• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1038
  • Last Modified:

Open Session in Remote Desktop is continuously staying connected, even after closing session

We have a 2003 server running terminal services, not heavily used, mostly one or two connections/sessions on a regular basis.  One internal machine that has no need to be accessing the terminal server (and doesn't connect to it intentionally) shows a constant, continuous session ope with the terminal server.  It doesn't show up in the Terminal Services Manager tool where it shows a remote user or a user on the console; it shows up in Computer Management under Shared Folders/Sessions (usually where you'll go to see who's in what file/folder on a server).  It shows '0' open files under # Open Files, but when we right-click on the session and select "Close Session", it gets deleted and then pops right back up upon refresh, showing the local user as the account being used to make the connection.  I've gone to the machine reporting the connection, and nothing is running on that machine that would need the remote desktop connection.  We've gone to that machine and checked the services to try to turn off anything that would open that connection but really can't find anything...It's not apparent that this constant connection is causing any problems, but we're concerned that it never closes and would like to shut it off.  Any ideas?  It's a little difficult to search for a solution because of the vagueness of the problem, so any information would be appreciated!  Thanks!
0
mdcr1
Asked:
mdcr1
  • 2
1 Solution
 
Haresh NikumbhSr. Tech leadCommented:
0
 
mdcr1Author Commented:
I think the issue is that it is not showing up as a remote session through Terminal Server Manager; it is just an open session to the server.  Plus, I've set timeouts for disconnected sessions to 1 minute just to see if that session will get dropped but it still shows "Connected Time" of more than a minute (even went in and closed the session manually so if it only applied to new connections/sessions, it would apply). The group policy seems to only affect users who use remote desktop sessions, and this connection seems like it's independent of the terminal server/service.  There is a share listed on the server that is titled "IPC$" with one (1) Client Connection showing, which makes it seem like a null session exploit, but I've scanned that client machine with Malwarebytes/Barracuda Anti-Spyware tool, but it didn't find anything...
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Sometimes network information services will open up all available shares (or at least all ipc$ ones) they can get knowledge of.
If you really want to know what is causing that, run ProcMon from www.sysinternals.com on the "offending" machine, set up a filter like "Path", "starts with", "\\TerminalServerName". Make sure the magnifying glass icon has no red cross, so data is collected, and "Drop Filtered Events" in "Filter" menu is checked (important if you want to monitor for a longer period).

You should see the process, time and some more details of access now.
0
 
mdcr1Author Commented:
ProcMon is showing nothing but constant access to \\servername\pipe\spoolss with operations consisting of CreateFile, ReadFile, WriteFile, and FileSystemControl.  The results of those operations are either SUCCESS or BUFFER OVERFLOW....okay, so it looks like that was connecting to a printer on that server, even though it wasn't using it for anything (connecting to a PDF converter printer), checked printers, deleted that one, and session is gone!  Well that ProcMon worked alright, thanks Qlemo!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now