none
Remote desktop services crashes

    Question

  • Hi!

    I first ran an upgrade of an 2016 to 2019. And after a while RDS started to crash. I cursed the upgrade god and did a clean installation. Same result. After a while running in session host mode RDS starts to crash and all sessions gets disconnected.

    In the eventlog I see: 

    Faulting application name: svchost.exe_termservice, version 10.0.17763.1

    Faulting module name: rdpbase.dll, version: 10.0.17763.1

    I see some crashes with:

    Faulting module name: ntdll.dll, version: 10.0.17763.1

    and

    Faulting module name: umb.dll, version: 10.0.17763.1

    Server is fully patched 2018-12-14

    Friday, December 14, 2018 7:48 AM

Answers

  • Hi Harmankardon,

    I stumbled across the following and it seems to have resolved the issue for my environment:

    https://techcommunity.microsoft.com/t5/Windows-10/Windows-10-Version-1809-Remote-Desktop-Connection-not-working/td-p/267135

    "

    To disable UDP on client machine:
    Open gpedit and navigate to computer configuration\Admin Templates\ Windows Components\Remote Desktop Services\ Remote Desktop Connection Client
    Enable Turn Off UDP On Client apply. REBOOT and try connecting again.

    "

    While they suggest changing the setting on the client, I made the modification on the RDS server itself.

    Disabling UDP from the server itself:
    Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections
      • Select RDP transport protocols
      • Use only TCP

    Reboot the server for the changes to take effect.

    To note, I did first test the client side disabling of UDP transport and that did work as well. But in this case, I thought making the server side change was more efficient.

    Hopefully this is able to help you!

    • Marked as answer by Harmankardon Friday, January 11, 2019 11:20 AM
    Thursday, January 10, 2019 9:34 PM

All replies

  • I advise that you collect a crash dump so they (or we) know where to look for. It's more valuable than simple WER metadata.

    Paste contents of the file below into a text file, and click file menu > 'Save As' > name it crashcatch.reg.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\svchost.exe]
    "DumpCount"=dword:00000002
    "DumpFolder"=hex(2):63,00,3a,00,5c,00,64,00,75,00,6d,00,70,00,73,00,00,00
    "DumpType"=dword:00000001

    Locate the file where you saved said .reg file at, double-click it, and confirm to merge it into your registry.

    Now, every time the culprit process crashes, it will forcibly generate a crashdump and store it in C:/dumps.

    Let it crash again/wait for it to happen, collect the .dmp file, and upload & offer it in this thread.

    Alternatively, debug it yourself in an application like WinDbg or Visual studio, with symbols (PDB) from the MS symbol store, so that you can help them a step ahead in diagnosing the problem, by providing them a proper stack-trace of the crashing process. If you debug it yourself, also sharing the original .dmp file is still recommended.

    If opening the crash dump allows other Technet members to understand the cause isn't RDS but someting else on your systems, then aided by the details from the dump they may be able to provide instructions in how to resolve your problem.



    • Edited by Marcel S T Monday, December 17, 2018 3:51 AM
    Monday, December 17, 2018 3:49 AM
  • Hi!
    I have found a reason for the crashes. It is connected to one user. And from a specific computer. I guess it has something to do with the graphics driver on that computer. We created a new user for him but still same error.

    Windbg shows:

    The stored exception information can be accessed via .ecxr. (2910.15f8): Unknown exception - code c0000374 (first/second chance not available) For analysis of this file, run !analyze -v ntdll!NtWaitForMultipleObjects+0x14: 00007ffa`205301b4 c3 ret

    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 00007ffa2058af49 (ntdll!RtlReportFatalFailure+0x0000000000000009)
       ExceptionCode: c0000374
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 00007ffa205f27f0


    PROCESS_NAME:  svchost.exe


    ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.


    EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    BUGCHECK_STR:  SVCHOSTGROUP_termsvcs_HEAP_CORRUPTION
    DEFAULT_BUCKET_ID:  SVCHOSTGROUP_termsvcs_HEAP_CORRUPTION
    PRIMARY_PROBLEM_CLASS:  SVCHOSTGROUP_termsvcs_HEAP_CORRUPTION

    SYMBOL_NAME:  rdpserverbase!operator new+23
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: RDPSERVERBASE
    IMAGE_NAME:  RDPSERVERBASE.dll
    DEBUG_FLR_IMAGE_TIMESTAMP:  78beef39
    STACK_COMMAND:  ~37s ; .ecxr ; kb
    BUCKET_ID:  SVCHOSTGROUP_termsvcs_HEAP_CORRUPTION_rdpserverbase!operator_new+23

    FAILURE_ID_HASH_STRING:  um:svchostgroup_termsvcs_heap_corruption_c0000374_rdpserverbase.dll!operator_new


    Wednesday, December 19, 2018 9:52 AM
  • Please use !analyze -v -f instead, and also show me the full registers (with .ecxr). Preferably upload the full dump file somewhere, so that threads and frame stacks are also reviewable. As i see you're not new to it, you could also use an application such as IDA Pro, open the loaded (involved) modules (like svchost and termsvcs) and its associated debugging symbols from the MS symbols server, and step through each address found in the exception traces to decompile it; based on what that code seems to be doing if you can make sense of the pseudocode (F5 on IDA after selecting address or associated asm line), you can get a rough idea of what it was doing exactly when it crashed because of knowing where that piece of code was responsible for.. without having source access to Microsoft components.

    Unfortunately, heap corruption is often non-specific and very hard to debug, not even neccesarily a hardware or driver issue (can also be a result of true software bugs). Anything else like your exception code isn't either a guarantee for it to be a faulty driver or anything like that.

    If you attach the crash dump, MS engineers may also be able to use it in case they think the issue not bound to you individually.

    • Edited by Marcel S T Thursday, December 20, 2018 12:54 PM
    Thursday, December 20, 2018 12:48 PM
  • We have used a workaround to solve the problem. The user got a new computer and everything works fine. Probably something that was messed up on his old computer that made Terminal services crash on the server.
    Thursday, December 20, 2018 12:52 PM
  • We have used a workaround to solve the problem. The user got a new computer and everything works fine. Probably something that was messed up on his old computer that made Terminal services crash on the server.

    Possibly, although it may also have been some system-bound factor that led a bug in the service to expose itself, as Windows is an ecosystem.

    Glad that you solved it after all

    Thursday, December 20, 2018 12:57 PM
  • We are having the same issue with Server 2019 terminal services crashing.  Have loaded all the windows updates on the server but the problem continues.  I also expect it is a particular user/computer.  Have a lot of users on the server in a remote location.  Were you able to identify the computer from a log or just by observation?
    Thursday, December 20, 2018 3:17 PM
  • We found it via observation. There were not a many users on that server so we could pinpoint the user.

    But if you check for the faulting application error in the application log and compare that timestamp with timestamps in the Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

    Check for the "Begin session arbitration" (eventid 41) and "Remote Desktop Services: Session logon succeeded:" (eventid 21) that happens before you get a bunch of "Session 28 has been disconnected, reason code 1067" (eventid 40) and "Remote Desktop Services: Session has been disconnected:" (eventid 24).

    Friday, December 21, 2018 8:55 AM
  • We see the same problem. Try to connect via RDP from Windows Server 2019 also W10 trought the Connection Broker and the same dlls crash's serveral. The connection "bounce" and then we see for a few seconds the logon screen an then the session tries to reconnect. We installed W2019 Terminalserverfarm, wildcard certificate, everything ist ok.. but we can't login.

    Any ideas?

    Friday, December 21, 2018 9:18 AM
  • Any ideas?

    I doubt it, because I believe all we can do is wait for the right person to notice it and forward it to Microsoft engineers. Just like we'll be waiting that for the other annoying, confirmed bug at Issue connecting to RDP (only Win10 1809 > Windows Server 2019 (check my profile, can't add links) topic.

    But I doubt that will happen any time soon, because it seems MSFT's are inactive on this subforum and so are MS personnel. There's just general inactivity, on a forum that belongs to a product that has recently launched (Server 2019) which is awkward. Users cannot resolve bugs introduced by advising eachother..


    • Edited by Marcel S T Friday, December 21, 2018 1:04 PM
    Friday, December 21, 2018 1:03 PM
  • You can provide feedback over here on uservoice.

    https://windowsserver.uservoice.com/forums/301872-remote-desktop-services

    or also ask for help in dedicated RDS forum here.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, December 21, 2018 1:29 PM
    Owner
  • Hi Harmankardon,

    I stumbled across the following and it seems to have resolved the issue for my environment:

    https://techcommunity.microsoft.com/t5/Windows-10/Windows-10-Version-1809-Remote-Desktop-Connection-not-working/td-p/267135

    "

    To disable UDP on client machine:
    Open gpedit and navigate to computer configuration\Admin Templates\ Windows Components\Remote Desktop Services\ Remote Desktop Connection Client
    Enable Turn Off UDP On Client apply. REBOOT and try connecting again.

    "

    While they suggest changing the setting on the client, I made the modification on the RDS server itself.

    Disabling UDP from the server itself:
    Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections
      • Select RDP transport protocols
      • Use only TCP

    Reboot the server for the changes to take effect.

    To note, I did first test the client side disabling of UDP transport and that did work as well. But in this case, I thought making the server side change was more efficient.

    Hopefully this is able to help you!

    • Marked as answer by Harmankardon Friday, January 11, 2019 11:20 AM
    Thursday, January 10, 2019 9:34 PM
  • Worked in our setup as well.
    Friday, January 11, 2019 11:21 AM
  • The same problem after in-place upgrade Connection Broker from 2013 to 2019 version - service  crushed after connecting to broker from Windows 10 Ent 2019 and Windows 7 SP1.

    Faulting application name: svchost.exe_TermService, version: 10.0.17763.1, time stamp: 0xb900eeff
    Faulting module name: RDPBASE.dll, version: 10.0.17763.1, time stamp: 0x2e058d64
    Exception code: 0xc0000005
    Fault offset: 0x00000000000de496
    Faulting process id: 0xf04
    Faulting application start time: 0x01d4bc40fa908148
    Faulting application path: C:\WINDOWS\System32\svchost.exe
    Faulting module path: C:\WINDOWS\system32\RDPBASE.dll
    Report Id: 045e21ce-373b-402e-bad2-aca8a3af462d
    Faulting package full name: 
    Faulting package-relative application ID: 

    Disabling UPD on Broker helps for connections from Windows 10. Connection from Windows 7 still crush service on Broker.

    Log Name:      Application
    Source:        Application Error
    Date:          04.02.2019 9:21:40
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      rdcb1
    Description:
    Faulting application name: svchost.exe_TermService, version: 10.0.17763.1, time stamp: 0xb900eeff
    Faulting module name: RDPBASE.dll, version: 10.0.17763.1, time stamp: 0x2e058d64
    Exception code: 0xc0000005
    Fault offset: 0x00000000000de496
    Faulting process id: 0xf04
    Faulting application start time: 0x01d4bc40fa908148
    Faulting application path: C:\WINDOWS\System32\svchost.exe
    Faulting module path: C:\WINDOWS\system32\RDPBASE.dll
    Report Id: 045e21ce-373b-402e-bad2-aca8a3af462d
    Faulting package full name: 
    Faulting package-relative application ID: 
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2019-02-04T04:21:40.086665100Z" />
        <EventRecordID>2864</EventRecordID>
        <Channel>Application</Channel>
        <Computer>rdcb1</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_TermService</Data>
        <Data>10.0.17763.1</Data>
        <Data>b900eeff</Data>
        <Data>RDPBASE.dll</Data>
        <Data>10.0.17763.1</Data>
        <Data>2e058d64</Data>
        <Data>c0000005</Data>
        <Data>00000000000de496</Data>
        <Data>f04</Data>
        <Data>01d4bc40fa908148</Data>
        <Data>C:\WINDOWS\System32\svchost.exe</Data>
        <Data>C:\WINDOWS\system32\RDPBASE.dll</Data>
        <Data>045e21ce-373b-402e-bad2-aca8a3af462d</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Application Error
    Date:          04.02.2019 9:48:10
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      rdcb1
    Description:
    Faulting application name: svchost.exe_TermService, version: 10.0.17763.1, time stamp: 0xb900eeff
    Faulting module name: ntdll.dll, version: 10.0.17763.1, time stamp: 0xa369e897
    Exception code: 0xc0000374
    Fault offset: 0x00000000000fb349
    Faulting process id: 0x1a64
    Faulting application start time: 0x01d4bc421689ed0b
    Faulting application path: C:\WINDOWS\System32\svchost.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
    Report Id: 3dd20b15-d2e1-48b5-ab57-cf1cb821eb1b
    Faulting package full name: 
    Faulting package-relative application ID: 
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2019-02-04T04:48:10.524513800Z" />
        <EventRecordID>3268</EventRecordID>
        <Channel>Application</Channel>
        <Computer>rdcb1</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_TermService</Data>
        <Data>10.0.17763.1</Data>
        <Data>b900eeff</Data>
        <Data>ntdll.dll</Data>
        <Data>10.0.17763.1</Data>
        <Data>a369e897</Data>
        <Data>c0000374</Data>
        <Data>00000000000fb349</Data>
        <Data>1a64</Data>
        <Data>01d4bc421689ed0b</Data>
        <Data>C:\WINDOWS\System32\svchost.exe</Data>
        <Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
        <Data>3dd20b15-d2e1-48b5-ab57-cf1cb821eb1b</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>


    Сазонов Илья

    https://isazonov.wordpress.com/





    Monday, February 4, 2019 4:47 AM