Channel: Remote Desktop Services (Terminal Services) forum

Default Printers Resetting or Changing - GPO Printers Disabled, Printers installed from Shared Printers on Print Server


I work as a "systems engineer" supporting a whole bunch of different customer environments. Lately I have been battling with this issue where in the end (and what I am having to do yet again tonight) the only working permanent fix is to nuke all the shared printer BS, clear out all the drivers and connections from the existing RDS Host, and manually install the printers locally.

The issue is the customer's users will have their defaults set. In the case of using RemoteApp this can be a huge pain to get right but we do usually just through publishing the "devices and printers" Control Panel as a RemoteApp. So all good, default is set, you can close that, go back in and confirm, open applications confirm they have the right default all OK.

To confirm usually at this point we have used GPP Printers to create the printer connections. We do so with the CREATE options, with it set to "RUN ONCE AND DO NOT REAPPLY" and enable "RUN UNDER LOGGED IN USERS ...".

At some random point later the users start reporting that their set defaults are no longer defaults. It will have changed to the Microsoft OneNote Printer or the Microsoft PDF Printer.

Ok, so then at that point despite all the GPO stuff being set correctly that it should not interfere, connections should never be "updated" or "recreated" we turn that off. We just delete the link to the GPO containing that. So would expect to fix it.

But NO. The issue just keeps happening.

So.. There is very clearly something at play on 2012 R2 and 2016 where for some reason the shared printer connections "recreate" or "refresh" even for the smallest split second at some point, and when this occurs because Windows sees no other connections present it defaults back to one of the local printers, apparently whichever is first alphabetically.

So.. Then we are stuck where we are implementing something by fucking letter that Microsoft say should work, but we then look beyond incompetent to the customer. I look stupid to my colleagues, because despite being told 10 years ago to use local printers then on a Terminal Server because GPO is just too unreliable I say "no, this is meant to work, this should work because MICROSOFT SAID IT WILL".

I have said before and I stand by it. You (Microsoft) make me hate my job. You make my job so unnecessarily complicated and BS. You make me have to stress about stupid shit like this. I mean... It's printers guys. This is simple shit and you incompetent children still can't get printers right. Like, we still have almost 20 year old tools around print deployment... Why isn't there something I can just say "give these users these printers" and it just work? Why are you not innovating in any way on any of this? Why do you fire a QA team that would probably have picked up on whatever bug whatever update you released has probably kicked off this issue?

Just fix this. It's childish. It's a joke. Do your jobs and fix this.


Local printers are not redirected when connecting to Session Host on Server 2016


I have an issue redirecting local printers in my WS2016 RDS farm.

When I connect to any of my Server 2016 Remote Desktop Session Host I am not able to see redirected printers. This happens with full desktop or with Remoteapp, for example, with Wordpad.

This issue happens when connecting from RDS Gateway or when connecting from the intranet. Despite that, I'm able to redirect local printers if I connect to the session host with the /admin console session (mstsc.exe /admin). I have EasyPrint enabled and configured with preference via GPO.

I have configured print management and installed several server printers. The users are able to see those printers, but they cannot see redirected ones. I believe it's a driver issue, as I am able to see the TS redirected ports (TSxxx PRNx) but no printer installed in any of those ports.

I do not have any clue why. Could you please help me? 

The farm is a standard RDS Farm, with 4 session hosts. The DCs are in another server, so no problem with that.

Thank You

Silently Deploy RemoteApp and Desktop Connection


Hi,

When I'm trying to deploy RemoteApp and Desktop Connections through GPO, it works but then it fails to update.

Start-Process -FilePath rundll32.exe -ArgumentList 'tsworkspace,WorkspaceSilentSetup', "\\shares\feed.wcx" -NoNewWindow -Wait

the Feed.wcx file:

<?xml version="1.0" encoding="utf-8" standalone="yes"?><workspace name="Enterprise Remote Access" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema"><defaultFeed url="https://remote.domain.com/RDWeb/Feed/webfeed.aspx" /></workspace>

Applying the previous works perfectly for the first time, but when I update the connection from Task Scheduler it fails with the following error in event viewer:

An error occurred. Contact your workplace administrator for assistance.
Connection name: Work Resources
Connection URL: https://remote.domain.com/rdweb/feed/webfeed.aspx
Error code: 0x800700B7, 0x0

Now, when I manually add the connection in control panel, the update task works normally without any issues.

Do you have any idea why silently deploying the connection causes an issue with the update task?

Thanks in advance,

Housam Smadi,


If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

Internal Error after configuring SSL encryption and CA server template.

I am unable to log into any system via RDP on my domain after I configured GPO to point at my CA for a specific certificate template. We are running Windows 2012R2 and Windows 10. We are trying to stop the use of self signed certificates.

calculate Terminal Server hardware requirements


Hi all

How do I calculate the resources for a terminal server with these details:

100 active users, using all Office apps, SAP, IE, Chrome and more.

thank you

Redirect My Documents to Network Share


We are using Horizon View to present Windows 10 VDI Desktops to our users.  We have a Standalone (not integrated to AD) Microsoft File cluster with two Server 2012 boxes connected to shared storage.  This MS File Cluster presents shares to our user's desktops and Windows 10 VDI desktops.

While in the office, our users access files from the fileshares.  In order to prevent users from saving documents from the shares locally on the VDI Desktops, I am trying to redirect the "my documents" folder on all my Windows 10 VDI Desktops to our fileshares.  In other words, whenever they try to save to or open a file from "My Documents", I want the fileshares to be listed instead of anything in "My Documents". 

I have tried two methods:

1. Created a Group Policy that sets "Basic (Redirect everyone's folder to the same location)" and the location is "\\fileshare\root".  Our users have access to various folders off of the root, so normally they only see what they have access to.  This does not work.  I get 1085 & 1112 errors in the event log on the Windows 10 VDI desktop.  Another thread told me the "Domain Users" need full access to the destination path.  I tested that with one test folder and then it works, but I can't do this because my users would have access to all the folders.

2. I used a reg file to make changes to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Value Name: Personal
Value Type: REG_SZ
Value Data: complete path to storage location

I use a script to add the reg file after the user logs in to the Windows 10 VDI desktop so that the reg file gets imported to the correct user key.  This does not change anything when the user clicks on "MY Documents".  Also it does not matter if domain users have full access to the test folder I setup in #1.

Can anyone offer any advice on how to get this working?  Our shares are already created and I can't have the users creating new shares just for VDI.  Any advice is appreciated.

RemoteApp execution fails when running two instances with the same user

Hello, I have the following situation:

1. I have an application installed on my application server.

2. I have this application published in my server's Collection, and from a workspace I access it via RemoteApp.

3. In this application I must configure a connection that points to a server, which allows me to retrieve the required information that will be displayed in the application.

4. As per the previous point, I have two different connections to the same server configured in the application.

(This is where my actual question begins)

5. I need to have two instances of the application running simultaneously. One instance of the application connects to one of the internal configurations from point 4, and the other instance points to the second configured connection.

6. When I connect remotely to my application server, I can run both instances of my application, each connecting to the configurations from point 4.

7. However, when I try to do this by running the application from the workspace via RemoteApp, it does not allow me to have two simultaneous sessions, because it says that another user is connected.

According to my analysis, when I run the application via RemoteApp, two process trees appear and each one contains my application's .exe, whereas when I run the application directly on the server there is only one process tree, which contains both .exe instances of the running application.

Is it possible, when I run the application via RemoteApp, for the two .exe processes to end up under the same process tree, as they do when I run it directly on the server?

I hope I have made myself understood.

Thanks.

Windows Server 2008 and Windows 2008 R2 CALs Issuance to Windows 2016 RDSH Servers


Hi Guys

Seeking clarity if it's possible and anyone has come across this scenario.

We have a Windows 2008 R2 based RDS License Server that has free CALs. The installed CALs (CAL Version) read as "Windows Server 2008 or Windows Server 2008 R2 : Installed TS or RDS per User CALs".

My Windows 2008 / Windows 2008 R2 and even Windows 2012 R2 server RDSH servers are able to contact the license server and get a license issued. However, I recently enabled the RDSH role on Windows 2016 servers (the only other difference is that these new RDSH servers are in Azure and my license server is on-premises). The new Windows 2016 RDSH servers are not getting the license even after pointing them to the on-premises license server using Server Manager.

I've followed the article https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx to allow port communication through Network Security Groups (NSG) in Azure.

This is the error I see on the RDSH servers:

Is it even possible that the existing Windows 2008 / R2 CALs can be consumed by Windows 2016 RDSH servers?

If yes, what else could be the cause of the issue and possible fix.

Thanks

Taranjeet Singh


zamn



help! my cellphone was stolen and i had my account open!

How can I change my password immediately? I'm afraid to wait 30 days! What if they have access to my personal data?

Connection to a RemoteApp program from within an RDP session does not work if the user has a startup program defined in the user profile


Hi,

Connection to a RemoteApp program from within an RDP session does not work if the user has a startup program defined in the user profile.

I'm using Windows Server 2012 R2. I used calculator as the RemoteApp program to verify that it's not a problem in my custom program.

1st scenario - works:

1. Connect to the server using RDP (no RemoteApp) --> Desktop opens
2. From the RDP session, try to make an RDP connection using RemoteApp. I'm using a pre-configured RDP file with remoteapplicationmode and remoteapplicationprogram parameters and I'm connecting to the same server in this example --> The RemoteApp screen appears and after entering credentials the RemoteApp program opens

2nd scenario - does not work:

1. Using an admin account, on the server, go to local user management and set a startup program for the user that is used for the test, cmd.exe for example (Environment tab --> Starting program --> Start the following... --> Program file name ="cmd.exe").

2. Connect to server with the test user --> cmd.exe opens

3. Try to connect with RemoteApp like step 2 in the previous scenario --> the RemoteApp screen appears but the program does not start; after a while the session closes.

I checked using ProcMon and the Event Viewer and I see that a connection is established, but for some reason the program does not start (rdpinit.exe should start the program, but it doesn't - I don't see any call for CreateProcess).

Is this a bug in Windows?

Thanks,
Gabriel

Remote Desktop App with Azure AD


It seems that I am unable to connect to a computer on my network with the Remote Desktop App (trusted Windows Store App on my Windows Laptop or from the iOS App store on my iPhone), while I am able to connect successfully to it from Remote Desktop Connection (old Windows app).

The remote computer is joined to Azure AD (Windows 10 Pro, up to date; again, this works from the old Remote Desktop Connection application on Windows).

Can anyone tell me if connection to a machine joined to Azure AD is supported on the Remote Desktop App or if there is something I need to do to configure it properly?

Thanks.


Security Alert message after logging into windows 7 pc thru RDP


Hello All,

I am suddenly having this issue occur. To preface, the PCs are fully updated and this problem did not occur after the last applied updates.

I am on a Win 10 Pro desktop. I use the Netgear VPN client to create a VPN tunnel to my office network.

From there I open an RDP connection to a PC at the office. Once I log in, a security alert message displays on the remote PC desktop. I click OK and continue working, but I want to know why this is occurring on every remote PC I log into. I am assuming something on my PC has changed, because this behavior occurs on all the networks I connect to.

Any thoughts are greatly appreciated.



RDS 2016 - Outlook 2016 issue


Just want to know if anyone has seen this problem before:

I have an RDS Server (2008 R2) with Outlook 2016 as RemoteApp connecting to an Exchange 2010 on-prem server. It was working fine until we did some updates on the Exchange server (Server 2008 R2 Updates + Update Rollup 21 for Exchange Server 2010 Service Pack 3). Now we are getting the following error for any new users:

"Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete the action"

I've spooled up a new Server 2016 for testing. Outlook works perfectly fine until installing the RDP Service. I'm not sure if this is some sort of conflict with RPC of HTTP, which I believe RDS and Outlook will use.

Any suggestions??

The computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable


I am also getting the same error 

The computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable.

Recent Change Implemented: Renewed Wild Card Certificate

Issue: This issue occurs only when users are connecting from an outside network, but when they try to access RDS within the network it works flawlessly.

Steps followed so far:

1) Verified RDGateway Certificate and its expiry date

2) Verified Internet Explorer Settings - TLS1 , 2 and 3

3) Imported Server Certificate into the client machine's trusted root store

4) Verified Public facing domain and its resolution over internet

5) TSGateway  service Restarted 

6) Created/Edited a 32 bit DWORD value called RDGClientTransport in Client Machines registry at      Computer\HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\PublisherBypassList

7) IIS ->  Default Web Site -> RDWeb -> Pages -> Application settings -> Defaults TS Gateway (Verified URL) 

Please help

Remote Desktop session host role


Greetings,

    I have a valid, configured license server with 100 per user CALs - let's call it serverL.

  I want to RDP to ServerX and I want ServerX to get a license from serverL.

   Do I do this by targeting a group policy to serverX specifying the serverL as the license server and specifying the license mode?

  Do I also need to install the Remote Desktop Session Host role on ServerX?

  What about the broker role?

Thanks

David Z


During RD session, video-window, on remote desktop, interferes with the GUI events of the app that hosts the video...


There is a Windows PC which is running an application that displays video from a camera. The video updates at between 10 and 25 Hz. When I'm at that PC, the application is very responsive. If I remote-desktop to that same PC, then the application becomes extremely sluggish; scrolling over the app's menu-bar reveals that the app is not responding to mouse-events (while scrolling over the menu-bar of, say, Windows Explorer behaves normally). However, if (within the RD session) I reposition the remote application's window such that the embedded-video is off-screen, then the application starts responding to mouse-events normally.  Similarly, dragging another window (on remote PC) over the video-window also causes the app to run freely.

This behavior makes it impossible to use the video-application on the remote desktop.

Any help is appreciated. 

It keeps doing this

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/15/2018 4:02:34 PM
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      User-PC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL - 
 15 user registry handles leaked from \Registry\User\S-1-5-21-4110290550-3471919552-1771245654-1000:
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\trust
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\Root
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\My
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\CA


Terminal Services RDP in Server 2016


Hello,

I need to allow four users to work remotely by connecting from outside the organization to Server 2016.

Which role is needed to accomplish this, is it Remote Desktop Services or Remote access?

Thanks in Advance.

Delegate standard user ability to log off RDS Sessions - RDS 2016


From researching, there doesn't seem to be a clear-cut way of delegating this role.

The best idea I've come across is something like this, but it would probably still require the user to connect to the server.

https://idefixwiki.no/2016/02/12/delegate-logoff-permission-rds-2012/

Anyone have any better solutions to this? Really must be a better way than that.

thanks,

Andrew

I keep getting errors


Greetings, can someone lend some insight? Thanks.

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/15/2018 4:02:34 PM
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      User-PC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL - 
 15 user registry handles leaked from \Registry\User\S-1-5-21-4110290550-3471919552-1771245654-1000:
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\trust
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\Root
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\My
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 112 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4110290550-3471919552-1771245654-1000\Software\Microsoft\SystemCertificates\CA

