Solved

Open Session in Remote Desktop is continuously staying connected, even after closing session

Posted on 2013-06-12
4
995 Views
Last Modified: 2013-06-12
We have a 2003 server running terminal services, not heavily used, mostly one or two connections/sessions on a regular basis.  One internal machine that has no need to be accessing the terminal server (and doesn't connect to it intentionally) shows a constant, continuous session ope with the terminal server.  It doesn't show up in the Terminal Services Manager tool where it shows a remote user or a user on the console; it shows up in Computer Management under Shared Folders/Sessions (usually where you'll go to see who's in what file/folder on a server).  It shows '0' open files under # Open Files, but when we right-click on the session and select "Close Session", it gets deleted and then pops right back up upon refresh, showing the local user as the account being used to make the connection.  I've gone to the machine reporting the connection, and nothing is running on that machine that would need the remote desktop connection.  We've gone to that machine and checked the services to try to turn off anything that would open that connection but really can't find anything...It's not apparent that this constant connection is causing any problems, but we're concerned that it never closes and would like to shut it off.  Any ideas?  It's a little difficult to search for a solution because of the vagueness of the problem, so any information would be appreciated!  Thanks!
0
Comment
Question by:mdcr1
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39241841
0
 

Author Comment

by:mdcr1
ID: 39241897
I think the issue is that it is not showing up as a remote session through Terminal Server Manager; it is just an open session to the server.  Plus, I've set timeouts for disconnected sessions to 1 minute just to see if that session will get dropped but it still shows "Connected Time" of more than a minute (even went in and closed the session manually so if it only applied to new connections/sessions, it would apply). The group policy seems to only affect users who use remote desktop sessions, and this connection seems like it's independent of the terminal server/service.  There is a share listed on the server that is titled "IPC$" with one (1) Client Connection showing, which makes it seem like a null session exploit, but I've scanned that client machine with Malwarebytes/Barracuda Anti-Spyware tool, but it didn't find anything...
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39241923
Sometimes network information services will open up all available shares (or at least all ipc$ ones) they can get knowledge of.
If you really want to know what is causing that, run ProcMon from www.sysinternals.com on the "offending" machine, set up a filter like "Path", "starts with", "\\TerminalServerName". Make sure the magnifying glass icon has no red cross, so data is collected, and "Drop Filtered Events" in "Filter" menu is checked (important if you want to monitor for a longer period).

You should see the process, time and some more details of access now.
0
 

Author Comment

by:mdcr1
ID: 39242339
ProcMon is showing nothing but constant access to \\servername\pipe\spoolss with operations consisting of CreateFile, ReadFile, WriteFile, and FileSystemControl.  The results of those operations are either SUCCESS or BUFFER OVERFLOW....okay, so it looks like that was connecting to a printer on that server, even though it wasn't using it for anything (connecting to a PDF converter printer), checked printers, deleted that one, and session is gone!  Well that ProcMon worked alright, thanks Qlemo!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question