Description of Windows TCP features - Windows Server (2023)

  • Article
  • 14 minutes to read

This article describes the TCP features in Windows.

Applies to: Windows 10 – all editions, Windows Server 2012 R2
Original KB number: 224829


This article describes the following TCP features in Windows:

  • TCP window size
  • TCP options now supported
  • Windows scaling - RFC 1323
  • Timestamp - RFC 1323
  • Protection against Wrapped Sequence Numbers (PAWS)
  • Selective Acknowledgments (SACKS) - RFC 2018
  • TCP retransmission behavior and fast retransmit

The TCP features can be changed by changing the entries in the registry.


The following sections, methods, or tasks contain steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

TCP window size

The TCP receive window size is the amount of receive data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. The Windows TCP/IP stack is designed to self-tune itself in most environments, and uses larger default window sizes than earlier versions.

Instead of using a hard-coded default receive window size, TCP adjusts to even increments of the maximum segment size (MSS). The MSS is negotiated during connection setup. Adjusting the receive window to even increments of the MSS increases the percentage of full-sized TCP segments used during bulk data transmissions.

The receive window size is determined in the following manner:

  1. The first connection request sent to a remote host advertises a receive window size of 16K (16,384 bytes).
  2. When the connection is established, the receive window size is rounded up to an even increment of the MSS.
  3. The window size is adjusted to four times the MSS, to a maximum size of 64 K, unless the window scaling option (RFC 1323) is used.


See the "Windows scaling" section.

For Ethernet connections, the window size will normally be set to 17,520 bytes (16K rounded up to twelve 1460-byte segments). The window size may reduce when a connection is established to a computer that supports extended TCP head options, such as Selective Acknowledgments (SACKS) and Timestamps. These two options increase the TCP header size to more than 20 bytes, which results in less room for data.

In previous versions of Windows NT, the window size for an Ethernet connection was 8,760 bytes, or six 1460-byte segments.

To set the receive window size to a specific value, add the TcpWindowSize value to the registry subkey specific to your version of Windows. To do so, follow these steps:

  1. Select Start > Run, type Regedit, and then select OK.

  2. Expand the registry subkey specific to your version of Windows:

    (Video) Microsoft Windows TCP/IP Configuration Overview

    • For Windows 2000, expand the following subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

    • For Windows Server 2003, expand the following subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, point to New, and then select DWORD Value.

  4. Type TcpWindowSize in the New Value box, and then press Enter

  5. Select Modify on the Edit menu.

  6. Type the desired window size in the Value data box.


    The valid range for window size is 0-0x3FFFC000 Hexadecimal.

This value isn't present by default. When you add the TcpWindowSize value, it overrides the default window size algorithm discussed above.


TcpWindowSize can also be added to the Parameters key to set the window size globally for all interfaces.

TCP options now supported

Previously, TCP options were used primarily for negotiating maximum segment sizes. In Windows, TCP options are used for Window Scaling, Time Stamp, and Selective ACK.

There are two types of TCP options:

  1. A single octet TCP option, which is used to indicate a specific option kind.
  2. A multiple octet TCP option, which consists of an option kind, an option length and a series of option octets.

The following list shows each TCP option kind, length, name, and description.

Kind: 0
Length: 1
Option: End of Option List
Description: Used when padding is needed for the last TCP option.

Kind: 1
Length: 1
Option: No Operation
Description: Used when padding is needed and more TCP options follow within the same packet.

Kind: 2
Length: 4
Option: Maximum Segment Size
Description: Indicates the maximum size for a TCP segment that can be sent across the network.

Kind: 3
Length: 3
Option: Window Scale Option
Description: Identifies the scaling factor to be used when using window sizes larger than 64k.

(Video) TCP: Sliding Windows

Kind: 8
Length: 10
Option: Time Stamp Option
Description: Used to help calculate the Round Trip Time (RTT) of packets transmitted.

Kind: 4
Length: 2
Option: TCP SACK permitted
Description: Informs other hosts that Selective Acks are permitted.

Kind: 5
Length: Varies
Option: TCP SACK Option
Description: Used by hosts to identify whether out-of-order packets were received.

Windows scaling

For more efficient use of high-bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and is limited to 2 bytes, or a window size of 65,535 bytes.

Since the size field can't be expanded, a scaling factor is used. TCP window scale is an option used to increase the maximum window size from 65,535 bytes to 1 Gigabyte.

The window scale option is used only during the TCP three-way handshake. The window scale value represents the number of bits to left-shift the 16-bit window size field. The window scale value can be set from 0 (no shift) to 14.

To calculate the true window size, multiply the window size by 2^S where S is the scale value.

For Example:

If the window size is 65,535 bytes with a window scale factor of 3.
True window size = 65535*2^3

True window size = 524280

The following Network Monitor trace shows how the window scale option is used:

TCP: ....S., len:0, seq:725163-725163, ack:0, win:65535, src:1217 dst:139(NBT Session) TCP: Source Port = 0x04C1 TCP: Destination Port = NETBIOS Session Service TCP: Sequence Number = 725163 (0xB10AB) TCP: Acknowledgement Number = 0 (0x0) TCP: Data Offset = 44 (0x2C) TCP: Reserved = 0 (0x0000) + TCP: Flags = 0x02 : ....S. TCP: Window = 65535 (0xFFFF) TCP: Checksum = 0x8565 TCP: Urgent Pointer = 0 (0x0) TCP: Options + TCP: Maximum Segment Size Option TCP: Option Nop = 1 (0x1) TCP: Window Scale Option TCP: Option Type = Window Scale TCP: Option Length = 3 (0x3) TCP: Window Scale = 3 (0x3) TCP: Option Nop = 1 (0x1) TCP: Option Nop = 1 (0x1) + TCP: Timestamps Option TCP: Option Nop = 1 (0x1) TCP: Option Nop = 1 (0x1) + TCP: SACK Permitted Option 

The window size used in the actual three-way handshake isn't the window size that's scaled, per RFC 1323 section 2.2:

"The Window field in a SYN (for example, a [SYN] or [SYN,ACK]) segment itself is never scaled."

It means that the first data packet sent after the three-way handshake is the actual window size. If there's a scaling factor, the initial window size of 65,535 bytes is always used. The window size is then multiplied by the scaling factor identified in the three-way handshake. The table below represents the scaling factor boundaries for various window sizes.

Scale FactorScale ValueInitial WindowWindow Scaled
0165535 or less65535 or less

For example:

If the window size in the registry is entered as 269000000 (269M) in decimal, the scaling factor during the three-way handshake is 13. A scaling factor of 12 only allows a window size up to 268,431,360 bytes (268M).

The initial window size in this example would be calculated as follows:
65,535 bytes with a window scale factor of 13.
True window size = 65535*2^13
True window size = 536,862,720

When the value for window size is added to the registry, and its size is larger than the default value, Windows attempts to use a scale value that accommodates the new window size.

The Tcp1323Opts value in the following registry key can be added to control scaling windows and timestamp:


(Video) Configuring TCP/IP on a Windows host

  1. On the toolbar, select Start > Run, and then type Regedit to start the Registry Editor.

  2. In the Registry Editor, select Edit, point to New, and then select DWORD Value.

  3. In the New Value box, type Tcp1323Opts, press ENTER, and then on the Edit menu, select Modify.


    The valid range is 0, 1, 2 or 3 where:
    0 (disable RFC 1323 options)
    1 (window scale enabled only)
    2 (timestamps enabled only)
    3 (both options enabled)

This registry entry controls RFC 1323 timestamps and window scaling options. Timestamps and Window scaling are enabled by default, but can be manipulated with flag bits. Bit 0 controls window scaling. Bit 1 controls timestamps.


Previously, the TCP/IP stack used one sample per window of data sent to calculate the round-trip time (RTT). A timer (retransmit timer) was set when the packet was sent, until the acknowledgment was received. For example, if the window size was 64,240 bytes (44 full segments) on an Ethernet network, only one of every 44 packets were used to recalculate the round-trip time. With a maximum window size of 65,535 bytes, this sampling rate was sufficient. Using window scaling, and a maximum window size of 1 Gigabyte, this RTT sampling rate isn't sufficient.

The TCP Timestamp option can now be used on segments (data and ACK) considered appropriate by the stack, to do operations such as:

  • RTT computation
  • PAWS check

Using this data, the RTT can be accurately calculated with large window sizes. RTT is used to calculate retransmission intervals. Accurate RTT and retransmission time-outs are needed for optimum throughput.

When TCP time stamp is used in a TCP session, the originator of the session sends the option in its first packet of the TCP three-way handshake (SYN packet). Either side can then use the TCP option during the session.

TCP Timestamps Option (TSopt):

Kind = 8Length = 10TS Value (Tsval)TS Echo Reply (Tsecr)
1 byte1 byte4 bytes4 bytes

The timestamp option field can be viewed in a Network Monitor trace by expanding the TCP options field, as shown below:

TCP: Timestamps Option TCP: Option Type = Timestamps TCP: Option Length = 10 (0xA) TCP: Timestamp = 2525186 (0x268802) TCP: Reply Timestamp = 1823192 (0x1BD1D8)

Protection against Wrapped Sequence Numbers (PAWS)

The TCP sequence number field is limited to 32 bits, which limits the number of sequence numbers available. With high capacity networks and a large data transfer, it's possible to wrap sequence numbers before a packet traverses the network. If sending data on a one Giga-byte per second (Gbps) network, the sequence numbers could wrap in as little as 34 seconds. If a packet is delayed, a different packet could potentially exist with the same sequence number. To avoid confusion of duplicate sequence numbers, the TCP timestamp is used as an extension to the sequence number. Packets have current and progressing time stamps. An old packet has an older time stamp and is discarded.

Selective Acknowledgments (SACKs)

Windows introduces support for a performance feature known as Selective Acknowledgment, or SACK. SACK is especially important for connections that use large TCP window sizes. Before SACK, a receiver could only acknowledge the latest sequence number of a contiguous data stream that had been received, or the "left edge" of the receive window. With SACK enabled, the receiver continues to use the ACK number to acknowledge the left edge of the receive window, but it can also acknowledge other blocks of received data individually. SACK uses TCP header options, as shown below.

SACK uses two types of TCP Options.

The TCP Sack-Permitted Option is used only in a SYN packet (during the TCP connection establishment) to indicate that it can do selective ACK.

The second TCP option, TCP Sack Option, contains acknowledgment for one or more blocks of data. The data blocks are identified using the sequence number at the start and at the end of that block of data. It's also known as the left and right edge of the block of data.

Kind 4 is TCP Sack-Permitted Option. Kind 5 is TCP Sack Option. Length is the length in bytes of this TCP option.

Tcp SACK Permitted:

(Video) Overview & Configuration of Network Load Balancing (NLB) Cluster | Windows Server 2019

Kind = 4Length = 2
1 byte1 byte

Tcp SACK Option:

Kind = 5Length = Variable
1 byteLeft edge of first block to Right edge of first block
Left edge of Nth block to Right edge of Nth block

With SACK enabled (default), a packet or series of packets can be dropped. The receiver informs the sender which data has been received, and where there may be "holes" in the data. The sender can then selectively retransmit the missing data without a retransmission of blocks of data that have already been received successfully. SACK is controlled by the SackOpts registry parameter.

The SackOpts value in the following registry key can be edited to control the use of selective acknowledgments:


  1. On the toolbar, select Start > Run, and then type Regedit to start the Registry Editor.
  2. Locate and select the above key in the Registry Editor, and then select Modify on the Edit menu.
  3. Type the desired value in the Value data box.


The valid binary value is 0 or 1, the default value is 1. This parameter controls whether or not Selective ACK (SACK - RFC 2018) support is enabled.

The following Network Monitor trace illustrates a host acknowledging all data up to sequence number 54857341, plus the data from sequence number 54858789-54861685. The missing data is from 54857341 to 54858788.

TCP: .A...., len:0, seq:925104-925104, ack:54857341, win:32722, src:1242 dst:139 TCP: Source Port = 0x04DA TCP: Destination Port = NETBIOS Session Service TCP: Sequence Number = 925104 (0xE1DB0) TCP: Acknowledgement Number = 54857341 (0x3450E7D) TCP: Data Offset = 44 (0x2C) TCP: Reserved = 0 (0x0000) + TCP: Flags = 0x10 : .A.... TCP: Window = 32722 (0x7FD2) TCP: Checksum = 0x4A72 TCP: Urgent Pointer = 0 (0x0) TCP: Options TCP: Option Nop = 1 (0x1) TCP: Option Nop = 1 (0x1) + TCP: Timestamps Option TCP: Option Nop = 1 (0x1) TCP: Option Nop = 1 (0x1) TCP: SACK Option TCP: Option Type = 0x05 TCP: Option Length = 10 (0xA) TCP: Left Edge of Block = 54858789 (0x3451425) TCP: Right Edge of Block = 54861685 (0x3451F75)

TCP retransmission behavior and fast retransmit

TCP retransmission

As a review of normal retransmission behavior, TCP starts a retransmission timer when each outbound segment is handed down to the Internet Protocol (IP). If no acknowledgment has been received for the data in a given segment before the timer expires, then the segment is retransmitted.

The retransmission timeout (RTO) is adjusted continuously to match the characteristics of the connection using Smoothed Round Trip Time (SRTT) calculations as described in RFC 793. The timer for a given segment is doubled after each retransmission of that segment. Using this algorithm, TCP tunes itself to the normal delay of a connection.

Fast retransmit

TCP retransmits data before the retransmission timer expires under some circumstances. The most common cause is a feature known as fast retransmit. When a receiver that supports fast retransmit receives data with a sequence number beyond the current expected one, some data was likely dropped. To help inform the sender of this event, the receiver immediately sends an ACK, with the ACK number set to the sequence number that it was expecting. It will continue to do so for each additional TCP segment that arrives. When the sender starts to receive a stream of ACKs that's acknowledging the same sequence number, a segment may have been dropped. The sender will immediately resend the segment that the receiver is expecting, without waiting for the retransmission timer to expire. This optimization greatly improves performance when packets are frequently dropped.

By default, Windows resends a segment under the following conditions:

  • It receives three ACKs for the same sequence number: one ACK and two duplicates.
  • The sequence number lags the current one.

This behavior is controllable with the TcpMaxDupAcks registry parameter.

The TcpMaxDupAcks value in the following registry key can be edited to control the number of ACKs necessary to start a fast retransmits:


  1. On the toolbar, select Start > Run, and then type Regedit to start the Registry Editor.
  2. Locate and select the above key in the Registry Editor, and then select Modify on the Edit menu.
  3. Type the desired value in the Value data box.


The valid range is 1-3, the default value is 2.

This parameter determines the number of duplicate ACKs that must be received for the same sequence number of sent data before fast retransmit is triggered to resend the segment that has been dropped in transit.


What is the purpose of the TCP window? ›

What Is TCP Windowing? "TCP windowing" is what we call it when the Transmission Control Protocol (TCP) uses a sliding window protocol to mitigate problems with clients and servers trying to share segments of data that are too large or small, and therefore cannot transmit effectively.

Which is the type of windows used in TCP? ›

There are three TCP windows used in a TCP connection: Receive Window (RWIN) Send Window (SWIN) Congestion Window (CWIN)

How do I check my TCP connection on Windows Server? ›

Press the Windows key + R, then type "cmd.exe" and click OK. Enter "telnet + IP address or hostname + port number" (e.g., telnet 1723 or telnet 10.17. xxx. xxx 5000) to run the telnet command in Command Prompt and test the TCP port status.

What does TCP window full mean? ›

When you see TCP Window Full flags, it usually means that the sender is using the full capacity of the TCP flow, limited by the recipient's receive window. The network may have higher capacity.

What are the main features of TCP? ›

The main TCP features are connection management, reliability, flow control and congestion control. Connection management includes connection initialization (a 3-way handshake) and its termination. The source and destination TCP ports are used for creating multiple virtual connections.

What are the two functions of TCP? ›

Providing Flow Control and Congestion Avoidance Features: TCP allows the flow of data between two devices to be controlled and managed. It also includes features to deal with congestion that may be experienced during communication between devices.


1. Domain join and TCP/IP settings: How to configure Windows Server 2019 Server Properties
2. How to change the default TCP listening ports in IIS Windows 2019 server
(Robert McMillen)
3. How to configure IP?
(Silent Wraith)
4. Windows How to set IPv6 address in Windows 7, Windows 8, Windows Server 2008 (Hindi and English)
(Priy Ranjan)
5. Windows Server 2019 Features | What's New | Explained
6. transfer control protocol | TCP | Networking | Bhanu Priya
(Education 4u)
Top Articles
Latest Posts
Article information

Author: Dean Jakubowski Ret

Last Updated: 02/09/2023

Views: 6220

Rating: 5 / 5 (70 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Dean Jakubowski Ret

Birthday: 1996-05-10

Address: Apt. 425 4346 Santiago Islands, Shariside, AK 38830-1874

Phone: +96313309894162

Job: Legacy Sales Designer

Hobby: Baseball, Wood carving, Candle making, Jigsaw puzzles, Lacemaking, Parkour, Drawing

Introduction: My name is Dean Jakubowski Ret, I am a enthusiastic, friendly, homely, handsome, zealous, brainy, elegant person who loves writing and wants to share my knowledge and understanding with you.