Solved

iexplore.exe and firefox.exe leak memory in RDP sessions on Windows Server 2003

Posted on 2011-03-09
14
3,023 Views
Last Modified: 2013-11-21
Server running Windows Server 2003 Standard, SP2, with Terminal Services installed in application mode. IE8 and Firefox installed. From the desktop of the server, IE8 and Firefox open and operate normally.
But if you open either IE8 or Firefox from inside a terminal services session, the pgm opens normally. IE8 opens 2 iexplore.exe processes. But if you watch the processes in task manager, the memory usage continues to climb, even though I am doing nothing within IE or Firefox.
So far, I have tried uninstalling and reinstalling IE8 and scanning with malwarebytes and with Vipre. Each has found 3-5 different infections and quarantined them, but the behavior continues. What I found interesting is that 2 different browsers exhibit the same behavior, but neither misbehaves when run on the server desktop. I have deleted a profile, then logged back in with the same account, allowed the system recreate the profile, but the problem persists.

Has anyone ever seen this before or can someone suggest a resolution?

Thanks.
0
Comment
Question by:ClydeB
  • 5
  • 4
  • 3
  • +1
14 Comments
 
LVL 14

Expert Comment

by:Justin Yeung
Comment Utility
sounds like an issue with browser plug in. Try to disable all Add-on and see if the issue still exist
0
 
LVL 5

Expert Comment

by:nazg82
Comment Utility
Does anyone have a solution yet?

Disabled all browser plugins but the problem still exists.
Thanks!
0
 
LVL 14

Expert Comment

by:Justin Yeung
Comment Utility
is the page that you open using Flash?

what processor and cpu are using on the server?
0
 
LVL 5

Expert Comment

by:nazg82
Comment Utility
It happens even on the about:blank page. Also when we start Internet Explorer without addons, it will consume memory. Same thing happens to firefox.

CPU is Intel Xeon quad core 2,2 Ghz.
0
 

Expert Comment

by:IC-Automatisering
Comment Utility
I have the exact same problem, as a workaround i installed google chrome that does not have the problem. Did you come with a solution yet?
0
 

Author Comment

by:ClydeB
Comment Utility
No solution yet. I appreciate all of the observations. We have opened an incident with Microsoft and have engaged the IE team on this. Still sending tons of dump files for their analysis.
What is really weird is why does it only occur in the TS sessions? And why with both IE and Firefox? On the desktop, IE works fine.
I will try Chrome.
0
 

Expert Comment

by:IC-Automatisering
Comment Utility
I agree, i even tried a portable versions of firefox with the same effect. Our client (a small firm with only 7 users) has installed Google chrome for each seperate user. The use Chrome without any problems. Ofcourse this is a workaround so the client can resume normal operations.
The Windows 2003 EE SP2 terminal server is fully patched and both Eset Business Edititon and Malware byte detect no threads. Because it only occurs in a TS session and not on the console itself i do not think it is virus or malware.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 5

Expert Comment

by:nazg82
Comment Utility

Anyone?
0
 

Expert Comment

by:IC-Automatisering
Comment Utility
Did Microsoft found a cause of the problem in the dump files you send for analysis yet?
0
 

Author Comment

by:ClydeB
Comment Utility
We have sent them dump files and they have turned us over to their Antivirus team. We have basically given up, and will be going in this weekend, wiping the server, reinstalling the OS, and reinstalling all applications.
0
 
LVL 5

Expert Comment

by:nazg82
Comment Utility
Hi folks,

we are on to something! If it all works, i'll post te solution tonight!

0
 
LVL 5

Accepted Solution

by:
nazg82 earned 500 total points
Comment Utility
Okay guys,

First we drink a vodka, then we apply the solution. :)

Open your task manager. Search for all the processes with the name rundll.exe and kill them all.
Now startup Internet Explorer. Is your memory leak gone? Yes? Then read on!

open command prompt on the terminal server and goto c:\windows\tasks.
type: dir<enter>
then type: dir *.* /ah<enter>
Do you see any difference? Yes? Great, read on.

In our situation there was a hidden file called emeigww.job. This job started the rundll.exe and was also causing the memory leak.
This file cannot be deleted by the DEL command. So download jt.zip from the microsoft FTP server.
Extract jt.exe to the local C: drive of the terminal server. type the following command: jt.exe /sd c:\windows\tasks\the_Hidden_jobfile
Reboot your terminal server.
0
 

Expert Comment

by:IC-Automatisering
Comment Utility
Hi, i first applied the solution and tested it before the vodka.

In our situation we had a hidden file called ssjn.job. After i removed the job with jt.exe and rebooted the server the users are able to browse with IE again and no memory leak!.
Sad to see the users stop using Google Chrome, it saved us from reinstallling the server and gave us time to wait for a solution.
Just to be curious, how did you came up with this solution??

The bottle of vodka is now empty :-)
0
 

Author Closing Comment

by:ClydeB
Comment Utility
You are THE MAN! We were headed to this site this weekend to wipe their server and do a complete re-install. Once again, you have proven the value of Peer Power!

Thank you !
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Know what services you can and cannot, should and should not combine on your server.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now