The Curious Case of Event ID: 56 with Source TermDD

Hi folks! It’s been a long time since I wrote the Terminal Services and Graphically Intensive Applications post. Today’s post is a short one: a curious case of Event ID 56 on Windows Server 2008/R2 with the Remote Desktop Services role installed. Clients were being disconnected by the server, and the following error was logged:

Log Name:      System
Source:        TermDD
Event ID:      56
Level:         Error
Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="TermDD" />
    <EventID Qualifiers="49162">56</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="" />
    <EventRecordID></EventRecordID>
    <Channel>System</Channel>
    <Computer> </Computer>
    <Security />
  </System>
  <EventData>
    <Data>\Device\Termdd</Data>
    <Data></Data>
    <Binary>00000400010000000000000038000AC00000000038000AC000000000000000000000000000000000840100D0</Binary>
  </EventData>
</Event>

This happened under heavy traffic to the server combined with large client packets (i.e. a lot of input activity on the client). The data stream gets corrupted and the TS server disconnects the client.

To track this down, I looked at the binary data attached to the event. The last DWORD of that data is the error code, stored as an HRESULT.

For example if you have the following binary data attached to the event…

<Binary>00000400010000000000000038000AC00000000038000AC000000000000000000000000000000000840100D0</Binary>

…we first take the last 4 bytes: 840100D0.

Next, reverse the byte order to get a readable code. You don’t reverse the whole string; you reverse the order of the byte pairs, because the DWORD is stored little-endian. So D0 moves to the front, followed by 00, then 01, then 84, giving D0000184. To make it even messier, the leading D is an artefact of converting an NTSTATUS into an HRESULT: HRESULT_FROM_NT sets bit 28 (FACILITY_NT_BIT, 0x10000000), which turns the C of an NTSTATUS error into a D (a native HRESULT error would normally start with 8). Clearing that bit, i.e. replacing the D with a C, recovers the original NTSTATUS.

We now have the NTSTATUS error C0000184. Looking it up with a tool such as Err.exe gives STATUS_INVALID_DEVICE_STATE.

This most likely indicates that the server was trying to send data to the client after the connection had already been broken. It does not tell us why the connection broke. Other codes you may find in the same position are more informative:

C00000B5 - STATUS_IO_TIMEOUT - the connection has timed out.

C000006F - STATUS_INVALID_LOGON_HOURS - the user account has logon-hour restrictions and may not log on at this time.

80090330 - SEC_E_DECRYPT_FAILURE - the data on the wire got corrupted. Note that this one is a genuine HRESULT from winerror.h rather than a wrapped NTSTATUS, so after the byte swap it reads 80090330 as-is and no D-to-C replacement applies.
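Here is that decoding as an added worked example in Python (my code, written for this page; it is not from the original post and not a Microsoft tool). It pulls the <Binary> payload out of the Event XML shown above, reads the trailing DWORD little-endian, clears FACILITY_NT_BIT where HRESULT_FROM_NT set it, and names the result. The name table holds only the codes quoted on this page, so anything else still needs Err.exe; the sample XML is the event from this post with the empty fields trimmed.

```python
import re
import struct

# Sample Event XML, copied from the TermDD Event 56 shown in this post
# (the blank timestamp/computer fields of the original are omitted).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="TermDD" />
    <EventID Qualifiers="49162">56</EventID>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data>\\Device\\Termdd</Data>
    <Data></Data>
    <Binary>00000400010000000000000038000AC00000000038000AC000000000000000000000000000000000840100D0</Binary>
  </EventData>
</Event>"""

# Bit that HRESULT_FROM_NT() sets when it wraps an NTSTATUS in an HRESULT.
FACILITY_NT_BIT = 0x10000000

# Names for the codes quoted in this post only; anything else needs Err.exe.
KNOWN_CODES = {
    0xC0000184: "STATUS_INVALID_DEVICE_STATE",
    0xC00000B5: "STATUS_IO_TIMEOUT",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC00A0006: "STATUS_CTX_CLOSE_PENDING",
    0x80090330: "SEC_E_DECRYPT_FAILURE",
}


def binary_from_event_xml(event_xml: str) -> bytes:
    """Extract the <Binary> hex payload from rendered Event XML."""
    match = re.search(r"<Binary>([0-9A-Fa-f]+)</Binary>", event_xml)
    if match is None:
        raise ValueError("event XML carries no <Binary> element")
    return bytes.fromhex(match.group(1))


def decode_termdd_status(binary: bytes) -> dict:
    """Decode the last DWORD of TermDD Event 56 binary data.

    The DWORD is stored little-endian, so the bytes 84 01 00 D0 read as
    0xD0000184.  If FACILITY_NT_BIT is set, the value is an NTSTATUS that
    HRESULT_FROM_NT() wrapped; clearing the bit (D -> C in the top nibble)
    recovers the NTSTATUS.  Otherwise the value is looked up as logged,
    which covers genuine HRESULTs such as SEC_E_DECRYPT_FAILURE.
    """
    if len(binary) < 4:
        raise ValueError("binary data is shorter than one DWORD")
    (raw,) = struct.unpack_from("<I", binary, len(binary) - 4)
    if raw & FACILITY_NT_BIT:
        code = raw & ~FACILITY_NT_BIT & 0xFFFFFFFF
        kind = "NTSTATUS (unwrapped from HRESULT)"
    else:
        code = raw
        kind = "HRESULT (as logged)"
    return {
        "raw": raw,
        "code": code,
        "kind": kind,
        "name": KNOWN_CODES.get(code, "unknown - look up with Err.exe"),
    }


def describe_event(event_xml: str) -> str:
    """One-line summary: raw DWORD, recovered code, and symbolic name."""
    info = decode_termdd_status(binary_from_event_xml(event_xml))
    return "raw 0x{raw:08X} -> {kind} 0x{code:08X} {name}".format(**info)


if __name__ == "__main__":
    print(describe_event(EVENT_XML))
    # raw 0xD0000184 -> NTSTATUS (unwrapped from HRESULT) 0xC0000184 STATUS_INVALID_DEVICE_STATE
```

On a live server you would feed it the XML from Event Viewer’s Details tab (or the rendered event from Get-WinEvent) instead of the embedded sample; the decode step is the same either way.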

To decipher the codes, you can download Err.exe from:

http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en

See also KB 113996, INFO: Mapping NT Status Error Codes to Win32 Error Codes:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;113996

Another way to troubleshoot this, aimed more at the driver development community, is to use the Windows Software Trace Preprocessor (WPP) to trace the driver’s operation. WPP builds on WMI event tracing by adding conventions and mechanisms that simplify tracing a driver; it is an efficient mechanism for user-mode applications and kernel-mode drivers to log real-time binary messages, which can later be converted into a human-readable trace of the driver’s operation.

http://msdn.microsoft.com/en-us/library/ms793164.aspx

For the protocol details, message syntax and code references you can review:

[MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification

http://msdn.microsoft.com/en-us/library/cc240445(PROT.10).aspx

or in PDF format:

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-RDPBCGR%5D.pdf

That’s all for now…Until next time, take care and happy reading!

Subheet Rastogi

Comments
  • We see this exact same error (840100D0) on our TS 2008 R2 from time to time.

    Is there a way I can prevent this error from occurring?

  • Do you have the full list of all error codes?

  • I get this error when trying to remote control a session on two 2008 TS servers. Any ideas?

  • This error appears with an IP address... when I look up the IP address it shows as originating somewhere outside Wichita, Kansas.... we are in Montana.... Should I be worried that data is being sent to this IP address, i.e., a hacker?

  • I get this error description. Can you help me resolve this error?

    c:\Err>err C00A0006
    # for hex 0xc00a0006 / decimal -1073086458 :
      STATUS_CTX_CLOSE_PENDING                                      ntstatus.h
    # A close operation is pending on the Terminal Connection.
    # 1 matches found for "C00A0006"

    c:\Err>err C00000B5
    # for hex 0xc00000b5 / decimal -1073741643 :
      STATUS_IO_TIMEOUT                                             ntstatus.h
    # {Device Timeout}
    # The specified I/O operation on %hs was not completed before
    # the time-out period expired.
    # 1 matches found for "C00000B5"