Windows Vista and Scalable Networking

Over a year ago, I explored an issue of Windows Vista and its problems with using default networking settings relevant to Windows Scaling. The first known problem with Windows Scaling was an exciting networking option called Receive Window AutoTuning, which became a problem when an older router was in use.

Besides AutoTuning, which is a problem with older routers, there are two additional networking options - TCP Offload ("Chimney") and Receive-side Scaling ("RSS"), which are a similar problem with older networking adapters. If your computer suffers from symptoms similar to the well known MTU setting problem, and you get no relief from disabling RWin AutoTuning, consider disabling TCP Offload and Receive-side Scaling.

In a Vista command window (Run as Admin), enter

netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled

TCP Chimney Offload takes a portion of the TCP/IP network stack, currently run on your computer as part of the Windows operating system, and runs it in a dedicated processor on a TOE capable network adapter. Less work for the operating system + processing as part of the physical networking adapter = better performance.

Receive-side Scaling allows processing of incoming network traffic to be properly run on a multi-processor computer, by ensuring that all packets from a single TCP network connection are consistently processed by the same processor. All incoming packets for each TCP connection processed by the same processor = packets never getting out of sequence, which can be a problem otherwise with multiple processors. Obviously, you'll need a multiple processor system, to get any benefit here.

Try Internet access with TCP Offload and Receive-side Scaling disabled, and see if network performance improves. If it does, see if you can upgrade or replace your network card with one that is TOE capable, which was stated to cost $25 - $50 earlier this year. Once you have the right network hardware, or if the above change doesn't provide any relief from your symptoms, you can re enable TCP Offload and Receive-side Scaling

netsh interface tcp set global chimney=enable
netsh interface tcp set global rss=enable

If you do see a bandwidth improvement and / or network utilisation drop after enabling chimney and / or rss, restart the system. You may see still more improvement after restarting. Use of proper tools for objective measurement of bandwidth and network utilisation, access to high speed Internet service, and use of high bandwidth network applications like streaming video, will make the success of this change a bit easier to assess.

Besides Scalable Networking, look at other possible problems with Windows Vista Networking Innovations, in Windows Vista and Explicit Congestion Notification.

For more details about this issue, see

• Dana Epps Find your bandwidth in Vista really slow?
• Microsoft The Cable Guy Microsoft Windows Server 2003 Scalable Networking Pack Overview
• Microsoft TechNet New Networking Features in Windows Server 2008 and Windows Vista
• Smallvoid NDIS 6 hardware features that increases network performance

Windows Vista, and Network Location Awareness, With Multiple Network Adapters

Some owners of laptop computers, running Windows Vista, are reporting an inaccurate network status indicator when the computer is first started, and connected to the network.

When a Vista computer is started, the network status indicator - the little globe icon in the tooltray - will indicate "Local Only" status. If you go ahead and start a browser, or other Internet client component, you'll get a connection, but it may be very slow for a while. Eventually, the network status indicator will change to show "Local and Internet", and connectivity will return to normal.

This is a problem with the Network Connectivity Status Indicator (NCSI) component of the Network Location Awareness (NLA) service, and how it determines Internet connectivity when there is no active network traffic. Even if the NLA is able to verify Internet connectivity, when there is more than one network adapter on the computer, NLA can't determine which adapter has connectivity, so NCSI shows all adapters as being connected locally only. This is a problem when connectivity is through a router, and a DNS probe is used to determine connectivity.

Many late model (which is what you would want running Vista, after all) computers have an IEEE 1394 (Firewire) port. Similar in function to USB (but receiving less consumer support), a 1394 Firewire port is supported as a network adapter in many desktop and laptop computers. If your desktop or laptop computer has the problem with "Local Only", and it has only one network adapter, run "IPConfig /all", and examine the log.

If you see an entry for "IEEE 1394", this could be a problem. You can disable this device from the Network wizard (called in Windows XP, "Network Connections"), or using the Device Manager under System Properties, if you don't intend to use a 1394 network. Not a lot of us use (or intend to use) 1394 networking.

Firewire is the best known alternative networking adapter, which is part of what is being called Personal Area Networking (PAN). Two other possibilities include InfraRed and USB.

Another possible contribution to the problem would be the IPV6 Tunnel adapters. You may get relief from the problem by (KB929852): disabling IPV6.

Microsoft Help and Support: (KB947041): The network connectivity status incorrectly appears as "Local only" on a Windows Server 2008-based or Windows Vista-based computer that has more than one network adapter describes the problem in more detail, and should eventually identify a solution.

>> Top

Online Analysis Of Suspicious Websites

One of the neatest ways to distribute malware nowadays is by serving it from a web site. Why push malware by files to the victims computer - just put the bad stuff on your web site, and entice the victim to surf there. If he does so, intentionally, he's more likely to trust you, and badda bing, download your malware to his computer.

The classic way of protecting us from malicious web sites was stopping us from surfing there, generally using Hosts file based web site blocking.

Besides web site blocking, and malware protection (both active and passive) on your computer, you need malware scanning of any web site that you access. And what better way to do this than by using the power of the web?

• AVG / Exploit Prevention Labs provides LinkScanner, which can be accessed as a browser add-on or queried online. LinkScanner does a live scan on Google, Yahoo and MSN search results, rather than querying a database of previous scan results.
• FireTrust provides SiteHound, which can be accessed as a Firefox or Internet Explorer toolbar.
• McAfee provides Site Advisor, which can be accessed as a Firefox add-on, or queried online. SiteAdvisor has an accumulated database, a web site popularity meter ("nitecruzr.net" shows a 2 of 4 - "some users"), plus does real-time evaluation when requested. They also accept comments from site readers, and from site owners.
• A partnership between top academic institutions, technology industry leaders, and volunteers provides StopBadware.org, which feeds the Google search engine results pages. Google uses the StopBadware database, and accepts input by site owners through Google Webmaster Tools.
• Symantec provides Norton SafeWeb, which appears to be intended as a plugin to a Norton security suite, though it does provide for web based queries. SafeWeb accepts comments from site readers.

So there are choices. Try them, and see which one suits your needs to the best degree.

---

(Update 2009/09/18): Today, we note a significant increase in vigilance.

---

>> Top

Event ID 2021 Caused By IRPStackSize Problem

Microsoft, in their article (KB317249): How to troubleshoot Event ID 2021 and Event ID 2022, provides a fairly robust assortment of diagnostics, for us to run when we see an "Event ID 2021" or "Event ID 2022" in our System Event Log.

The KnowledgeBase article advises us

Event 2021 is logged when there is accumulation of work items in the server service. But you must understand that the most common cause of the accumulation of work items in the server service is because the disk subsystem does not keep up with the number of requests.

Nowhere, however, does the article mention a very commonly known problem in Windows Networking, the IRPStackSize error. Yet, in one case presented in Windows XP Networking and the Web: Mapped file share unavailable within seconds, the problem mentioned was resolved in that well known way

I solved this problem by further increasing IRPStackSize, to 45 decimal ...

We should note that the KnowledgeBase article mentioned above was purposed for server operating systems, not stated to include Windows XP Home. But in this case, the client found the content of the article sufficiently interesting that he was motivated to increase IRPStackSize, and thus reached his solution.

>> Top

Windows Vista And The Network Map

Most of us who have computers in our homes also have Internet service (what else is the computer for anyway?). Many of us who have computers have more than one computer, and some of us who have more than one computer need a network management product, like The Dude (what a name for something priced so nicely) to keep track of our computers.

Auto discovery, which automatically generates a graphical display and inventory of the computers on the network, is an expected feature in many network management products like The Dude. Now Auto Discovery is a built in feature of our favourite new operating system, Windows Vista. One of the shiniest features of Windows Vista is The Network Map - its ability to show you a semi graphical display of all of the computers, routers, and switches on the network.

The Network Map uses a new protocol - Link-Layer Topology Discovery (LLTD). Regardless of what firewalls, or other hardware or software protective devices we have on our network, LLTD discovers all devices connected. LLTD has basically the same strengths and weaknesses as other well known alternate protocols IPX/SPX and NetBEUI (neither of which are available for Vista).

• Regardless of what Windows Networking protocol you're using - IP, IPX/SPX, or NetBEUI, LLTD will show you a map of all computers running Windows Vista and Windows XP (when equipped).
• Regardless of what firewalls or routers you may have setup to segment your network, and protect some computers from others, LLTD will pass through to each segment, and will inventory all computers on the segment.
• Regardless of whether LLTD shows you a computer, you won't necessarily have the ability to access that computer, or even determine its network address, for Windows Networking.

The Network Map presents additional challenges.

• It is only available on Windows Vista (and Windows XP, with (KB922120): the optional LLTD Responder).
• Its availability, and the fact that "it simply works", can cause confusion among computer owners, who can't get Windows Networking to work, when a Windows Vista computer is installed.
• People confuse the Network Map with the "Network" wizard (previously known as Windows Explorer in Windows XP and previous Windows editions), which provides a similar functionality, but will display different information.

It's a great tool, but you need to be aware of its limitations.

>> Top