none
Vista Business 64bit: Remote Desktop issue RRS feed

  • Question

  • I have a user with a brand new Dell Precision T5400 desktop PC (2.66GHz Xeon Quad core, 8GB ram, raptor HDD, (2) nVidia Quadro FX570 video cards). The system is on the domain in the correct OU; The system is running smoothly on the Dell-bundled Vista biz 64bit OS however, when I try to Remote-in from another system on the domain I get the message: Remote Desktop is disconnected . I've seen it before, no big deal. The catch is that the Vista 64bit system gets this message: Windows has encountered a critical problem and will restart automatically in one minute. This message appears anytime I try remoting-in from a domain PC. I tried connecting from home using VPN and Remote Desktop (on my MacBook!) and it connected just fine for hours at a time with no interruption of service. Before I linked the "windows has encountered a critical problem and will restart automatically in one minute" error message with Remote Desktop activity I rebuilt the system thinking that it was a botched install. I checked all network settings, RPC, TS, etc. is started (automatically).

    Anyone have any experience with this phenomenon?
    Monday, May 11, 2009 4:47 PM

Answers

  • Lookie what I found:

    Thanks for the update with the event log which shows that the crash occurred due to an access violation exception generated in ncrypt.dll.  Also, I'd like to inform you that this should be a disk based corruption of the dll.

     

    To fix the issue, we can replace the file with a good copy by following these steps:

    1. At an elevated command prompt, type the following command, and then press ENTER:

    takeown /f c:\windows\system32\ncrypt.dll


    2. Type the following command, and then press ENTER to grant administrators full access to the file:


    icacls c:\windows\system32\ncrypt.dll /grant administrators:F


    3. Type the following command to replace the file with a known good copy of the file (from a retail build of windows):

    copy c:\temp\ncrypt.dll c:\windows\system32\ncrypt.dll

     

     

    Hope this helps!


    Sean Zhu - MSFT



    **I will try this first thing tomorrow morning and post my results. But it sure does sound promising.

    Source:
    http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/aa11369e-537e-4907-ab55-7a9687cdfaa7/
    Friday, May 22, 2009 4:48 AM

All replies

  • I am having the same problem. Incoming RDP connections crash my PC.  Any info on this would be great! I have found forum threads with people experiencing the same issue and it looks like everyone that is having this problem is using Vista Business 64-bit.

    Dell Precision T5400
    Xeon E5405
    8GB RAM
    Nvidia Quadro FX 570
    Vista Business 64-bit

    This is the error I am receiving in my event viewer:

    Reason Code: 0x50006

    Shutdown Type: restart

    Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. The system will now shut down and restart.

    Monday, May 18, 2009 5:04 PM
  • OrangeBeard177, protodev,

    Do you guys have some other events in your event viewer about applications or services that crash?
    Can you post this events here?

    Kind Regards
    DFT
    Tuesday, May 19, 2009 9:16 AM
  • Log Name:      System
    Source:        USER32
    Date:          5/18/2009 2:09:49 PM
    Event ID:      1074
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      XXXX
    Description:
    The process wininit.exe has initiated the restart of computer XXXX on behalf of user  for the following reason: No title for this reason could be found
     Reason Code: 0x50006
     Shutdown Type: restart
     Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255.  The system will now shut down and restart.




    Log Name:      System
    Source:        TermDD
    Date:          5/18/2009 1:16:42 PM
    Event ID:      50
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXX
    Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.




    Log Name:      System
    Source:        LsaSrv
    Date:          5/18/2009 1:16:39 PM
    Event ID:      5000
    Task Category: (1)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXX
    Description:
    The security package Schannel generated an exception. The exception information is the data.



    Log Name:      System
    Source:        Microsoft-Windows-Bits-Client
    Date:          5/11/2009 12:35:06 PM
    Event ID:      16392
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      XXXX
    Description:
    The BITS service failed to start.  Error 2147943515.



     

    Tuesday, May 19, 2009 1:20 PM
  • protodev,

    The following procedure helped some people to resolve the "The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client." problem.

    1. Use Regedit to navigate to:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServices\Parameters.
    2. Use the Registry menu to Export Registry File to a TSParameters.reg file, incase you have to restore the entries that you delete in step 3.
    3. Right-click each of the following and press Delete and Yes to confirm:
    Certificate
    X509 Certificate (if exists)
    X509 Certificate ID
    (if exists)
    4. Exit Regedit.
    5. Reboot your machine.


    IF this doesn't help you do you have any Single Sign On (SSO) software installed? (e.g.: HP Protect Tools, ...)
    What is the result of  this command: tasklist /m /fi "imagename eq lsass.exe"

    Kind Regards
    DFT

    • Proposed as answer by daft Tuesday, May 19, 2009 2:54 PM
    Tuesday, May 19, 2009 2:54 PM
  • daft -

    None of those Certificate keys existed in the Parameters branch. 

    There are 3 keys in the Parameters branch: (Default), ServiceDll, and ServiceDllUnloadOnStop. 

    (I assume that may be a Windows XP key as my Windows XP machine has the Certificate key.) 

    I do not have any SSO software installed. This problem occurs on a fresh install of Vista Business x64. 

    I ran the tasklist command and these are the results: 


    H:\>tasklist /m /fi "imagename eq lsass.exe"

    Image Name                     PID Modules
    ========================= ======== ============================================
    lsass.exe                      648 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                       RPCRT4.dll, msvcrt.dll, LSASRV.dll,
                                       Secur32.dll, USER32.dll, GDI32.dll,
                                       SAMSRV.dll, cryptdll.dll, DNSAPI.dll,
                                       WS2_32.dll, NSI.dll, NETAPI32.dll,
                                       PSAPI.DLL, SAMLIB.dll, MSASN1.dll,
                                       NTDSAPI.dll, WLDAP32.dll, FeClient.dll,
                                       MPR.dll, USERENV.dll, CRYPT32.dll, slc.dll,
                                       SYSNTFY.dll, wevtapi.dll, IPHLPAPI.DLL,
                                       dhcpcsvc.DLL, WINNSI.DLL, dhcpcsvc6.DLL,
                                       IMM32.DLL, MSCTF.dll, LPK.DLL, USP10.dll,
                                       cngaudit.dll, AUTHZ.dll, ncrypt.dll,
                                       BCRYPT.dll, credssp.dll, msprivs.dll,
                                       kerberos.dll, mswsock.dll, wship6.dll,
                                       msv1_0.dll, netlogon.dll, WINBRAND.dll,
                                       schannel.dll, wdigest.dll, rsaenh.dll,
                                       tspkg.dll, GPAPI.dll, setupapi.dll,
                                       OLEAUT32.dll, ole32.dll, scecli.dll,
                                       wshtcpip.dll, NLAapi.dll, napinsp.dll,
                                       pnrpnsp.dll, winrnr.dll, rasadhlp.dll,
                                       dssenh.dll, pstorsvc.dll, psbase.dll
    • Edited by protodev Tuesday, May 19, 2009 6:41 PM bad automatic formatting
    Tuesday, May 19, 2009 6:39 PM
  • Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>tasklist /m /fi "imagename eq lsass.exe"

    Image Name                     PID Modules
    ========================= ======== ============================================
    lsass.exe                      612 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                       RPCRT4.dll, msvcrt.dll, LSASRV.dll,
                                       Secur32.dll, USER32.dll, GDI32.dll,
                                       SAMSRV.dll, cryptdll.dll, DNSAPI.dll,
                                       WS2_32.dll, NSI.dll, NETAPI32.dll,
                                       PSAPI.DLL, SAMLIB.dll, MSASN1.dll,
                                       NTDSAPI.dll, WLDAP32.dll, FeClient.dll,
                                       MPR.dll, USERENV.dll, CRYPT32.dll, slc.dll,
                                       SYSNTFY.dll, wevtapi.dll, IPHLPAPI.DLL,
                                       dhcpcsvc.DLL, WINNSI.DLL, dhcpcsvc6.DLL,
                                       IMM32.DLL, MSCTF.dll, LPK.DLL, USP10.dll,
                                       cngaudit.dll, AUTHZ.dll, ncrypt.dll,
                                       BCRYPT.dll, credssp.dll, msprivs.dll,
                                       kerberos.dll, mswsock.dll, wship6.dll,
                                       msv1_0.dll, netlogon.dll, WINBRAND.dll,
                                       schannel.dll, wdigest.dll, rsaenh.dll,
                                       tspkg.dll, GPAPI.dll, setupapi.dll,
                                       OLEAUT32.dll, ole32.dll, scecli.dll,
                                       wshtcpip.dll, NLAapi.dll, napinsp.dll,
                                       pnrpnsp.dll, winrnr.dll, mdnsNSP.dll,
                                       rasadhlp.dll, dssenh.dll

    C:\Windows\system32>

    Tuesday, May 19, 2009 10:47 PM
  • My error message says:
    [Yellow Exclamation!] You are about to be logged off
    Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.
    Tuesday, May 19, 2009 10:52 PM
  • The plot thickens: I can remote in to the system just fine using Cisco VPN client 4.9.01 (0080) on my MacBook OS X 10.5.7 and Remote Desktop Connection Version 1.0.3 (040913) for OS X. I can stay connected as long as I'd like too.

    Transparent tunneling is disabled on the MacBook and all settings are mirrored on both the PC and Mac.
    Wednesday, May 20, 2009 6:20 AM
  • OrangeBeard177,

    Do you have I Tunes installed or some other apple releated product?
    Please try to uninstall that software. Reboot your machine. Do agian a tasklist /m /fi "imagename eq lsass.exe" and verify that the mdnsNSP.dll is gone. Then see if your problem is resolved.

    OrangeBeard177, protodev,

    1. Try to upgrade your video driver and Network card driver.
    2. Do you use vmware workstation on your desktop?
    3. Is there an event in your event viewer that start with this description.
      Faulting application lsass.exe, version 6.0.6000.16386, time stamp 0x4549afbe, faulting module
      If there, is can you post it back? I think it is writen to the event viewer before the "'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. " event.

    Kind Regards
    DFT

    Wednesday, May 20, 2009 1:02 PM
  • Daft,

    1. I have tried several different video cards with updated drivers (ATI and Nvidia) all with the same crashing result everytime. I have also tried several PCI and PCI-e network cards with updated drivers and nothing works.

    2. No VMware on this PC, this happens on a fresh install of Vista Business 64-bit.

    3. There is no "Faulting application lsass.exe, version 6.0.6000.16386, time stamp 0x4549afbe, faulting module "  The only event that I have that mentions lsass.exe is the "'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. " event.


    I appreciate your replies and helping with troubleshooting this strange, strange problem.
    Wednesday, May 20, 2009 3:57 PM
  • I uninstalled iTunes and Bonjour and still get the crashing.

    Most recently I received this error in the event log:


    Faulting application lsass.exe, version 6.0.6001.18000, time stamp 0x479195b7, faulting module ncrypt.dll, version 6.0.6001.18000, time stamp 0x4791ad6a, exception code 0xc0000005, fault offset 0x0000000000010f7f, process id 0x274, application start time 0x01c9da8ead4d5c9f.

    Friday, May 22, 2009 4:35 AM
  • Lookie what I found:

    Thanks for the update with the event log which shows that the crash occurred due to an access violation exception generated in ncrypt.dll.  Also, I'd like to inform you that this should be a disk based corruption of the dll.

     

    To fix the issue, we can replace the file with a good copy by following these steps:

    1. At an elevated command prompt, type the following command, and then press ENTER:

    takeown /f c:\windows\system32\ncrypt.dll


    2. Type the following command, and then press ENTER to grant administrators full access to the file:


    icacls c:\windows\system32\ncrypt.dll /grant administrators:F


    3. Type the following command to replace the file with a known good copy of the file (from a retail build of windows):

    copy c:\temp\ncrypt.dll c:\windows\system32\ncrypt.dll

     

     

    Hope this helps!


    Sean Zhu - MSFT



    **I will try this first thing tomorrow morning and post my results. But it sure does sound promising.

    Source:
    http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/aa11369e-537e-4907-ab55-7a9687cdfaa7/
    Friday, May 22, 2009 4:48 AM
  • Verified to correct the Remote Desktop issue!
    I booted of the Vista 64 SP1 install disc and used the Repair option to get to a Command prompt. I replaced the file directly from the CD using copy x:\windows\system32\ncrypt.dll c:\windows\system32\ncrypt.dll
    Rebooted and tested Remoting-in from another PC and it worked without incident; no more crashing; no more unable to connect messages.

    Best,
    OrangeBeard177
    • Proposed as answer by protodev Tuesday, May 26, 2009 2:30 PM
    Friday, May 22, 2009 6:53 PM
  • OrangeBeard, Daft, & Protodev

    This solution worked for me too. I'm runnning Vista Business 64bit on a Dell Optiplex 960. Even a fresh reinstall of the OS didn't fix the issue. All is fine now though. Thanks for the solution.
    Sunday, May 24, 2009 3:55 PM
  • Brilliant!

    Nice find dude!

    This solution worked perfectly.

    Thanks again.
    Tuesday, May 26, 2009 2:31 PM
  • I don't get it. What solution are you talking about?
    Saturday, July 4, 2009 5:21 AM