?
Solved

SBS 2011 Hundreds of Instances of LogonUI

Posted on 2012-03-13
11
Medium Priority
?
854 Views
Last Modified: 2012-05-03
Every morning when I check our SBS 2011 server, I find that the server is using up almost all of its memory and is running very slowly.  When looking at the Memory usage I find hundreds of instances of LogonUI running taking up each about 10K of memory.  When I reboot the server these instances are not there.  But over night, it seem the system is loading them for some reason.  Can anyone help me determine what may be causing this?
0
Comment
Question by:maike9
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
11 Comments
 
LVL 6

Expert Comment

by:crash2000
ID: 37714237
Sounds like Malware
Try a full security scan with whatever product you use and let me know.

Mark
0
 
LVL 8

Expert Comment

by:Elmar-H
ID: 37714238
you use the server for rdp? perhaps you should configure the time for logoff for closed and disconnected sessions?
0
 

Author Comment

by:maike9
ID: 37715016
I discovered that my predecessor failed to install adequate AV software on the server.  I'm installing Norton Endpoint Protection on server now.  

Yes, this server is used for RDP however no one remoted in last night.  Since rdp is exposed to internet, is it possible that connection attempts that fail to gain access will open up LoginUI instances, and since I am not sure if there is a timeout on them, that they are being left open?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 6

Assisted Solution

by:crash2000
crash2000 earned 450 total points
ID: 37715027
I would definetely say that something is comprimised on your server.
Can you turn off RDP until scanning is complete?

Mark
0
 
LVL 8

Accepted Solution

by:
Elmar-H earned 450 total points
ID: 37715035
You can manage timeouts via GPO under
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions
0
 

Author Comment

by:maike9
ID: 37717295
UPDATE:  

Mark, I installed Norton Endpoint Protection on the server and ran a full system scan.  All that was found was a single cookie which was removed.

Elmar-H, I tried to find the location where the RDP timeout is set but was unable to find it based on the information you gave above.  Can you please expand your guidance on how to modify the timeout settings for RDP connections.

Also, I want to disable RDP temporarily to see if the problem goes away.  Is there a setting to change or a service to disable that will disable RDP temporarily?

Thank you for all your help.

Mike
0
 
LVL 6

Expert Comment

by:crash2000
ID: 37717307
Hi Mike,

Can you run malwarebytes on there too please?
I'm not convinced it's clear.

Mark
0
 

Author Comment

by:maike9
ID: 37717369
Will ad-aware suffice?
0
 
LVL 8

Expert Comment

by:Elmar-H
ID: 37718705
See Attachement :-)
GPO.jpg
0
 
LVL 6

Expert Comment

by:crash2000
ID: 37718868
I would use Malwarebytes. You can get it free from http://www.malwarebytes.org
You don't need the paid version.

I am out today, so may not be able to answer quickly.

Mark
0
 

Author Comment

by:maike9
ID: 37722304
Update

This morning the LogonUI issue was not a problem.  Not sure if what I did to the server yesterday helped.  Today, I concentrated on removing unneed/redundant software from the box.  My predecessor had installed Comcast Toolbar on the machine which installed a bunch of other crap.  I removed the Comcast Toolbar, CA Pest Patrol Protection, and ComcastAntiSpyware.  After removing that last item, I noticed a significant increase in the speed of machine.

I also ran a full system scan using AD-Aware Pro which found and removed 9 cookies.  I then uninstalled Ad-Aware and installed MalwareBytes.  I ran a quick scan using MB and it found and additional trojan called Trojan.FakeFireFox.  I removed the trojan using MB.  I am currently doing a full system scan using MB.

One other thing I'd like to note.  I was going through the System Event logs and I'm seeing thousands of entries under the Terminal Services-RemoteConnectionManager source I think since we enabled RDP.

"Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

Could this mean that something is trying to hack the remote connection?  Could this cause the LogonUI instance issue?
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question