Event ID 4227

Warning: Before making any registry changes or system change make sure you have backed up you system and registry.

The issue:

Log Name:      System
Source:        Tcpip
Date:          12/2/2013 11:52:26 AM
Event ID:      4227
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxx
TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.

The fix:

  • First use TCPview or netstat to view how many ports and connections are in use

Fix 1:

You can check the registry and via the command line to see the dynamic port pool size. And change it as need be.

To do it via registry key view HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort and see what that value is set to. Note this key might not exist you can create it if need be. http://technet.microsoft.com/en-us/library/cc938196.aspx. To do this as command line “netsh int ipv4 show dynamicport tcp” you can see more examples at http://support.microsoft.com/kb/929851/en-us if you are running out of ports you can use the command to increase the pool or change the reg key to complete this task.

Fix 2:

This might also be caused by the connection wait delay, if you have this problem you will find lots of connections in a time_wait status in TCPview or netstat.

If this is your problem you can adjust the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay http://technet.microsoft.com/en-us/library/cc938217.aspx to resolve this issue. Note again this key might not exist


Additional helpful link:


large system volume information folder

The problem:

A very large “system volume information” folder at the root of one of your windows drives. My issues turned out to be shadow copies from C drive stored on D. And D was low on space.

More Information:


The fix (for VSS/volume shadow copies):

  1. Checked the volume shadow copies and they where disabled on both C and D (but C drive listed 90GB used on D drive)
  2. As they where disabled to run in the first place (my guess is my backup software created them)
  3. I stopped “volume shadow copy” service
  4. Start “volume shadow copy” service
  5. Checked shadow copies and reported 0 used for both C and D drive.


If you need to perform this on windows past 2003 view http://blog.itprohelp.com/2010/04/system-volume-information-folder-it.html

Windows User profiles

This is going to be a mixed topic about user profile management.

Note: never delete a user profile out of Documents and Settings or Users. This will only remove the profile’s data, but not its information in the registry. This will cause errors later like unknown profiles.

How to correctly remove Windows profiles

  1. Open System in Control Panel.
  2. On the Advanced tab, under User Profiles, click Settings.
  3. Under Profiles stored on this computer, click the user profile you want to delete, and then click Delete.

Automated way to remove profiles

  • Use command line tool “delprof.exe”, works great for a terminal server’s with hundreds of profiles.
  • Tool can be downloaded from Microsoft https://www.microsoft.com/en-us/download/details.aspx?id=5405
  • You can find some good scripts as well just make sure they delete the registry data for the profile as well.

How to delete profiles with “NTUSER.DAT in use

  1. Make sure the user is not logged in
  2. reboot system, if reboot did not unlock ntuser.dat move on
  3. download “User Profile Hive Cleanup Service” from Microsoft https://www.microsoft.com/en-us/download/details.aspx?id=6676
  4. install
  5. reboot
  6. ntuser.dat should no longer be in use.
  • Note: this sometimes will also clean up profiles listed as unknown
  • Note: most “unlock” utilities will not unlock this .dat file.

How to hide unwanted accounts from windows login screen

How to hide a windows account from the login screen list

NOTE: Make sure your system is backed up before making changes to your registry!

  1. From Run launch regedit.exe
  2. Move to key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList” NOTE: that most likely SpecialAccounts and UserList will not be there so just create two new sub-keys.
  3. Under UserList create a new DWORD (32bit) Value, and name it the userID of the account you want hidden (this is not the display name)
  4. Make sure the value is set to 0 (this should be the case by default)
  5. To enable the account again just change the value to 1
  6. Log off or restart for this setting to take effect.

RDP Black screen/console black screen or parts black windows 2003

The Problem:

We have had some Windows 2003 systems logon screens turn black no more gray background or the username and password fields turn from white to black so you can’t see what your typing (this effects RDP and the console). They all still work if you can find them. As with the screenshot below you can see the problem is a nuisance.

Windows login black colors

The Fix:

Note: Always make a backup of your system before changing the registry.

  1. on a working windows 2003 system
  2. open regedit
  3. connect to remote registry
  4. navigate to HKEY_USERS\.DEFAULT\Control Panel\Colors (on the effected system)
  5. create a export of the current key
  6. go to the working system
  7. create a export of HKEY_USERS\.DEFAULT\Control Panel\Colors
  8. import the working registry settings to the remote registry system that is effected by the black screen
  9. Reboot the effected system the color should be restored now.

Additional details can be found http://support.microsoft.com/kb/906510 as well

What the registry settings should be by default:

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Colors]
“ActiveBorder”=”212 208 200”
“ActiveTitle”=”10 36 106”
“AppWorkSpace”=”128 128 128”
“Background”=”102 111 116”
“ButtonAlternateFace”=”181 181 181”
“ButtonDkShadow”=”64 64 64”
“ButtonFace”=”212 208 200”
“ButtonHilight”=”255 255 255”
“ButtonLight”=”212 208 200”
“ButtonShadow”=”128 128 128”
“ButtonText”=”0 0 0”
“GradientActiveTitle”=”166 202 240”
“GradientInactiveTitle”=”192 192 192”
“GrayText”=”128 128 128”
“Hilight”=”10 36 106”
“HilightText”=”255 255 255”
“HotTrackingColor”=”0 0 128”
“InactiveBorder”=”212 208 200”
“InactiveTitle”=”128 128 128”
“InactiveTitleText”=”212 208 200”
“InfoText”=”0 0 0”
“InfoWindow”=”255 255 225”
“Menu”=”212 208 200”
“MenuText”=”0 0 0”
“Scrollbar”=”212 208 200”
“TitleText”=”255 255 255”
“Window”=”255 255 255”
“WindowFrame”=”0 0 0”
“WindowText”=”0 0 0”

Windows Print queue status offline

I had a painful printer the other day that was listing its queue status as offline, after troubleshooting it to find out is was online was a big pain. I would ping the printer IP address but the queue listed as offline. So I restarted the printer spooler no help. The solution was a miss configuration in the printer port that was created by someone else.

  1. So go to the printer queue on your print server or from print management
  2. Click ports
  3. Configure port
  4. (helpful to take a screenshot of current settings) try to enable/disable SNMP status and update the protocol to see if that fixes your status.

Mine was the SNMP status it was enabled and was telling the queue it was down.

Print Server was windows 2003