TermDD - 56


Error

Description »
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Data formatted as » WORDS
0000: 00040000 00000001 00000000 C00A0038 
0008: 00000000 C00A0038 00000000 00000000 
0010: 00000000 00000000 D00A0032

On Windows 2008 R2, this event is helpful enough to tell you what the IP of the client was, e.g.:

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 192.168.11.152.

This event tells you that somebody's remote desktop session got disconnected. The last ntstatus value in the data will give you more information about why this happened. The ntstatus value in the data (formatted as words) will actually appear with a D instead of a C at the beginning. This is, according to the Performance Team blog, the result of converting an HRESULT to an ntstatus value. In the example above, the last value in the data is D00A0032, so the ntstatus value is C00A0032, which is "STATUS_RDP_PROTOCOL_ERROR" - which is rather uninformative. Really? An error in the protocol because of an error in the protocol? You don't say!

You may find that other ntstatus values are of more use, such as C00A0006 - STATUS_CTX_CLOSE_PENDING or C00000B5 - STATUS_IO_TIMEOUT.

You might find these events if there's an interruption to your network connection, such as a teamed interface failing over, or a NIC renegotiating its speed/duplex settings.

Check that your NICs are not set to auto/auto, but are hard-set to whatever your network infrastructure can provide. If you are using NICs with a Broadcom chipset, disable "Scalable Networking" (e.g. TCP Chimney, Receive-Side Scaling).

Also, check out the article The Curious Case of Event ID: 56 with Source TermDD at the Performance Team blog, which details more ntstatus/hresults which may appear in the data section, and suggests using WMI event tracing to troubleshoot event ID 56.

You may also find values which do not originate from the ntstatus.h header file. For example, the last DWORD may be 80090304, which is an HRESULT, defined in winerror.h and means SEC_E_INTERNAL_ERROR - or "The Local Security Authority cannot be contacted".
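The decoding described above (take the last DWORD, read a leading D as C, and treat other values such as 80090304 as plain HRESULTs) can be scripted when triaging many of these events. This is an added example, not code from the original page; the function names are hypothetical, the lookup table holds only the codes named on this page, and the D-to-C step is implemented by clearing `FACILITY_NT_BIT` (0x10000000, from winerror.h).

```python
import re

FACILITY_NT_BIT = 0x10000000  # set when an NTSTATUS is wrapped as an HRESULT (C... shows as D...)
# Only the codes named on this page; extend from ntstatus.h / winerror.h.
KNOWN_CODES = {
    0xC00A0032: "STATUS_RDP_PROTOCOL_ERROR",
    0xC00A0006: "STATUS_CTX_CLOSE_PENDING",
    0xC00000B5: "STATUS_IO_TIMEOUT",
    0x80090304: "SEC_E_INTERNAL_ERROR",
}

def parse_words(dump):
    """Return the DWORDs of a 'Data formatted as WORDS' dump, in order."""
    dwords = []
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:\s*(.*)", line)
        if not m:
            continue  # skip blank lines and anything that is not an offset row
        for tok in m.group(1).split():
            if not re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
                raise ValueError(f"not a DWORD: {tok!r}")
            dwords.append(int(tok, 16))
    return dwords

def decode_event56(dump, description=""):
    """Decode the last DWORD of the data and pull the client IP, if present."""
    dwords = parse_words(dump)
    if not dwords:
        raise ValueError("no DWORDs found in dump")
    raw = dwords[-1]
    code = raw & ~FACILITY_NT_BIT  # D00A0032 -> C00A0032; plain HRESULTs are unchanged
    ip = re.search(r"Client IP:\s*(\d{1,3}(?:\.\d{1,3}){3})", description)
    return {
        "raw": f"{raw:08X}",
        "code": f"{code:08X}",
        "name": KNOWN_CODES.get(code, "unknown"),
        "client_ip": ip.group(1) if ip else None,
    }

# The data dump and the 2008 R2 description text shown on this page.
SAMPLE_DATA = """\
0000: 00040000 00000001 00000000 C00A0038
0008: 00000000 C00A0038 00000000 00000000
0010: 00000000 00000000 D00A0032
"""
SAMPLE_DESC = ("The Terminal Server security layer detected an error in the "
               "protocol stream and has disconnected the client. Client IP: 192.168.11.152.")

print(decode_event56(SAMPLE_DATA, SAMPLE_DESC))
```

A result of "unknown" means the code is not one of the four listed on this page and needs to be looked up in ntstatus.h or winerror.h.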