Heya folks, Ned here again. A few customers have reported this known issue on Windows 11 machines & you may see this event at boot up and perhaps occasionally afterwards. In the Event Log, in the Sys...
Updated Nov 07, 2022
Version 4.0
Blog Post
Hi all,
It keeps happening after my last post.
If you don't know what you are doing and how to interpret the logs and/or information relayed in this post, probably it's a good idea to do not do anything and get in touch with Microsoft directly.
This is far and beyond of what a normal user would do to troubleshoot the issue and find out the root cause, but it's the only thing I am left with, after nothing of the below resolved the issue:
- In-place upgrade to repair any OS corruption
- Runnig SFC and DISM to repair any OS corruption
- Registry settings and GPO to disable NetBIOS and LLMNR resolution
- Power saving settings on the adapters
- Updating chipset and network drivers
- Applying the latest Windows updates
- Resetting the Winsock and the TCP stack (netsh int ip reset & netsh winsock reset, also from the settings menu)
- Resetting and flashing again the firmware on the router
- Renaming the computer
From event viewer (System log, filter on event ID 2505), I was able to work out which are the adapters experiencing the issue, but be aware it can be any or all adapters:
The powershell command to view all the network adapters properties (left on the screenshot) is:
Get-NetAdapter | Select * | Out-GridView
This helped me to identify a lot of Hyper-V adapters, so I made sure to remove the following features from Programs/Turn Windows Features On or Off:
- Hyper-V
- Microsoft Defender Application Guard
- Virtual Machine Platform
- Windows Hypervisor Platform
- Windows Sandbox
- Windows Subsystem for Linux
Furthermore, I've removed the following apps installed from the Microsoft Store:
- Windows Subsystem for Linux Preview
- Amazon App Store
- Windows Subsystem for Andorid (I think it's installed with the Amazon Appstore, couldn't find it on the store)
I am now monitoring again and have enabled the following monitoring solution (event ID 2505 is usally preceded by ephmeral port exhaustion event):
https://docs.microsoft.com/en-us/archive/blogs/clinth/detecting-ephemeral-port-exhaustion#:~:text=If%20you%20suspect%20ephemeral%20port%20exhaustion%2C%20then%20consider%20running%20the%20following%20Powershell%20script%20called%20%E2%80%9CLog%2DEphemeralPortStats.ps1%E2%80%9D%20at%0Ahttps%3A//1drv.ms/f/s!AhuJirRUDDbmkotkPocbTrN0wgKB7Q
While the solution is running, it consumes about 0.4% CPU (i9-9900x) and about 0.1 MB RAM.
You can use the supplied script as it is, but in my experience I had to:
- Unblock the files before extracting them:
- Run the .bat file as adminsitrator to copy the files and create the schduled task:
- Find the task in Task Scheduler and change the arguments to
-ExecutionPolicy Bypass -File C:\WINDOWS\Tools\Log-EphemeralPortStats.ps1 -OutputFilePath C:\WINDOWS\Tools\EphemeralPortStats.log
- Finally, set the task to run with highest privileges:
Run the task manually or reboot the computer (it will trigger on every computer startup) and when the issue occurs check the log:
"C:\Windows\Tools\EphemeralPortStats.log"
I am hoping that with the removal of some Windows features and subsystems for Linux and Android, the issue will no longer occur and if it does, the monitoring solution should give me a little more insight into what happened.