Solved

Open Session in Remote Desktop is continuously staying connected, even after closing session

Posted on 2013-06-12
Last Modified: 2013-06-12
We have a 2003 server running terminal services, not heavily used, mostly one or two connections/sessions on a regular basis.  One internal machine that has no need to be accessing the terminal server (and doesn't connect to it intentionally) shows a constant, continuous session open with the terminal server.  It doesn't show up in the Terminal Services Manager tool where it shows a remote user or a user on the console; it shows up in Computer Management under Shared Folders/Sessions (usually where you'll go to see who's in what file/folder on a server).  It shows '0' open files under # Open Files, but when we right-click on the session and select "Close Session", it gets deleted and then pops right back up upon refresh, showing the local user as the account being used to make the connection.  I've gone to the machine reporting the connection, and nothing is running on that machine that would need the remote desktop connection.  We've gone to that machine and checked the services to try to turn off anything that would open that connection but really can't find anything... It's not apparent that this constant connection is causing any problems, but we're concerned that it never closes and would like to shut it off.  Any ideas?  It's a little difficult to search for a solution because of the vagueness of the problem, so any information would be appreciated!  Thanks!
0
Question by:mdcr1
4 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39241841
0
 

Author Comment

by:mdcr1
ID: 39241897
I think the issue is that it is not showing up as a remote session through Terminal Server Manager; it is just an open session to the server.  Plus, I've set timeouts for disconnected sessions to 1 minute just to see if that session will get dropped but it still shows "Connected Time" of more than a minute (even went in and closed the session manually so if it only applied to new connections/sessions, it would apply). The group policy seems to only affect users who use remote desktop sessions, and this connection seems like it's independent of the terminal server/service.  There is a share listed on the server that is titled "IPC$" with one (1) Client Connection showing, which makes it seem like a null session exploit, but I've scanned that client machine with Malwarebytes/Barracuda Anti-Spyware tool, but it didn't find anything...
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 39241923
Sometimes network information services will open up all available shares (or at least all ipc$ ones) they can get knowledge of.
If you really want to know what is causing that, run ProcMon from www.sysinternals.com on the "offending" machine, set up a filter like "Path", "starts with", "\\TerminalServerName". Make sure the magnifying glass icon has no red cross, so data is collected, and "Drop Filtered Events" in "Filter" menu is checked (important if you want to monitor for a longer period).

You should see the process, time and some more details of access now.
0
 

Author Comment

by:mdcr1
ID: 39242339
ProcMon is showing nothing but constant access to \\servername\pipe\spoolss with operations consisting of CreateFile, ReadFile, WriteFile, and FileSystemControl.  The results of those operations are either SUCCESS or BUFFER OVERFLOW....okay, so it looks like that was connecting to a printer on that server, even though it wasn't using it for anything (connecting to a PDF converter printer), checked printers, deleted that one, and session is gone!  Well that ProcMon worked alright, thanks Qlemo!
0
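For longer captures, the ProcMon trace described in this thread can be saved as CSV and summarized per process instead of being read by eye. The script below is an added example, not part of the original thread: it ranks which process touches which share or named pipe on one server. The function name `summarize_remote_access`, the server name `TS01`, and the process names and PIDs in the sample are constructed; the column names are those of ProcMon's default CSV export.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a ProcMon CSV export.
# Server names, process names and PIDs are made up for this example.
SAMPLE_CSV = "\ufeff" + r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.10","spoolsv.exe","1320","CreateFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:15:01.11","spoolsv.exe","1320","WriteFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:15:01.12","spoolsv.exe","1320","ReadFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:15:01.13","spoolsv.exe","1320","FileSystemControl","\\TS01\pipe\spoolss","BUFFER OVERFLOW",""
"10:15:31.10","spoolsv.exe","1320","CreateFile","\\ts01\PIPE\spoolss","SUCCESS",""
"10:16:02.40","explorer.exe","2208","CreateFile","\\TS01\Public\readme.txt","SUCCESS",""
"10:16:05.00","explorer.exe","2208","CreateFile","\\FS02\Home\notes.txt","SUCCESS",""
"10:16:07.00","notepad.exe","3012","ReadFile","C:\Temp\notes.txt","SUCCESS",""
'''


def summarize_remote_access(csv_text, server):
    """Rank (process, PID, target) tuples by event count for one remote server."""
    prefix = "\\\\" + server.lower() + "\\"
    stats = {}
    # An export can start with a byte order mark; drop it before parsing.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        path = row["Path"]
        if not path.lower().startswith(prefix):
            continue  # local path or a different server
        parts = path[len(prefix):].lower().split("\\")
        # \\server\pipe\<name> is a named pipe, which SMB carries over the
        # IPC$ share; anything else is an ordinary share.
        if parts[0] == "pipe" and len(parts) > 1:
            target = "pipe\\" + parts[1]
        else:
            target = "share\\" + parts[0]
        key = (row["Process Name"].lower(), int(row["PID"]), target)
        ops, results = stats.setdefault(key, (Counter(), Counter()))
        ops[row["Operation"]] += 1
        results[row["Result"]] += 1
    ranked = [
        (proc, pid, target, sum(ops.values()), sorted(ops), sorted(results))
        for (proc, pid, target), (ops, results) in stats.items()
    ]
    return sorted(ranked, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for entry in summarize_remote_access(SAMPLE_CSV, "TS01"):
        print(entry)
```

A `pipe\...` target at the top of the ranking accounts for a session that shows only an IPC$ connection with 0 open files, as in this thread.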

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question