Debugging record of the ICAAPI!IcaChannelOpen and termdd!IcaCreateChannel functions: getting to know the channels in 3389
0: kd> g
20:25:42.281 892D11FC.E1788B08 TERMSRV: Enter WsxIcaIoControl, IoControlCode=17
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: FindIdleWinStation: (none found)
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: Creating IDLE WinStation
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: StartWinStationDeviceAndStack,  (LogonId=-1)
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: StartWinStationDeviceAndStack, Status = 0x0
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: CountWinstationType 6
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: Count 6
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: MaxInstanceCount -1
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10
20:25:42.281 89639DFC.E16EF2A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=14
_TcpSetNagle: Flag 0x0, Result 0x0
TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0x0
TdInBufAlloc: pInBuf=0x895f5ca0
RDPWD: New trace config for E5C01010:
RDPWD:     Class:  0
RDPWD:     Enable: 0
RDPWD:     Prefix info:
RDPWD:         None
20:25:42.296 89639DFC.E16EF2A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=49
20:25:42.296 89639DFC.E16EF2A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=18
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
0: kd> kc

ICAAPI!IcaChannelOpen
rdpwsx!MCSCreateDomain
rdpwsx!GCCConferenceInit
rdpwsx!TSrvBindStack
rdpwsx!TSrvAllocInfo
rdpwsx!TSrvStackConnect
rdpwsx!WsxIcaStackIoControl
termsrv!WsxStackIoControl
ICAAPI!_IcaStackIoControl
ICAAPI!_IcaStackWaitForIca
ICAAPI!IcaStackConnectionAccept
termsrv!TransferConnectionToIdleWinStation
termsrv!WinStationTransferThread
kernel32!BaseThreadStart
0: kd> dv
hIca = 0x00000420
Channel = Channel_Virtual (0n5)
pVirtualName = 0x70fb7e8c "MS_T120"
phChannel = 0x007f6274
TypeInfo = union _ICA_TYPE_INFO
0: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
0: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
rdpwsx!MCSCreateDomain
rdpwsx!GCCConferenceInit
rdpwsx!TSrvBindStack
rdpwsx!TSrvAllocInfo
rdpwsx!TSrvStackConnect
rdpwsx!WsxIcaStackIoControl
termsrv!WsxStackIoControl
ICAAPI!_IcaStackIoControl
ICAAPI!_IcaStackWaitForIca
ICAAPI!IcaStackConnectionAccept
termsrv!TransferConnectionToIdleWinStation
termsrv!WinStationTransferThread
kernel32!BaseThreadStart
0: kd> dv
pConnect = 0x89631648
openPacket = 0x8921c723
Irp = 0x89647a08
IrpSp = 0x89647a78
0: kd> g
_TdCancelReceiveQueue [00000000]: Endpoint 0x89620808
DeviceCancelIo [89639920]: Endpoint 0x89620808
_TdCancelReceiveQueue [89639920]: Endpoint 0x89620808
DeviceCancelIo [89639920]: Endpoint 0x89620808
_TdCancelReceiveQueue [89639920]: Endpoint 0x89620808
20:25:42.968 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:42.968 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
DeviceCancelIo [89284358]: Endpoint 0x892C6270
_TdCancelReceiveQueue [89284358]: Endpoint 0x892C6270
20:25:42.968 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:42.968 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:25:42.968 89280494.E162E070 TERMSRV: IcaStackConnectionAccept, Status=0xc00000b5
20:25:42.968 89280494.E162E070 TERMSRV: Connection attempt failed, Status [c00000b5], rc [1]
20:25:42.968 89280494.E162E070 TERMSRV: Closing Endpoint [0x000CF1F8], winsta = 0x000D01E8, Accepted = 0
20:25:42.968 89280494.E162E070 TERMSRV: _CloseEndpoint [000CF1F8] on Temporary stack
_TdiTcpSetInformation: Error 0xc0000120
_TcpSetNagle: Flag 0x0, Result 0xc0000120
TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0xc0000120
TdInBufAlloc: pInBuf=0x89631008
DeviceCancelIo [89639638]: Endpoint 0x892C6270
_TdCancelReceiveQueue [89639638]: Endpoint 0x892C6270
DeviceCancelIo [89639638]: Endpoint 0x892C6270
_TdCancelReceiveQueue [89639638]: Endpoint 0x892C6270
DeviceCancelIo [89639638]: Endpoint 0x892C6270
_TdCancelReceiveQueue [89639638]: Endpoint 0x892C6270
_TdCancelReceiveQueue [89639638]: Endpoint 0x892C6270
_TdCloseEndpoint [89639638]: 0x892C6270
DeviceCancelIo [0x89639638]: Endpoint is NULL
20:25:43.000 89280494.E162E070 TERMSRV: WinStationTerminate,  (LogonId=-1)
20:25:43.000 892F067C.E1421168 TERMSRV: TerminateThread, WaitForMultipleObjects, rc=0
20:25:43.000 892F067C.E1421168 TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=7)
20:25:43.000 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:43.000 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:25:43.000 89280494.E162E070 TERMSRV: WinStationDeleteWorker,  (LogonId=-1)
20:25:43.015 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:43.015 89280494.E162E070 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:25:43.015 89280494.E162E070 TERMSRV:   SmStopCsr on CSRSS for Session=-1 returned Status=0
20:25:46.515 892D11FC.E1788B08 TERMSRV: Enter WsxIcaIoControl, IoControlCode=17
20:25:46.515 89681CF4.E16F7938 TERMSRV: FindIdleWinStation: (none found)
20:25:46.515 89681CF4.E16F7938 TERMSRV: Creating IDLE WinStation
20:25:46.515 89681CF4.E16F7938 TERMSRV: StartWinStationDeviceAndStack,  (LogonId=-1)
20:25:46.515 89681CF4.E16F7938 TERMSRV: StartWinStationDeviceAndStack, Status = 0x0
20:25:46.515 89681CF4.E16F7938 TERMSRV: CountWinstationType 6
20:25:46.515 89681CF4.E16F7938 TERMSRV: Count 6
20:25:46.515 89681CF4.E16F7938 TERMSRV: MaxInstanceCount -1
20:25:46.515 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10
20:25:46.515 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10
20:25:46.515 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=14
_TcpSetNagle: Flag 0x0, Result 0x0
TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0x0
TdInBufAlloc: pInBuf=0x895f5360
RDPWD: New trace config for E5C04010:
RDPWD:     Class:  0
RDPWD:     Enable: 0
RDPWD:     Prefix info:
RDPWD:         None
20:25:46.515 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=49
20:25:46.515 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=18
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
rdpwsx!MCSCreateDomain
rdpwsx!GCCConferenceInit
rdpwsx!TSrvBindStack
rdpwsx!TSrvAllocInfo
rdpwsx!TSrvStackConnect
rdpwsx!WsxIcaStackIoControl
termsrv!WsxStackIoControl
ICAAPI!_IcaStackIoControl
ICAAPI!_IcaStackWaitForIca
ICAAPI!IcaStackConnectionAccept
termsrv!TransferConnectionToIdleWinStation
termsrv!WinStationTransferThread
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Virtual (0n5)
pVirtualName = 0x70fb7e8c "MS_T120"
phChannel = 0x007f2ab4
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kv
ChildEBP RetAddr  Args to Child              
b961e9e8 ba806ea9 8935ceb0 89630723 89647a08 termdd!IcaCreateChannel (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\drivers\termdd\channel.c @ 224]
b961ea14 ba8072e4 00000000 89647a78 89a98790 termdd!IcaCreate+0x1b1 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\drivers\termdd\dispatch.c @ 522]
b961ea30 80a2675c 89a98790 89647a08 89647a18 termdd!IcaDispatch+0x194 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\drivers\termdd\dispatch.c @ 190]
b961ea4c 80c75af1 89a98778 804edc6c 895fdd00 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
b961eb48 80d1d034 89a98790 00000000 895fdd48 nt!IopParseDevice+0xd7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 1317]
b961ebc4 80d16798 00000000 b961ec04 00000040 nt!ObpLookupObjectName+0x652 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 2438]
b961ec18 80c61f73 00000000 00000000 00017901 nt!ObOpenObjectByName+0x13e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obref.c @ 767]
b961ec94 80c63967 007f2ab4 c0100000 00e7e85c nt!IopCreateFile+0x44d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 5494]
b961ece0 80c670e1 007f2ab4 c0100000 00e7e85c nt!IoCreateFile+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 4788]
b961ed24 80afbcb2 007f2ab4 c0100000 00e7e85c nt!NtCreateFile+0x61 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\create.c @ 121]
b961ed24 7ffe0304 007f2ab4 c0100000 00e7e85c nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b961ed64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00e7e824 77f2eca8 74461bfc 007f2ab4 c0100000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
00e7e828 74461bfc 007f2ab4 c0100000 00e7e85c ntdll!ZwCreateFile+0xc (FPO: [11,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 435]
00e7e884 74461e3c 007f2ab4 000e6c90 00000032 ICAAPI!_IcaOpen+0x57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\icaapi\icaapi.c @ 402]
00e7e8a4 74463885 000004c0 007f2ab4 00000001 ICAAPI!_IcaStackOpen+0x76 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\icaapi\stack.c @ 1635]
00e7e8d4 70fc114b 000004c0 00000005 70fb7e8c ICAAPI!IcaChannelOpen+0x41 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\icaapi\channel.c @ 75]
00e7e904 70fc038a 000004c0 000b4c90 007f29f8 rdpwsx!MCSCreateDomain+0x9d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\rdpwsx\mcsmux\mcsapi.c @ 558]
00e7e92c 70fba94b 000004c0 000b4c90 007f29f8 rdpwsx!GCCConferenceInit+0xcd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\rdpwsx\gcc\tgcc.c @ 284]
00e7e950 70fbc609 007f29f8 70fb3bc8 77f6a8dc rdpwsx!TSrvBindStack+0x88 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\rdpwsx\rdpex\tsrvcom.c @ 923]
00e7e96c 70fbbe14 00e7e9ac 000004c0 000b4c90 rdpwsx!TSrvAllocInfo+0x62 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\rdpwsx\rdpex\tsrvinfo.c @ 284]
00e7e98c 70fbf671 000004c0 000b4c90 00e7e9ac rdpwsx!TSrvStackConnect+0x62 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\rdpwsx\rdpex\tsrvcon.c @ 195]
00e7e9b0 7489fbb8 007f2730 000004c0 000b4c90 rdpwsx!WsxIcaStackIoControl+0x315 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\rdpwsx\rdpex\tsrvwsx.c @ 1098]
00e7e9dc 744621c7 000f86a0 000b4c90 0038004b termsrv!WsxStackIoControl+0x69 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\winsta\server\wsxmgr.c @ 535]
00e7ea10 744624fd 000b4c90 0038004b 00000000 ICAAPI!_IcaStackIoControl+0x70 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\icaapi\stack.c @ 1707]
00e7f004 7446342f 000b4c90 000c7f4c 00e7f603 ICAAPI!_IcaStackWaitForIca+0x64 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\icaapi\stack.c @ 2391]
00e7f5e8 74889d05 000004c0 0000002b 000c7ec8 ICAAPI!IcaStackConnectionAccept+0x131 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\icaapi\stack.c @ 936]
00e7ff94 7488a9eb 000c7ea8 000f2e08 00000004 termsrv!TransferConnectionToIdleWinStation+0x4c8 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\winsta\server\winsta.c @ 2787]
00e7ffb8 77e41be7 000c53c8 00000000 00000000 termsrv!WinStationTransferThread+0x67 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\winsta\server\winsta.c @ 2393]
00e7ffec 00000000 7488a984 000c53c8 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
rdpwsx!MCSCreateDomain
rdpwsx!GCCConferenceInit
rdpwsx!TSrvBindStack
rdpwsx!TSrvAllocInfo
rdpwsx!TSrvStackConnect
rdpwsx!WsxIcaStackIoControl
termsrv!WsxStackIoControl
ICAAPI!_IcaStackIoControl
ICAAPI!_IcaStackWaitForIca
ICAAPI!IcaStackConnectionAccept
termsrv!TransferConnectionToIdleWinStation
termsrv!WinStationTransferThread
kernel32!BaseThreadStart
1: kd> g
RDPWD: New: ShareClass at E5B468E8, size=1392
20:25:46.546 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=19
20:25:46.546 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=20
20:25:46.546 89681CF4.E16F7938 TERMSRV: IcaStackConnectionAccept, Status=0x0
20:25:46.546 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=75
20:25:46.546 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=69
20:25:46.546 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=71
20:25:46.546 89681CF4.E16F7938 TERMSRV: Enter WsxIcaIoControl, IoControlCode=72
20:25:46.546 89681CF4.E16F7938 TERMSRV: LCProcessConnectionProtocol, LogonId=-1, Status=0x0
20:25:46.546 89681CF4.E16F7938 TERMSRV: WinStationStart,  (LogonId=-1)
GDI: VerifierInitialization: failed to get info from ntoskrnl

(s: 0 0x18c.194 smss.exe) USRK-[Wrn] *** win32k: DBCS:[0] IME:[0] MiddleEast:[0] CTFIME:[0]
Installed
Installed
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got a message
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got connection message
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WinStationLpcHandleConnectionRequest called
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WSTAPI: Creating View memory
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WSTAPI: Calling AcceptConnectPort, Accept 1
20:25:46.562 89682D5C.E1A201A8 TERMSRV: pContext 000D5620, ConnectionRequest 0244FEAC, info 0244FEC4
20:25:46.562 89682D5C.E1A201A8 TERMSRV: ViewBase 00FD0000, ViewSize 0x2000, ViewRemoteBase 00750000
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WSTAPI: Calling CompleteConnect port 000002F0
20:25:46.562 89682D5C.E1A201A8 TERMSRV: WinStation LPC Connection Accepted, Logonid 4 pContext 000D5620 Status 0x0
20:25:46.562 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:25:46.562 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:46.562 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:46.562 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:46.578 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.578 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.578 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.578 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.578 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.578 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.578 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.578 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.578 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.578 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.578 89A751FC.E1910828 TERMSRV: WinStationWaitForConnect, LogonId=4
20:25:46.578 89A751FC.E1910828 TERMSRV: WaitForConnectWorker, LogonId=4
20:25:46.578 89681CF4.E16F7938 TERMSRV: WinStationStart Subsys PID=1948 InitialProg PID=2004, Status=0x0
20:25:46.578 89681CF4.E16F7938 TERMSRV: WinStationCreateComplete,  (LogonId=4)
20:25:46.578 89681CF4.E16F7938 TERMSRV: WinStationCreateComplete,  (LogonId=4) Status = 0x0
20:25:46.578 892F067C.E1421168 TERMSRV: TerminateThread, WaitForMultipleObjects, rc=0
20:25:46.578 892F067C.E1421168 TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=9)
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Beep (0n3)
pVirtualName = 0x00000000 ""
phChannel = 0x000fba5c
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> g
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Virtual (0n5)
pVirtualName = 0x74872bec "CTXTW  "
phChannel = 0x000fba60
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> g
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Video (0n2)
pVirtualName = 0x00000000 ""
phChannel = 0x00fcf490
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
pConnect = 0x8935ceb0
openPacket = 0x892f3773
Irp = 0x89647a08
IrpSp = 0x89647a78
1: kd> g
20:25:46.640 89A751FC.E1910828 TERMSRV: WinStationOpenChannel status 0x0
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Keyboard (0n0)
pVirtualName = 0x00000000 ""
phChannel = 0x00fcf490
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
pConnect = 0x8935ceb0
openPacket = 0x892f3773
Irp = 0x89647a08
IrpSp = 0x89647a78
1: kd> g
20:25:46.656 89A751FC.E1910828 TERMSRV: WinStationOpenChannel status 0x0
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Mouse (0n1)
pVirtualName = 0x00000000 ""
phChannel = 0x00fcf490
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
pConnect = 0x8935ceb0
openPacket = 0x892f3773
Irp = 0x89647a08
IrpSp = 0x89647a78
1: kd> g
20:25:46.671 89A751FC.E1910828 TERMSRV: WinStationOpenChannel status 0x0
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Command (0n4)
pVirtualName = 0x00000000 ""
phChannel = 0x00fcf490
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!WinStationOpenChannel
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
pConnect = 0x8935ceb0
openPacket = 0x892f3773
Irp = 0x89647a08
IrpSp = 0x89647a78
1: kd> g
20:25:46.703 89A751FC.E1910828 TERMSRV: WinStationOpenChannel status 0x0
20:25:46.703 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationDoConnect, Timeout=600
20:25:46.703 89A751FC.E1910828 TERMSRV: SendWinStationCommand pCommand 00FCF464 pCommand->pMsg 00FCF5B4
20:25:46.703 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:25:46.703 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
W32WinStationDoConnect - Display resolution information for session 4 :
ProtocolType : 0002
HRes : 1920
VRes : 1080
ColorDepth : 0016
KeyboardType : 35
KeyboardSubType : 35
KeyboardFunctionKey : 5
GDI: DriverCapableOverride on \\.\DISPLAY1 is 0
GDI: DriverAccelerationLevel on \\.\DISPLAY1 is 0
RDPDD: FNCALL_HIST: FN[0] 1[1ac] 2[892f2df8] 3[892f2ca8] 4[bfa6f8e0]
GDI: Drv_Trace: CaptMatchDevmode: DEFAULT DEVMODE picked

RDPDD: FNCALL_HIST: FN[0] 1[1ac] 2[892f2df8] 3[892f2ca8] 4[bfa6f8e0]
RDPDD: FNCALL_HIST: FN[6] 1[1] 2[0] 3[bc640000] 4[e5c47d38]
RDPDD:+SHM_Init    +0053+Allocated shared memory OK(E5C5B020 -> E5C9C20B) size(0x411ec)
RDPDD: FNCALL_HIST: FN[9] 1[0] 2[0] 3[e5c47d38] 4[e5c47d38]
GDI DDML: Device 0, position 0, 0, 1920, 1080, rotation 0
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got a message
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand wait for reply
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand list entry
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationDoConnect, Status=0x0
20:25:46.765 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:46.765 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationDoConnect, Status=0x0
20:25:46.765 89A751FC.E1910828 TERMSRV: SMWinStationDoConnect 4 Status=0x0
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
0: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
nt!ZwCreateFile
rdpdr!VirtualChannel::CreateTermDD
rdpdr!VirtualChannel::Create
rdpdr!DrSession::Connect
rdpdr!DrSessionManager::OnConnect
rdpdr!DrOnSessionConnect
rdpdr!DrDevFcbXXXControlFile
rdpdr!RxXXXControlFileCallthru
rdpdr!RxCommonDevFCBIoCtl
rdpdr!RxFsdCommonDispatch
rdpdr!RxFsdDispatch
rdpdr!DrPeekDispatch
nt!IofCallDriver
nt!IopSynchronousServiceTail
nt!IopXxxControlFile
nt!NtDeviceIoControlFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwDeviceIoControlFile
kernel32!DeviceIoControl
rdpwsx!TSrvNotifyVC_0
rdpwsx!TSrvNotifyVC
rdpwsx!WsxConnect
termsrv!WaitForConnectWorker
termsrv!RpcWinStationWaitForConnect
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
0: kd> dv
pConnect = 0x8935ceb0
openPacket = 0x892d02a3
Irp = 0x8987b8f0
IrpSp = 0x8987b960
0: kd> g
20:25:46.781 89A751FC.E1910828 TERMSRV: CdmConnect 4 Status=0x0
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.796 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] GetRemoteKeyboardLayoutFromConfigData: The keyboard layout is 00000804
20:25:46.796 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.796 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.796 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.796 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.796 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.796 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:46.796 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.796 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] GetKeyboardDllName: Failed to get the library name for 00000804
20:25:46.796 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.796 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.796 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.796 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.796 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.796 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=14
20:25:46.796 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.796 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.796 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=14, Status=0xc000007c
(s: 4 0x79c.828 csrss.exe) USRK-[Wrn] ProcessDeviceChanges: KBD pDevInfo=E71EA518 has no name!
(s: 4 0x7d4.7dc winlogon.exe) USRK-[Wrn] Waiting for grpdeskRitInput to be set ...
20:25:46.875 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.875 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.875 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.875 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.875 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.875 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:46.875 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.875 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] GetRemoteKeyboardLayoutFromConfigData: The keyboard layout is 00000804
20:25:46.875 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.875 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.875 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.875 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.875 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.875 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:46.875 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.875 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] GetKeyboardDllName: Failed to get the library name for 00000804
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] no DLL name for 00000804

20:25:46.906 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:46.906 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.906 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.906 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.906 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:46.937 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.937 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.937 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.937 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.937 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:46.937 892DE684.E1765A10 RPC RpcWinStationAutoReconnect for 4
20:25:46.937 892DE684.E1765A10 RpcWinStationAutoReconnect get GET_CS_AUTORECONNECT_INFO: 0x0
20:25:46.937 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.937 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:46.937 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:46.937 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:46.937 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:46.937 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:46.937 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:46.937 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
AutoAdminLogon = 1
WINMM(p2004:t2012): Remote session protocol RDP
WINMM(p2004:t2012): Remote audio driver name rdpsnd
EXECSERVERSYSTEM: Starting ExecServerThread
00004:Ageint(1):Couldn't turn CSC ON!!!!!!!!!
20:25:47.015 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:47.031 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:47.031 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:47.031 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:47.031 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:47.046 892DE684.E1765A10 TERMSRV: WinStationSetInformation LogonId=4, Class=34
20:25:47.046 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:47.046 892DE684.E1765A10 TERMSRV: WinStationSetInformation LogonId=4, Class=34, Status=0x0
20:25:47.046 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:47.046 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:47.062 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:47.062 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:47.062 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=8
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Timeout=5
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand pCommand 00E3F76C pCommand->pMsg 00E3F7E0
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:25:47.062 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:25:47.062 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:47.062 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:47.062 892311FC.E1411830 TERMSRV: WinStationGetSMCommand wait for reply
20:25:47.062 892311FC.E1411830 TERMSRV: WinStationGetSMCommand list entry
20:25:47.062 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationThinwireStats, Status=0x0
20:25:47.062 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Status=0x0
20:25:47.062 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=8, Status=0x0
20:25:47.109 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:47.109 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:47.109 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:47.109 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:47.109 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:47.109 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:47.109 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:47.109 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
20:25:47.109 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:47.109 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:47.109 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:47.109 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:47.109 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:47.109 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:47.125 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:47.125 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:47.125 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:47.125 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:47.125 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:47.125 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:47.125 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
AutoAdminLogon = 0, IgnoreAutoAdminLogon = 0, bAutoLogon = 0
20:25:48.125 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:48.125 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:48.125 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:48.125 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:48.125 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:48.125 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:48.125 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:48.125 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
20:25:48.125 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:48.125 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:48.125 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:48.125 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:48.125 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.156 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.156 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.156 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.156 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.156 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.156 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=29
20:25:55.156 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.156 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=29, Status=0x0
524.636> Kerb-Error: LogonUser returned c000005e, 0
20:25:55.156 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.156 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.156 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.156 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.156 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.156 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:55.156 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.156 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
RegSAMUserConfig: SamQueryInformationUser returned NTSTATUS = 0x0
RegSAMUserConfig: UserParmInfo 0
UsrPropQueryUserConfig: UsrPropGetValue returned NTSTATUS = 0xc0000034
RegSAMUserConfig: RegGetUserConfigFromUserParameters returned NTSTATUS = 0xc0000034
20:25:55.171 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.171 892DE684.E1765A10 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.171 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.171 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.171 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.171 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.171 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.187 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: WinStationUpdateClientCachedCredentialsWorker, LogonId=4
20:25:55.187 892C5D9C.E170C0E8 TERMSRV: WinStationUpdateClientCachedCredentialsWorker, Status=0x0
2004.2012> GINA-Error: pTSData->HomeDir =  
20:25:55.187 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.187 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.187 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.187 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.187 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.187 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.187 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.187 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.203 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
20:25:55.203 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.203 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.203 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.203 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.203 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.203 89A751FC.E1910828 TERMSRV: WinStationSetInformation LogonId=4, Class=11
20:25:55.203 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.203 89A751FC.E1910828 TERMSRV: WinStationSetInformation LogonId=4, Class=11, Status=0x0
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=24
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.218 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=24, Status=0x0
20:25:55.218 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.218 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.218 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.218 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.218 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.218 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:55.234 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.234 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
EnumerateMatchingUsers: UserName Administrator, Domain CH-A0QHE6XJ89WE
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.234 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.234 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.234 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.234 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.234 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.234 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error
20:25:55.234 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.234 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.234 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.234 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.234 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.234 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(65536) returned no error
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.234 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error
20:25:55.234 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.250 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.250 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.250 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.250 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.250 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(2) returned no error
20:25:55.250 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.250 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.250 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.250 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(3) returned no error
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.250 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.250 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.250 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.250 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.250 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
ConnectDlgProc: ConnectDlgInit failed
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: WinStationNotifyLogon, LogonId=4
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: WinStationNotifyLogon, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.250 892C5D9C.E170C0E8 TERMSRV: WinStationNotifyLogon, Status=0x0
20:25:55.250 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.250 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.250 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.250 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.250 892DE684.E1765A10 TERMSRV: WinStationSetInformation LogonId=4, Class=21
20:25:55.250 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.250 892DE684.E1765A10 TERMSRV: WinStationSetInformation LogonId=4, Class=21, Status=0x0
20:25:55.265 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.265 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.265 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.265 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.265 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.265 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=14
20:25:55.265 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.265 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.265 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=14, Status=0x0
20:25:55.281 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.281 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.281 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.281 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.296 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.296 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.312 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.312 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.312 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.312 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.312 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.312 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:55.312 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.312 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.328 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] GetRemoteKeyboardLayoutFromConfigData: The keyboard layout is 00000804
20:25:55.359 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.359 89A751FC.E1910828 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.359 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.359 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.359 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.359 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:55.359 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.359 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] GetKeyboardDllName: Failed to get the library name for 00000804
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn] no DLL name for 00000804

(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
NLSAPI: Could NOT Open HKEY_CURRENT_USER - c00000a5.
NLSAPI: Could NOT Open HKEY_CURRENT_USER - c00000a5.
2004.2148> AUTOENRL: RegisterAutoEnrollmentProcessing exiting with error: (0x80004004)
20:25:55.546 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.546 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.546 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.546 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.546 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.546 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.562 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.562 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.562 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.562 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.562 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=8
20:25:55.562 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.562 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Timeout=5
20:25:55.562 89A751FC.E1910828 TERMSRV: SendWinStationCommand pCommand 00FCF76C pCommand->pMsg 00FCF7E0
20:25:55.562 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:25:55.562 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=3
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.562 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=3, Status=0x0
20:25:55.562 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got a message
20:25:55.562 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:55.578 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:55.578 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand wait for reply
20:25:55.578 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand list entry
20:25:55.578 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationThinwireStats, Status=0x0
20:25:55.578 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:55.578 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Status=0x0
20:25:55.578 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=8, Status=0x0
20:25:55.593 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.593 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.593 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.593 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.593 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.593 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=8
20:25:55.593 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.593 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Timeout=5
20:25:55.593 89A751FC.E1910828 TERMSRV: SendWinStationCommand pCommand 00FCF76C pCommand->pMsg 00FCF7E0
20:25:55.593 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:25:55.593 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:25:55.593 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:25:55.593 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:55.593 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:55.593 892311FC.E1411830 TERMSRV: WinStationGetSMCommand wait for reply
20:25:55.593 892311FC.E1411830 TERMSRV: WinStationGetSMCommand list entry
20:25:55.593 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationThinwireStats, Status=0x0
20:25:55.593 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:55.593 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Status=0x0
20:25:55.593 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=8, Status=0x0
[Wlballoon] - Info: Logoff event name = Local\WlballoonLogoffNotification.
WINMM(p2004:t2012): Session state changed: SESSION
WINMM(p2004:t2012): Remote session protocol RDP
WINMM(p2004:t2012): Remote audio driver name rdpsnd
20:25:55.625 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.625 892DE684.E1765A10 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.625 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.625 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.625 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.625 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.625 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.625 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: WinStationUpdateUserConfig, LogonId=4
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: RpcWinStationUpdateUserConfig, Status=0x0
CreateDirectory(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4) successful.
entering SetFileTree(pRoot=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4,pAvoidDir=(null))
20:25:55.640 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.640 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.640 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.640 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.640 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.640 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=8
20:25:55.640 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.640 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Timeout=5
20:25:55.640 89A751FC.E1910828 TERMSRV: SendWinStationCommand pCommand 00FCF76C pCommand->pMsg 00FCF7E0
20:25:55.640 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:25:55.640 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got a message
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand wait for reply
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand list entry
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationThinwireStats, Status=0x0
20:25:55.640 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:55.640 89A751FC.E1910828 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Status=0x0
20:25:55.640 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=8, Status=0x0
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=8
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Timeout=5
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand pCommand 00E3F76C pCommand->pMsg 00E3F7E0
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:25:55.640 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:25:55.640 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:25:55.640 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:25:55.640 892311FC.E1411830 TERMSRV: WinStationGetSMCommand wait for reply
20:25:55.640 892311FC.E1411830 TERMSRV: WinStationGetSMCommand list entry
20:25:55.640 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationThinwireStats, Status=0x0
20:25:55.640 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Status=0x0
20:25:55.640 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=8, Status=0x0
looking up account CH-A0QHE6XJ89WE\Administrator
leaving xxxLookupAccountName(); pSid is okay, returning TRUE.
processing file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4\
entering EnumerateDirectory(pRoot=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4,Level=0,pProc=NodeEnumProc)
FindFirstFileW: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4\*
leaving EnumerateDirectory(), return=TRUE
leaving SetFileTree()
entering SetFileTree(pRoot=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4,pAvoidDir=(null))
processing file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4\
entering EnumerateDirectory(pRoot=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4,Level=0,pProc=NodeEnumProc)
FindFirstFileW: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4\*
leaving EnumerateDirectory(), return=TRUE
leaving SetFileTree()
WINMM(p2200:t2204): Remote session protocol RDP
WINMM(p2200:t2204): Remote audio driver name rdpsnd
20:25:55.671 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
### Trace initialized (0898:089c) at 20:25:55.67 26/10/2025 ###
### Loading symbols   (0898:089c) at 20:25:55.67 26/10/2025 ###
### Symbols loaded    (0898:089c) at 20:25:55.67 26/10/2025 ###
### Process attached  (0898:089c) at 20:25:55.67 26/10/2025 ###
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.687 892C5D9C.E170C0E8 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.687 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.703 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.703 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.703 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.703 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.703 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6
20:25:55.718 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.718 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=6, Status=0x0
20:25:55.718 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.718 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.718 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.718 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.718 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.718 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.718 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.718 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.718 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.718 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.718 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.718 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.718 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.718 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.718 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:25:55.718 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.718 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.718 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.718 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.750 892DE684.E1765A10 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.750 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.750 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.750 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.750 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.750 89A751FC.E1910828 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.750 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.750 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.750 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.750 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.750 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.750 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.750 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.750 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.750 892DE684.E1765A10 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.750 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.750 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.750 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:25:55.750 89A751FC.E1910828 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.750 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.750 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.750 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:25:55.750 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=1
20:25:55.750 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:25:55.750 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=4, Class=1, Status=0x0
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:25:55.750 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
Breakpoint 0 hit
ICAAPI!IcaChannelOpen:
001b:74463844 55              push    ebp
1: kd> kc

ICAAPI!IcaChannelOpen
termsrv!RpcWinStationVirtualOpen
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> dv
hIca = 0x000004c0
Channel = Channel_Virtual (0n5)
pVirtualName = 0x006c61c0 "CLIPRDR"
phChannel = 0x00e3f8e8
TypeInfo = union _ICA_TYPE_INFO
1: kd> g
Breakpoint 1 hit
termdd!IcaCreateChannel:
ba805400 55              push    ebp
1: kd> kc

termdd!IcaCreateChannel
termdd!IcaCreate
termdd!IcaDispatch
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtCreateFile
nt!_KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwCreateFile
ICAAPI!_IcaOpen
ICAAPI!_IcaStackOpen
ICAAPI!IcaChannelOpen
termsrv!RpcWinStationVirtualOpen
RPCRT4!Invoke
RPCRT4!NdrStubCall2
RPCRT4!NdrServerCall2
RPCRT4!DispatchToStubInCNoAvrf
RPCRT4!RPC_INTERFACE::DispatchToStubWorker
RPCRT4!RPC_INTERFACE::DispatchToStub
RPCRT4!LRPC_SCALL::DealWithRequestMessage
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls
RPCRT4!RecvLotsaCallsWrapper
RPCRT4!BaseCachedThreadRoutine
RPCRT4!ThreadStartRoutine
kernel32!BaseThreadStart
1: kd> g
20:25:55.765 89A751FC.E1910828 TERMSRV: Context rundown, 000D5400
(s: 4 0x8dc.8f0 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x8dc.8f0 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x8dc.8f0 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x8dc.8f0 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x8dc.8f0 explorer.exe) USRK-[Wrn] ZOrderByOwner: Topmost change while using SWP_NOOWNERZORDER. pwndRoot:BCA7705C  pwndOriginal:BCA7705C
(s: 4 0x8dc.8f0 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x8dc.8f0 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
DeviceCancelIo [8923C6E0]: Endpoint 0x892C7EA0
_TdCancelReceiveQueue [8923C6E0]: Endpoint 0x892C7EA0
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:25:59.781 892556BC.E18A7328 TERMSRV: IcaStackConnectionAccept, Status=0xc00000b5
20:25:59.781 892556BC.E18A7328 TERMSRV: Connection attempt failed, Status [c00000b5], rc [1]
20:25:59.781 892556BC.E18A7328 TERMSRV: Closing Endpoint [0x000D5678], winsta = 0x000DBE18, Accepted = 0
20:25:59.781 892556BC.E18A7328 TERMSRV: _CloseEndpoint [000D5678] on Temporary stack
_TdiTcpSetInformation: Error 0xc0000120
_TcpSetNagle: Flag 0x0, Result 0xc0000120
TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0xc0000120
TdInBufAlloc: pInBuf=0x892329c0
DeviceCancelIo [8929E880]: Endpoint 0x892C7EA0
_TdCancelReceiveQueue [8929E880]: Endpoint 0x892C7EA0
DeviceCancelIo [8929E880]: Endpoint 0x892C7EA0
_TdCancelReceiveQueue [8929E880]: Endpoint 0x892C7EA0
DeviceCancelIo [8929E880]: Endpoint 0x892C7EA0
_TdCancelReceiveQueue [8929E880]: Endpoint 0x892C7EA0
_TdCancelReceiveQueue [8929E880]: Endpoint 0x892C7EA0
_TdCloseEndpoint [8929E880]: 0x892C7EA0
DeviceCancelIo [0x8929E880]: Endpoint is NULL
20:25:59.781 892556BC.E18A7328 TERMSRV: WinStationTerminate,  (LogonId=-1)
20:25:59.781 892F067C.E1421168 TERMSRV: TerminateThread, WaitForMultipleObjects, rc=0
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:59.781 892F067C.E1421168 TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=9)
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:25:59.781 892556BC.E18A7328 TERMSRV: WinStationDeleteWorker,  (LogonId=-1)
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:25:59.781 892556BC.E18A7328 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:25:59.781 892556BC.E18A7328 TERMSRV:   SmStopCsr on CSRSS for Session=-1 returned Status=0
20:26:01.234 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:26:01.234 89A751FC.E1910828 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:26:01.234 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:26:01.234 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:26:01.234 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:26:01.234 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:26:01.234 892C5D9C.E170C0E8 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:26:01.234 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:26:01.234 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:26:01.234 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:26:01.296 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:26:01.296 892DE684.E1765A10 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:26:01.296 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:26:01.296 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:26:01.296 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
740.1896p> Cairole: StartService ImapiService failed, error = 0x422
20:26:02.656 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:26:02.656 89A751FC.E1910828 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:26:02.656 89A751FC.E1910828 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:26:02.656 89A751FC.E1910828 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:26:02.656 89A751FC.E1910828 TERMSRV: -|--------------------------------------------|-
20:26:02.656 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=0, Class=14
20:26:02.656 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error
20:26:02.656 89A751FC.E1910828 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error
20:26:02.671 89A751FC.E1910828 TERMSRV: WinStationQueryInformation LogonId=0, Class=14, Status=0x0
(s: 4 0x8dc.8f0 explorer.exe) USRK-[Wrn] ZOrderByOwner: Topmost change while using SWP_NOOWNERZORDER. pwndRoot:BCA79FEC  pwndOriginal:BCA79FEC
20:26:13.062 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: Client SPN: CH-A0QHE6XJ89WE\Administrator
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: -|--------------------------------------------|-
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: WinStationDisconnect, LogonId=4
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: QueueWinStationDisconnect: 4
20:26:13.078 892C5D9C.E170C0E8 TERMSRV: WinStationDisconnect, Status=0x0
20:26:13.078 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.078 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got WinStationInternalDisconnect message
20:26:13.078 89682D5C.E1A201A8 TERMSRV: WinStationDisconnect, LogonId=4
20:26:13.078 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationDoDisconnect, Timeout=600
20:26:13.078 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand pCommand 0244FBE4 pCommand->pMsg 0244FCB8
20:26:13.093 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:26:13.093 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
RDPDD: FNCALL_HIST: FN[1] 1[1ac] 2[892f2df8] 3[1] 4[0]
20:26:13.093 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.093 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:26:13.093 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:26:13.093 892311FC.E1411830 TERMSRV: WinStationGetSMCommand wait for reply
20:26:13.093 892311FC.E1411830 TERMSRV: WinStationGetSMCommand list entry
20:26:13.093 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationDoDisconnect, Status=0x0
20:26:13.093 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:26:13.093 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationDoDisconnect, Status=0x0
20:26:13.109 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=SMWinStationNotify, Timeout=10
20:26:13.109 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand pCommand 0244FBE4 pCommand->pMsg 0244FCB8
20:26:13.109 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:26:13.109 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:26:13.109 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.109 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:26:13.109 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:26:13.109 892311FC.E1411830 TERMSRV: WinStationGetSMCommand wait for reply
20:26:13.109 892311FC.E1411830 TERMSRV: WinStationGetSMCommand list entry
20:26:13.109 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd SMWinStationNotify, Status=0x0
20:26:13.109 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:26:13.109 89682D5C.E1A201A8 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=SMWinStationNotify, Status=0x0
12:26:13.109+89dd5240:0000+DrSession::ReadCompletio+1147+Channel read failed 0xC0000120
12:26:13.109*89dd5240:0000*DrSession::ReadCompletio*1164*Error detected in ReadCompletion c0000120
20:26:13.109 89682D5C.E1A201A8 TERMSRV: Disconnecting - grabbing SC autoreconnect from stack
20:26:13.109 89682D5C.E1A201A8 TERMSRV: Disconnecting - got SC ARC from stack
_TdCancelReceiveQueue [00000000]: Endpoint 0x89620008
DeviceCancelIo [89284370]: Endpoint 0x89620008
_TdCancelReceiveQueue [89284370]: Endpoint 0x89620008
DeviceCancelIo [89284370]: Endpoint 0x89620008
_TdCancelReceiveQueue [89284370]: Endpoint 0x89620008

20:26:13.109 89682D5C.E1A201A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=15
20:26:13.109 8929F1FC.E1962820 TERMSRV: WinStation LPC Service Thread got a message
DeviceCancelIo [89284370]: Endpoint 0x89620008
_TdCancelReceiveQueue [89284370]: Endpoint 0x89620008
_TdCancelReceiveQueue [89284370]: Endpoint 0x89620008
_TdCloseEndpoint [89284370]: 0x89620008
20:26:13.109 89682D5C.E1A201A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
RDPWD: Delete: Free memory at E5B468E8
20:26:13.109 8929F1FC.E1962820 TERMSRV: WinStation LPC Service Thread got connection message
20:26:13.109 8929F1FC.E1962820 TERMSRV: WinStationLpcHandleConnectionRequest called
20:26:13.109 8929F1FC.E1962820 TERMSRV: WSTAPI: Creating View memory
20:26:13.109 8929F1FC.E1962820 TERMSRV: WSTAPI: Calling AcceptConnectPort, Accept 1
20:26:13.109 8929F1FC.E1962820 TERMSRV: pContext 000DBE18, ConnectionRequest 00E7FEAC, info 00E7FEC4
20:26:13.109 8929F1FC.E1962820 TERMSRV: ViewBase 00ED0000, ViewSize 0x2000, ViewRemoteBase 00E50000
20:26:13.109 89682D5C.E1A201A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:26:13.109 8929F1FC.E1962820 TERMSRV: WSTAPI: Calling CompleteConnect port 000005A4
20:26:13.109 8929F1FC.E1962820 TERMSRV: WinStation LPC Connection Accepted, Logonid 4 pContext 000DBE18 Status 0x0
20:26:13.109 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
DeviceCancelIo [0x89284370]: Endpoint is NULL
20:26:13.109 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationBrokenConnection message
20:26:13.109 892311FC.E1411830 TERMSRV: WinStationBrokenConnection, LogonId=4, Reason=1
20:26:13.109 89682D5C.E1A201A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
2200.2204p> LE: WARNING: Caller not clipboard owner
20:26:13.109 89682D5C.E1A201A8 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
(s: 4 0x898.89c rdpclip.exe) USRK-[Wrn=1418] xxxCloseClipboard not open
20:26:13.10*0898:089c*CBMSendToCli*1764*Write failed, 0x57
20:26:13.10*0898:08d4*CBMDataThrea*0920*GetOverlappedResult failed 995
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
(s: 4 0x7d4.7dc winlogon.exe) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1
20:26:13.109 89682D5C.E1A201A8 TERMSRV: WinStationDoDisconnect, rc=0x0
20:26:13.125 89682D5C.E1A201A8 TERMSRV: WinStationDisconnect, Status=0x0
20:26:13.125 89682D5C.E1A201A8 TERMSRV: WinStationDisconnect, Status=0x0
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationSendWindowMessage, Timeout=0
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand - WinStation LPC IDLE, process now
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, sending cmd
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationSendWindowMessage, Status=0x0
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationSendWindowMessage, Timeout=0
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationSendWindowMessage, Status=0x0
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationSendWindowMessage, Timeout=0
20:26:13.125 892D5E0C.E17F0BF0 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationSendWindowMessage, Status=0x0
20:26:13.125 8929F1FC.E1962820 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.125 8929F1FC.E1962820 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:26:13.125 8929F1FC.E1962820 TERMSRV: WinStationGetSMCommand, LogonId=4
20:26:13.125 8929F1FC.E1962820 TERMSRV: WinStationGetSMCommand, LogonId=4, sending next cmd
20:26:13.125 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:26:13.125 892DE684.E1765A10 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM
20:26:13.125 892DE684.E1765A10 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY
20:26:13.125 892DE684.E1765A10 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT
20:26:13.125 892DE684.E1765A10 TERMSRV: -|--------------------------------------------|-
20:26:13.125 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=8
20:26:13.125 892DE684.E1765A10 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(4) returned no error
20:26:13.125 8929EF7C.E1A343D8 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.125 8929EF7C.E1A343D8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:26:13.125 8929EF7C.E1A343D8 TERMSRV: WinStationGetSMCommand, LogonId=4
20:26:13.125 892DE684.E1765A10 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Timeout=5
20:26:13.125 892DE684.E1765A10 TERMSRV: SendWinStationCommand pCommand 00C2F76C pCommand->pMsg 00C2F7E0
20:26:13.125 892DE684.E1765A10 TERMSRV: SendWinStationCommand, LogonId=4, waiting for response
20:26:13.125 8929EF7C.E1A343D8 TERMSRV: WinStationGetSMCommand, LogonId=4, sending next cmd
20:26:13.125 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.125 89682D5C.E1A201A8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:26:13.125 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4
20:26:13.125 89682D5C.E1A201A8 TERMSRV: WinStationGetSMCommand, LogonId=4, sending next cmd
20:26:13.125 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got a message
20:26:13.125 892311FC.E1411830 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message
20:26:13.125 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4
20:26:13.125 892311FC.E1411830 TERMSRV: WinStationGetSMCommand wait for reply
20:26:13.125 892311FC.E1411830 TERMSRV: WinStationGetSMCommand list entry
20:26:13.125 892311FC.E1411830 TERMSRV: WinStationGetSMCommand, LogonId=4, Reply for Cmd WinStationThinwireStats, Status=0x0
20:26:13.125 892311FC.E1411830 TERMSRV: WinStationGetSMCommand queue empty port 000002F0
20:26:13.125 892DE684.E1765A10 TERMSRV: SendWinStationCommand, LogonId=4, Cmd=WinStationThinwireStats, Status=0x0
20:26:13.125 892DE684.E1765A10 TERMSRV: WinStationQueryInformation LogonId=4, Class=8, Status=0x0
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
DeviceCancelIo [8987C240]: Endpoint 0x892C7940
_TdCancelReceiveQueue [8987C240]: Endpoint 0x892C7940
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:26:14.640 89A759DC.E1893230 TERMSRV: IcaStackConnectionAccept, Status=0xc00000b5
20:26:14.640 89A759DC.E1893230 TERMSRV: Connection attempt failed, Status [c00000b5], rc [1]
20:26:14.640 89A759DC.E1893230 TERMSRV: Closing Endpoint [0x000E12A8], winsta = 0x000E78C8, Accepted = 0
20:26:14.640 89A759DC.E1893230 TERMSRV: _CloseEndpoint [000E12A8] on Temporary stack
_TdiTcpSetInformation: Error 0xc0000120
_TcpSetNagle: Flag 0x0, Result 0xc0000120
TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0xc0000120
TdInBufAlloc: pInBuf=0x895f5378
DeviceCancelIo [89232008]: Endpoint 0x892C7940
_TdCancelReceiveQueue [89232008]: Endpoint 0x892C7940
DeviceCancelIo [89232008]: Endpoint 0x892C7940
_TdCancelReceiveQueue [89232008]: Endpoint 0x892C7940
DeviceCancelIo [89232008]: Endpoint 0x892C7940
_TdCancelReceiveQueue [89232008]: Endpoint 0x892C7940
_TdCancelReceiveQueue [89232008]: Endpoint 0x892C7940
_TdCloseEndpoint [89232008]: 0x892C7940
DeviceCancelIo [0x89232008]: Endpoint is NULL
20:26:14.640 89A759DC.E1893230 TERMSRV: WinStationTerminate,  (LogonId=-1)
20:26:14.640 892F067C.E1421168 TERMSRV: TerminateThread, WaitForMultipleObjects, rc=0
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:26:14.640 892F067C.E1421168 TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=9)
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:26:14.640 89A759DC.E1893230 TERMSRV: WinStationDeleteWorker,  (LogonId=-1)
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=11
20:26:14.640 89A759DC.E1893230 TERMSRV: Enter WsxIcaIoControl, IoControlCode=37
20:26:14.640 89A759DC.E1893230 TERMSRV:   SmStopCsr on CSRSS for Session=-1 returned Status=0
Break instruction exception - code 80000003 (first chance)
