Hello,
We have a customer in Mexico who is RDPing into one of our hosted servers via a VPN tunnel. One of the users (primary user) is experiencing issues with logging on multiple times before accessing the desktop of the server. The person has kept a log of the logon incidents and they coincide with Application and Services errors that are logged on the server. Below are the errors we are seeing:
Server: Windows 2008 R2 Standard
Client OS: Windows 7
RDC Client: 7.0
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" />
<EventID Qualifiers="49152">4005</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-04T13:43:32.000000000Z" />
<EventRecordID>50419</EventRecordID>
<Correlation/>
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>xxxxxxxx</Computer>
<Security/>
</System>
<EventData>
<Binary>1F000000</Binary>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5D896912-022D-40AA-A3A8-4FA5515C76D7}" />
<EventID>20</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000000000000000</Keywords>
<TimeCreated SystemTime="2010-11-04T13:43:32.614546800Z" />
<EventRecordID>2630</EventRecordID>
<Correlation/>
<Execution ProcessID="544" ThreadID="3804" />
<Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
<Computer>xxxxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
<UserData>
<EventXML>
<messageName>connect</messageName>
<errorCode>0xd0000001</errorCode>
</EventXML>
</UserData>
</Event>
Also, I'm not sure if this is related, but we get these warnings; they don't coincide with the logon attempts.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2010-11-04T16:25:31.941695300Z" />
<EventRecordID>50469</EventRecordID>
<Correlation/>
<Execution ProcessID="860" ThreadID="4608" />
<Channel>Application</Channel>
<Computer>xxxxxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Detail">3 user registry handles leaked from \Registry\User\S-1-5-21-741534334-2905252545-445207901-1029:
Process 5444 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-741534334-2905252545-445207901-1029
Process 5444 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-741534334-2905252545-445207901-1029\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Process 956 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-741534334-2905252545-445207901-1029\Printers\DevModePerUser</Data>
</EventData>
</Event>
Robert