Win2003 Remote Admin Mode TS Lots Winlogon/csrss processes running

[JB1268]

Hi all,

I have been dealing with Windows 2003 server that is causing me fits.

TS on this server is not allowing any connections after a few days. I can connect, get the background, but no logon prompt. Same response via a console, no logon prompt. The weird thing is that File shares are ok for now & our DBA can connect via SQL Tools.

The more I try to connect, I get more TS sessions... Up to 11 now & this is just in Remote admin mode.

I've had to reset this system 2 times to get this back to some control.

Any thoughts would be helpful.

Thanks in advance

SESSIONNAME USERNAME ID STATE TYPE DEVICE
>console 0 Conn wdcon
rdp-tcp 65536 Listen rdpwd
2 Down
3 Down
4 Down
5 Down
...
11 Down

From PSLIST
csrss 1236 13 3 57 740 16:14:15.031 23:09:00.936
winlogon 2516 13 1 134 1340 0:00:00.234 23:09:00.874
csrss 3920 13 9 60 784 0:00:00.062 22:52:09.139
winlogon 1136 13 1 134 1340 0:00:00.093 22:52:09.124
csrss 2400 13 9 61 784 0:00:00.078 22:43:02.802
winlogon 4036 13 1 134 1340 0:00:00.125 22:43:02.786
csrss 604 13 9 61 764 0:00:00.078 22:30:40.823
winlogon 3076 13 1 136 1312 0:00:00.109 22:30:40.823
csrss 3112 13 2 63 772 16:20:13.859 22:29:05.153
winlogon 1348 13 1 136 1312 0:00:00.109 22:29:05.138
csrss 2572 13 9 61 784 0:00:00.125 22:03:00.003
winlogon 3060 13 1 134 1340 0:00:00.093 22:02:59.988
csrss 2244 13 9 60 796 0:00:00.093 20:44:44.066
winlogon 2280 13 1 133 1340 0:00:00.156 20:44:44.050
csrss 3912 13 9 59 776 0:00:00.046 20:35:02.191
winlogon 2276 13 1 136 1312 0:00:00.125 20:35:02.175
dmadmin 1084 8 1 118 2016 0:00:00.078 20:29:01.457
DWHWizrd 4068 8 1 73 1024 0:00:00.125 12:17:39.476
csrss 3496 13 9 67 784 0:00:00.109 0:35:23.149
winlogon 940 13 1 134 1340 0:00:00.125 0:35:23.133

 

[NetIntruder]

just a quick bandaid, but try pushing the rconsole application to the server (located in the resource kit) and do an rclient to the server from your workstation. From there type "Logoff 2" "Logoff 3" , etc, etc, through the sessions. This will kill remnant sessions and hopefully get you in far enough to continue troubleshooting w/o rebooting.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 

[JB1268]

NetIntruder,

I will look for rconsole/rclient. I've been using psexec to run those commands, maybe rconsole will have better luck.

Thanks!

 

[NetIntruder]

psexec will do as well, though you may have to make a quick .bat file that you copy up and run.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 

[MiniOrganMorgan]

I've seen a mad situation, whereby on trying the first RDP connection just produces a grey screen but the second concurrent RDP connection from the same machine allows login and is perfectly normal. Most bizarre.

 

[JB1268]

I'm thinking that a user of mine is running something that can't shutdown & hangs the session.

Thx,
JB

 

[NetIntruder]

can you list all the processes running on that server? There is a potential for a "rogue" application hanging sessions, but i doubt that it would have the same behavior that you are seeing.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 

[JB1268]

I was able to use pslist before, now I'm not able to, time to reset...

Ouch.

 

[NetIntruder]

try pulist \\servername from your xp station quick... see if that works

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003