Explaining Close_Wait

•March 9, 2010

I have been working with a customer recently who has a print server whose spooler has been crashing after a third-party service running on it locked up, froze and fell over.

One of the signs it was about to fall over was seeing lots and lots of sockets in the CLOSE_WAIT state when running the following command against the server:

netstat -an

Example output below: [image: netstat2]

So what do the “State” values actually mean, and what is the significance of CLOSE_WAIT?

Understanding the TCP sequence of steps for socket closing

A TCP conversation is a sequence of steps between ports and sockets, and you need to understand that sequence to troubleshoot it and carry out root cause analysis. This was an excellent blog that explains the TCP socket conversation very well.


Also see below for the explanation of the different states sockets can enter into as part of that conversation.

State Description


Indicates that the server has received an ACK signal from the client and the connection is closed

Indicates that the server has received the first FIN signal from the client and the connection is in the process of being closed

So this essentially means that this is a state where the socket is waiting for the application to execute close().

A socket can stay in the CLOSE_WAIT state indefinitely until the application closes it.
Faulty scenarios include a file descriptor leak, or a server not executing close() on the socket, leading to a pile-up of CLOSE_WAIT sockets.

Indicates that the server received the SYN signal from the client and the session is established

Indicates that the connection is still active but not currently being used

Indicates that the client just received acknowledgment of the first FIN signal from the server

Indicates that the server is in the process of sending its own FIN signal

Indicates that the server is ready to accept a connection

Indicates that the server just received a SYN signal from the client

Indicates that this particular connection is open and active

Indicates that the client recognizes the connection as still active but not currently being used

So the explanation for a CLOSE_WAIT situation is as below:

CLOSE is an operation meaning "I have no more data to send"; that is, the client/server has chosen to treat CLOSE in a simplex fashion. The user who CLOSEs may continue to RECEIVE until he is told that the other side has CLOSED also. Thus, a program/application could initiate several SENDs followed by a CLOSE, and then continue to RECEIVE until signalled that a RECEIVE failed because the other side has CLOSED. We assume that the TCP will signal a user, even if no RECEIVEs are outstanding, that the other side has closed, so the user can terminate his side gracefully. A TCP will reliably deliver all buffers SENT before the connection was CLOSED so a user who expects no data in return need only wait to hear the connection was CLOSED successfully to know that all his data was received at the destination TCP. Users must keep reading connections they close for sending until the TCP says no more data.
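The pile-up described above can be spotted by grouping CLOSE_WAIT sockets by local port and owning process, which points at the application that is not calling close(). The PowerShell below is an added example, not part of the original post; the function names, the sample netstat lines (including port 515 and PID 2140) and the threshold are constructed for illustration.

```powershell
# Added example: summarise netstat output and flag CLOSE_WAIT pile-ups.
# Function names, sample lines and threshold are constructed for illustration.

function ConvertFrom-NetstatLine {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # TCP rows: Proto  Local  Foreign  State  [PID]. UDP rows have no state and are skipped.
        if ($l -match '^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)(?:\s+(\d+))?\s*$') {
            $local = $Matches[1]
            [pscustomobject]@{
                # Port is whatever follows the last colon (works for IPv4 and [IPv6]).
                LocalPort = [int]$local.Substring($local.LastIndexOf(':') + 1)
                Remote    = $Matches[2]
                State     = $Matches[3].ToUpper()
                OwningPid = $Matches[4]   # $null when netstat was run without -o
            }
        }
    }
}

function Find-CloseWaitPileUp {
    param([string[]]$NetstatLines, [int]$Threshold = 3)
    ConvertFrom-NetstatLine -Line $NetstatLines |
        Where-Object { $_.State -eq 'CLOSE_WAIT' } |
        Group-Object LocalPort, OwningPid |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                LocalPort = $_.Group[0].LocalPort
                OwningPid = $_.Group[0].OwningPid
                CloseWait = $_.Count
                # Distinct peer addresses whose FIN the application has not yet answered with close()
                Peers     = ($_.Group | ForEach-Object { $_.Remote -replace ':\d+$', '' } |
                             Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample in the layout of "netstat -ano" on Windows.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    0.0.0.0:515            0.0.0.0:0              LISTENING       2140'
    '  TCP    10.0.0.5:515           10.0.0.21:49211        CLOSE_WAIT      2140'
    '  TCP    10.0.0.5:515           10.0.0.21:49212        CLOSE_WAIT      2140'
    '  TCP    10.0.0.5:515           10.0.0.34:50877        CLOSE_WAIT      2140'
    '  TCP    10.0.0.5:445           10.0.0.40:51002        ESTABLISHED     4'
    '  UDP    0.0.0.0:161            *:*                                    1088'
)
Find-CloseWaitPileUp -NetstatLines $sample | Format-Table -AutoSize
```

On a live server, pass `(netstat -ano)` as `-NetstatLines` and raise `-Threshold` to suit the normal connection volume; the PID column can then be matched to a service with `tasklist /svc`.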

 Adjusting Registry Settings

Registry keys to look at which can sometimes help to configure and adjust this conversation.




TCP Connection States and Netstat Output




• MaxUserPort

This entry makes more ports available. 

• TcpTimedWaitDelay

Reducing this value from its default setting of 240 seconds will make ports expire sooner. This parameter determines the length of time that a connection stays in the TIME_WAIT state when it is being closed. While a connection is in the TIME_WAIT state, the socket pair cannot be reused. This is also known as the 2MSL state because the value should be double the maximum segment lifetime on the network. See RFC 793 for more details. 


Powershell script to help check WMI setting has been configured

•February 27, 2010

We all know how powerful PowerShell is, so it is great to highlight an example of where it was shown to be very effective and really quick to create a positive result.

Recently I highlighted an issue that affected 2003 Domain Controllers, which caused high CPU on WMIprvse.exe due to a memory leak in dnsprov.dll.


Well, with the customer I work with, we implemented the change across the entire estate and wanted to check and verify whether this change had been implemented successfully.

One of the guys I was working with had recently attended a Premier workshop on PowerShell and was eager to try out PowerShell instead of the VBScript that I had put together.

The PowerShell script is as below. It checked all the domain controllers to verify that DNSPROV.DLL is now running within its own isolated wmiprvse.

Powershell line to check DNS shared provider on DCs (note WMI query requires admin rights)

$DCs = [ADSI]'LDAP://OU=Domain Controllers,DC=ABC,DC=DEF,DC=Local'; $wmi = foreach ($DC in $DCs.psbase.get_children()) { gwmi -namespace Root\MicrosoftDNS -class __Win32Provider -computer $DC.Name }; $wmi | ft __SERVER,HostingModel -au

So if you are applying the workaround mentioned in my previous blog, please use this PowerShell script to check that it has been applied across your environment. It certainly worked a treat in our case. Plus, my customer colleague was pleased as punch that he could immediately apply his knowledge from the course. He now has bragging rights as the resident PowerShell guru :).

Ladies if you are interested in a Career at Microsoft read on

•February 12, 2010


8th of March 2010

Hi Everyone,

I have just come back from a busy week in Amsterdam and my colleague Charna Westerhold has given me some more details about an exciting event I am taking part in. The event is entitled

No Boundaries Only Unlimited Potential!

International Women’s Day is a global day celebrating the economic, political and social achievements of women past, present and future.

Annually on 8th March, thousands of events are held throughout the world to inspire women and celebrate achievements. A global web of rich and diverse local activity connects women from all around the world ranging from political rallies, business conferences, government activities and networking events.

Microsoft Services will be celebrating International Women’s day by holding an International event to talk about why Diversity and Inclusion is a priority for our business and why here at Microsoft there are no Boundaries only unlimited Potential.


  88 countries, 44 languages, the latest
  technology, and 54 million customer
  touch points per year.


On the 8th March join us to explore a career with no boundaries, only unlimited potential. Learn why Diversity and Inclusion is one of Microsoft's top priorities through online presentations and webcasts. Participate in online chats with company representatives. Times to be announced shortly. To find out more please visit: http://www.careernomics.com/microsoft

Microsoft Services is the consulting, technical support, and customer service arm of the world’s leading software company. The Microsoft Services professional helps customers and partners discover and implement high-value Microsoft solutions that generate rapid, meaningful, and measurable results.

Safer Internet Day 9th February 2010

•February 8, 2010




Being a Mum of two young boys who avidly use Facebook, MSN, online gaming and mobile phones, I am very aware of the importance of keeping them safe online and clear about what to do if they feel uncomfortable in any way. On the 9th of February Microsoft are taking part in Safer Internet Day. We have a whole range of volunteers who have been trained by CEOP to train parents and children on how to safely use the Internet.

This year as part of the “Click Clever Click Safe” campaign UKCCIS will be launching a new digital safety code for children– “Zip It, Block It, Flag It”.

Download the CEOP (Child Exploitation and Online Protection Centre) IE8 toolbar Click Clever, Click Safe, Click CEOP add on.



Remember, be informed and be safe. Plus, IMHO, do not let children use the Internet on their own in their bedrooms. Have the computer or laptop in a public family area where you can keep a friendly eye on what is going on.

Also make yourself aware of the language being used. For example:

POS = Parent over shoulder ! 🙂

Great Videos to help you learn Cool Stuff

•February 5, 2010

I was reading an internal newsletter and I found some great information about some great funky videos to help you learn lots about Windows 7 and Office.

These are a little bit different from our normal corporate videos, but I found them cool and informative.


Check them out here http://www.microsoft.com/showcase/en/us/channels/officecasual

Also, I think I must be the only person in the world who has not seen AVATAR yet. I also did not realise how much Microsoft was involved in the making of the movie's special effects! We even get a “special thanks” in the credits :).

Have a great weekend!

Enterprise Domain Controllers Group and Group Policies

•January 31, 2010

A colleague, Mark Empson, and I have been developing a new service entitled GPO Health Check that looks at every aspect of the health of your Group Policies. One of the tests involved was checking for any Group Policies that had only the Read Group Policy Object permission and not the Apply Group Policy permission.

Once this test had run through, we found we had virtually every Group Policy in our test environment registering as having this Read-only permission set against a group called the “Enterprise Domain Controllers” group. On further investigation this proved to be absolutely correct and is the default setting for a Windows 2003, Windows 2008 and Windows 2008 R2 environment.

This Read-only access is required for Group Policy Modeling, which is a feature of the Group Policy Management Console (GPMC) that simulates the resultant set of policy for a particular configuration. The simulation is performed by a service that runs on domain controllers. To perform the simulation across domains, the service must have read access to all Group Policy objects (GPOs) in the forest.

However, an important proviso is associated with this, which I was blissfully unaware of.

If you are upgrading from a 2000 forest to 2008 or 2008 R2, only NEW Group Policies will have this “Enterprise Domain Controllers” permission of Read applied to them. All Group Policies created previously will not have this permission applied to them.

This will be exhibited by the GPMC snap-in informing you that “Enterprise Domain Controllers” does not have Read access to the Group Policy.

To remove this error message all you need to do is use a script to update the Group Policy permissions across your Enterprise.

The details of this script, plus details on how to run it from the command line, are available here.


Well I did not realise the above until just the other day, so another tidbit to store away :).

Changing your Colour Scheme in Office and Outlook 2010

•January 18, 2010

Well, my friend and colleague Justin Zarb showed me something funky in Office 2010 beta today. He was running his installation with a great “Black” colour scheme in Outlook, similar to below:


The way he set this up was to go into Options in Word and choose optimize ribbon.


Then you have a choice of either Black, Silver or Blue.

Note that this affects not only Word but also all the other applications in your Office 2010 suite, including Outlook.

It is funny how the small things like that can make me happy !