargeBufferSize: dword=0xa000 + MediumBufferSize: dword=0x3ac0 +
SmallBufferSize: dword=0x280
These seem to define the maximum network buffer sizes.
26. MaxFastCopyTransmit: dword=0x80
This parameter controls the maximum size of data that uses copy instead of
cached memory on the fast path. Fast I/O is essentially copying data and
bypassing the I/O subsystem, instead of mapping memory and going through
the I/O subsystem. This is advantageous for small amounts of data, but is
neutral when applied to larger quantities.
27. MaxFastTransmit: dword=0x40
This parameter controls the maximum size of data that uses copy instead of
cached memory on the fast path (uses kernel rather than user mode memory
for faster I/O).
28. PriorityBoost: dword=0x00
The priority boost that AFD gives to a thread when it completes I/O for
that thread. The valid range for this parameter is 0-16. Multi-threaded
applications can benefit from a lower setting.
NOTE: The lower the number, the higher the priority (examples):
0 = highest priority
10 = 10th priority
29. TransmitWorker: dword=0x20
This parameter controls how Afd.sys uses system threads. Setting it to
0x10 causes AFD to use system threads to perform I/O that results from a
long (more than 2 SendPacketLength worth of data) TransmitFile request.
Setting it to 0x20 causes AFD to use kernel mode APC for I/O and to
execute everything in the context of the same thread. This can improve
performance by reducing the number of context switches in long
TransmitFile requests.
30. BufferMultiplier: dword=0x200
This setting name is a bit misleading. In reality the BufferMultiplier value
defines what DefaultReceiveWindow and DefaultSendWindow are divided by
to determine how many datagrams can be sent/received before flow control
is applied. The default is 0x200 or 512 (decimal), and it is in all
likelihood the best setting. You may be able to attain better performance
by decreasing this value to 0x100 or increasing it to 0x400, but I highly
recommend the default here. :D

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters]

31. NegativeCacheTime + NegativeSOACacheTime + NetFailureCacheTime +
NetFailureErrorPopupLimit: dword=0x0
By default the Windows 2000/XP/2003 DNS Cache Service will cache all DNS
lookup results, even failures. By setting these values to 0 the DNS cache
will no longer store failed DNS lookups, leaving only valid information
for quick access by the system.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\ServiceProvider]

32. DNSPriority: dword=0x1 + HostsPriority: dword=0x6 + LocalPriority: dword=0x5 +
NetbtPriority: dword=0x8
These settings prioritize various aspects of name resolution. They are
processed from the smallest integer to the largest. Setting the values
shown can improve average web page loading significantly.
Alternatively, some setups attain better page load performance by setting
all 4 above values to dword=0x1. Try both to see which one works best for
you.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]

33. RandomAdaptor: dword=0x1
If you have 2 or more NICs connected to the Internet, you can improve
performance by enabling load balancing between them with this reg entry.

SECURITY SETTINGS

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters]

1. QueryIpMatching: dword=0x1
Controls whether the DNS server used by the DNS Resolver Cache Service is
compared to the DNS response for a given address. This is a simple way to
detect and reject DNS server spoofs.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]

2. SynAttackProtect: dword=0x2
Helps prevent TCP_SYN "denial of service" (DoS) attacks by reducing the
retransmissions of the TCP stack and suspending the connection until a 3
way handshake is performed.
TcpMaxHalfOpen: dword=0x64 (2x value for 2k Server)
This controls the number of connections in the SYN-RCVD state allowed
before SYN-ATTACK protection begins to operate.
TcpMaxHalfOpenRetried: dword=0x32 (2x val for Win2000 Server)
Defines how many connection retries are allowed before SYN-ATTACK
protection kicks in.

3. EnableDeadGWDetect: dword=0x0
When disabled, prevents Windows from looking for a secondary gateway if the
first fails. In home networks or business networks with only 1 gateway,
this prevents a malicious user from redirecting connections from your
gateway to another system on the LAN or Internet.

4. EnableICMPRedirect: dword=0x1
Defines whether ICMP_REDIRECT is enabled. In rare cases this can be
exploited in a DoS attack, but is required for most LAN networking. Only
disable this function if you own a home computer connected directly to the
Internet with no other networking going on.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]

5. AutoShareWks: dword=0x0 (Windows NT4 Workstation/2000 Pro/XP/2003) +
AutoShareServer: dword=0x0 (Windows NT4 Server/2000 Server/2003 Server[?])
These parameters disable "auto-sharing" of drives (e.g. C$ etc). This helps
reduce the chances of system compromise.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]

6. RestrictAnonymous: dword=0x1
Defines the restrictions imposed on "anonymous" or "guest" users of the
system. The default of 0 imposes no restriction, 1 imposes the denial of
SAM (Security Account Manager) info and a value of 2 denies access without
explicit permission. Unless you know what you are doing, a value of 1 is
recommended.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]

7. DisableAddressSharing: dword=0x1
Prevents processes from sharing addresses, assuring that sockets opened by
an application cannot be stolen by another process. This could be exploited
by data gathering or trojan horse programs. If you run into problems,
especially with older applications, disable this feature:
DisableAddressSharing=0
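A practical way to verify that the seven security settings above are actually in force on a machine is to export the relevant keys with regedit (or reg export) and compare the text against the recommended values. The following Python is an added example, not part of the HPTP package: it parses the .reg export format, looks up each value from the SECURITY SETTINGS list, and reports anything missing or different. The baseline table repeats the values given in items 1 through 7; the .reg text embedded in the block is constructed sample input, not an export from a real system, and it deliberately omits some values and sets EnableDeadGWDetect to 1 so that the audit has something to report.

```python
"""Audit a .reg export against the guide's security settings (added example)."""
import re

# Expected values, copied from the SECURITY SETTINGS entries of this guide.
BASELINE = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters": {
        "QueryIpMatching": 1,
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters": {
        "SynAttackProtect": 2,
        "TcpMaxHalfOpen": 0x64,
        "TcpMaxHalfOpenRetried": 0x32,
        "EnableDeadGWDetect": 0,
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA": {
        "RestrictAnonymous": 1,
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters": {
        "AutoShareWks": 0,
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters": {
        "DisableAddressSharing": 1,
    },
}

_KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Path]
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000001


def parse_reg_export(text: str) -> dict:
    """Return {key_path.lower(): {value_name: int}} for the dword values in a .reg file.

    Registry key paths and value names are case-insensitive, so keys are
    lower-cased here and value names are compared case-insensitively in audit().
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(reg_text: str, baseline: dict = BASELINE) -> list:
    """Return (key, value_name, expected, actual) for every deviation; actual is None if absent."""
    exported = parse_reg_export(reg_text)
    findings = []
    for key, values in baseline.items():
        present = {n.lower(): v for n, v in exported.get(key.lower(), {}).items()}
        for name, expected in values.items():
            actual = present.get(name.lower())
            if actual != expected:
                findings.append((key, name, expected, actual))
    return findings


# Constructed sample export (not from a real machine): two keys present,
# TcpMaxHalfOpenRetried missing, EnableDeadGWDetect left at 1.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"EnableDeadGWDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"RestrictAnonymous"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE_EXPORT):
        state = "missing" if actual is None else f"is {actual:#x}"
        print(f"{key}\\{name}: expected {expected:#x}, {state}")
```

On the sample input the audit lists five deviations: QueryIpMatching, TcpMaxHalfOpenRetried, AutoShareWks and DisableAddressSharing are absent, and EnableDeadGWDetect is 1 where the guide wants 0. Values not present in the export are reported as missing rather than assumed to be at their defaults, since a default can differ between Pro and Server editions (see item 2).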

NON-NETWORK SECURITY SETTINGS

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]

1. ClearPageFileAtShutdown: dword=0x1
Forces a cleaning of the swap file at shut down. This eliminates the
possibility that the swap file contents can be read by a malicious user.
It may also have the (unconfirmed) benefit of keeping your swap file
contiguous at each boot.
NOTE: your shut down/restart time might be increased by a few seconds with
pagefile clearing enabled.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\]

2. RestrictGuestAccess: dword=0x1
Prevents access to the system logs by guest users. Malicious users could
use your log file info to find vulnerabilities.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\]
(WinNT4/2000)

3. ProtectionMode: dword=0x1 (WinNT4) + KnownDLLs: dword=0x1 (Win2000)
On WinNT4 + Win2000 this prevents the presence of the "Known DLLs Cache",
which can be read and exploited by crackers. No performance is lost by
disabling the DLL cache.

MISC. NETWORKING SETTINGS

Settings and parameters in this section are not directly tied to the
performance and security categories above: they may relate to both security
AND performance, or to neither.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ipsec]

1. EnabledOffload: dword=0x1
Enables IPSec task offloading for Ethernet cards which support this feature.
Task offloading hands a feature (in this case IPSec or "IP Security") to
the device responsible for it directly, leaving the CPU to perform other
tasks. If you use IPSec and have a compatible card, this can speed things
up a bit, but do not attempt to enable this if you do not use IPSec.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace]

2. Deleting the {D6277990-4C6A-11CF-8D87-00AA0060F5BF} registry subkey will
prevent the checking of scheduled tasks on Win98/ME machines by your
Win2000/XP/2003 machine, therefore making network share browsing much
faster.
______________________________________________________________________________
© 2002 Andrew D. Bourdon - GNU General Public License (GPL):
http://www.gnu.org/licenses/gpl.txt
