RDPWD!TRC_TraceLine: the debug log is more detailed once the debug options are enabled (important); no 3389 login, it exited right after connecting

1: kd> p

eax=b9cf823c ebx=00000001 ecx=b9cf81f8 edx=b9cf826e esi=895d2f10 edi=00000008

eip=bac4bcf5 esp=b9cf8220 ebp=b9cf8340 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

termdd!IcaStackTrace+0x5d:

bac4bcf5 e8f2f9ffff call termdd!IcaTraceFormat (bac4b6ec)

1: kd> t

eax=b9cf823c ebx=00000001 ecx=b9cf81f8 edx=b9cf826e esi=895d2f10 edi=00000008

eip=bac4b6ec esp=b9cf821c ebp=b9cf8340 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

termdd!IcaTraceFormat:

bac4b6ec 55 push ebp

1: kd> kc 12

00 termdd!IcaTraceFormat

01 termdd!IcaStackTrace

02 RDPWD!TRC_TraceLine

03 RDPWD!WDWSetConfigData

04 RDPWD!WD_Ioctl

05 termdd!_IcaCallSd

06 termdd!_IcaCallStack

07 termdd!IcaDeviceControlStack

08 termdd!IcaDeviceControl

09 termdd!IcaDispatch

0a nt!IofCallDriver

0b nt!IopSynchronousServiceTail

0c nt!IopXxxControlFile

0d nt!NtDeviceIoControlFile

0e nt!_KiSystemService

0f SharedUserData!SystemCallStub

10 ntdll!NtDeviceIoControlFile

11 ICAAPI!IcaIoControl

1: kd> t

eax=b9cf8114 ebx=895d2f10 ecx=b9cf80d0 edx=b9cf8158 esi=000000ee edi=b9cf8114

eip=bac4b496 esp=b9cf80f8 ebp=b9cf8218 iopl=0 nv up ei ng nz ac po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292

termdd!_IcaTraceWrite:

bac4b496 55 push ebp

1: kd> dv

pTraceInfo = 0x895d2f10

Buffer = 0xb9cf8114

1: kd> dx -id 0,0,89819020 -r1 ((termdd!_ICA_TRACE_INFO *)0x895d2f10)

((termdd!_ICA_TRACE_INFO *)0x895d2f10) : 0x895d2f10 [Type: _ICA_TRACE_INFO *]

[+0x000] TraceClass : 0xffffffff [Type: unsigned long]

[+0x004] TraceEnable : 0xffffffff [Type: unsigned long]

[+0x008] fTraceDebugger : 0x1 [Type: unsigned char]

[+0x009] fTraceTimestamp : 0x0 [Type: unsigned char]

[+0x00c] pTraceFileName : 0x0 [Type: unsigned short *]

[+0x010] pTraceFileObject : 0x0 [Type: _FILE_OBJECT *]

[+0x014] pDeferredTrace : 0x0 [Type: _DEFERRED_TRACE *]

1: kd> x termdd!G_TraceInfo

bac4f1c0 termdd!G_TraceInfo = struct _ICA_TRACE_INFO

1: kd> dx -id 0,0,89819020 -r1 (*((termdd!_ICA_TRACE_INFO *)0xbac4f1c0))

(*((termdd!_ICA_TRACE_INFO *)0xbac4f1c0)) [Type: _ICA_TRACE_INFO]

[+0x000] TraceClass : 0xffffffff [Type: unsigned long]

[+0x004] TraceEnable : 0xffffffff [Type: unsigned long]

[+0x008] fTraceDebugger : 0x1 [Type: unsigned char]

[+0x009] fTraceTimestamp : 0x1 [Type: unsigned char]

[+0x00c] pTraceFileName : 0x89851cf8 : 0x5c [Type: unsigned short *]

[+0x010] pTraceFileObject : 0x8960a290 [Type: _FILE_OBJECT *]

[+0x014] pDeferredTrace : 0x0 [Type: _DEFERRED_TRACE *]

1: kd> dx -id 0,0,89819020 -r1 ((termdd!unsigned short *)0x89851cf8)

((termdd!unsigned short *)0x89851cf8) : 0x89851cf8 : 0x5c [Type: unsigned short *]

0x5c [Type: unsigned short]

1: kd> db 0x89851cf8

89851cf8 5c 00 44 00 6f 00 73 00-44 00 65 00 76 00 69 00 \.D.o.s.D.e.v.i.

89851d08 63 00 65 00 73 00 5c 00-43 00 3a 00 5c 00 57 00 c.e.s.\.C.:.\.W.

89851d18 49 00 4e 00 44 00 4f 00-57 00 53 00 5c 00 49 00 I.N.D.O.W.S.\.I.

89851d28 43 00 41 00 44 00 44 00-2e 00 6c 00 6f 00 67 00 C.A.D.D...l.o.g.

89851d38 00 00 52 00 4f 00 55 00-48 00 00 00 f8 d9 49 44 ..R.O.U.H.....ID

89851d48 0e 00 13 0a 46 69 6c e5-40 67 5d 89 01 00 00 00 ....Fil.@g].....

89851d58 02 00 00 00 01 00 00 00-10 77 98 89 00 08 00 40 .........w.....@

89851d68 40 44 bf 80 00 00 00 00-05 00 70 00 68 d3 80 89 @D........p.h...

1: kd> dx -id 0,0,89819020 -r1 ((termdd!_FILE_OBJECT *)0x8960a290)

((termdd!_FILE_OBJECT *)0x8960a290) : 0x8960a290 [Type: _FILE_OBJECT *]

[+0x000] Type : 5 [Type: short]

[+0x002] Size : 112 [Type: short]

[+0x004] DeviceObject : 0x89543580 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]

[+0x008] Vpb : 0x899ab918 [Type: _VPB *]

[+0x00c] FsContext : 0xe174bba8 [Type: void *]

[+0x010] FsContext2 : 0xe174bcf8 [Type: void *]

[+0x014] SectionObjectPointer : 0x898b41bc [Type: _SECTION_OBJECT_POINTERS *]

[+0x018] PrivateCacheMap : 0x0 [Type: void *]

[+0x01c] FinalStatus : 0 [Type: long]

[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]

[+0x024] LockOperation : 0x0 [Type: unsigned char]

[+0x025] DeletePending : 0x0 [Type: unsigned char]

[+0x026] ReadAccess : 0x1 [Type: unsigned char]

[+0x027] WriteAccess : 0x1 [Type: unsigned char]

[+0x028] DeleteAccess : 0x0 [Type: unsigned char]

[+0x029] SharedRead : 0x1 [Type: unsigned char]

[+0x02a] SharedWrite : 0x1 [Type: unsigned char]

[+0x02b] SharedDelete : 0x0 [Type: unsigned char]

[+0x02c] Flags : 0x44040 [Type: unsigned long]

[+0x030] FileName : "\WINDOWS\ICADD.log" [Type: _UNICODE_STRING]

[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]

[+0x040] Waiters : 0x0 [Type: unsigned long]

[+0x044] Busy : 0x0 [Type: unsigned long]

[+0x048] LastLock : 0x0 [Type: void *]

[+0x04c] Lock [Type: _KEVENT]

[+0x05c] Event [Type: _KEVENT]

[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]

1: kd> dd 0xbac4f1c0

bac4f1c0 ffffffff ffffffff 00000101 89851cf8

bac4f1d0 8960a290 00000000 00000000 00000000

bac4f1e0 8cc88888 8979b4b8 89523280 898fff78

bac4f1f0 006e006c 89850ba8 00000001 00000001

bac4f200 00000002 00000000 00000001 8999c021

bac4f210 00000000 00040001 00000000 bac4f21c

bac4f220 bac4f21c 00000000 00000000 00000000

bac4f230 00000000 00000000 00000000 00000000

1: kd> kc

00 termdd!_IcaTraceWrite

01 termdd!IcaTraceFormat

02 termdd!IcaStackTrace

03 RDPWD!TRC_TraceLine

04 RDPWD!WDWSetConfigData

05 RDPWD!WD_Ioctl

06 termdd!_IcaCallSd

07 termdd!_IcaCallStack

08 termdd!IcaDeviceControlStack

09 termdd!IcaDeviceControl

0a termdd!IcaDispatch

0b nt!IofCallDriver

0c nt!IopSynchronousServiceTail

0d nt!IopXxxControlFile

0e nt!NtDeviceIoControlFile

0f nt!_KiSystemService

10 SharedUserData!SystemCallStub

11 ntdll!NtDeviceIoControlFile

12 ICAAPI!IcaIoControl

13 ICAAPI!_IcaStackIoControlWorker

14 ICAAPI!IcaStackIoControl

15 rdpwsx!WsxIcaStackIoControl

16 termsrv!WsxStackIoControl

17 ICAAPI!_IcaStackIoControl

18 ICAAPI!IcaStackConnectionAccept

19 termsrv!TransferConnectionToIdleWinStation

1a termsrv!WinStationTransferThread

1b kernel32!BaseThreadStart

1: kd> dv

pTraceInfo = 0x895d2f10

Buffer = 0xb9cf8114

1: kd> dx -id 0,0,89819020 -r1 ((termdd!_ICA_TRACE_INFO *)0x895d2f10)

((termdd!_ICA_TRACE_INFO *)0x895d2f10) : 0x895d2f10 [Type: _ICA_TRACE_INFO *]

[+0x000] TraceClass : 0xffffffff [Type: unsigned long]

[+0x004] TraceEnable : 0xffffffff [Type: unsigned long]

[+0x008] fTraceDebugger : 0x1 [Type: unsigned char]

[+0x009] fTraceTimestamp : 0x0 [Type: unsigned char]

[+0x00c] pTraceFileName : 0x0 [Type: unsigned short *]

[+0x010] pTraceFileObject : 0x0 [Type: _FILE_OBJECT *]

[+0x014] pDeferredTrace : 0x0 [Type: _DEFERRED_TRACE *]

1: kd> ed 0x895d2f10+10 0x8960a290

1: kd> ed 0x895d2f10+c 89851cf8

1: kd> dx -id 0,0,89819020 -r1 ((termdd!_ICA_TRACE_INFO *)0x895d2f10)

((termdd!_ICA_TRACE_INFO *)0x895d2f10) : 0x895d2f10 [Type: _ICA_TRACE_INFO *]

[+0x000] TraceClass : 0xffffffff [Type: unsigned long]

[+0x004] TraceEnable : 0xffffffff [Type: unsigned long]

[+0x008] fTraceDebugger : 0x1 [Type: unsigned char]

[+0x009] fTraceTimestamp : 0x0 [Type: unsigned char]

[+0x00c] pTraceFileName : 0x89851cf8 : 0x5c [Type: unsigned short *]

[+0x010] pTraceFileObject : 0x8960a290 [Type: _FILE_OBJECT *]

[+0x014] pDeferredTrace : 0x0 [Type: _DEFERRED_TRACE *]

1: kd> g

89809F7C.E17AF1F0 RDP E1899010 WDWSetConfig 3620 Encryption level: 2

Breakpoint 2 hit

eax=e1899010 ebx=89851a70 ecx=8987e3c4 edx=00000008 esi=8987e3b0 edi=b9e626b0

eip=bac4bc98 esp=b9cf8344 ebp=b9cf8460 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

termdd!IcaStackTrace:

bac4bc98 55 push ebp

1: kd> g

89809F7C.E17AF1F0 RDP E1899010 WDWSetConfig 3623 AutoReconnect disabled: 0

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaDeviceControlStack, fc 49, 0x0

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 LOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 UNLOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 LOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 UNLOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

Breakpoint 0 hit

eax=00000000 ebx=00010000 ecx=7ffa8000 edx=000b4c48 esi=000b4c48 edi=77e662fd

eip=7489fb4f esp=00e7e9e0 ebp=00e7ea10 iopl=0 nv up ei ng nz ac pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000296

termsrv!WsxStackIoControl:

001b:7489fb4f 55 push ebp

1: kd> bd 0

1: kd> h

^ Syntax error in 'h'

1: kd> g

23:04:16.828 89809F7C.E17AF1F0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=18

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 LOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 UNLOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaDeviceControlStack, fc 18 (enter)

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

Breakpoint 2 hit

eax=e1899010 ebx=89851a70 ecx=8987e3c4 edx=00000008 esi=8987e3b0 edi=b9e626b0

eip=bac4bc98 esp=b9cf8360 ebp=b9cf847c iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

termdd!IcaStackTrace:

bac4bc98 55 push ebp

1: kd> bd 2

1: kd> g

89809F7C.E17AF1F0 RDP E1899010 WD_Ioctl 0489 IOCTL_ICA_STACK_WAIT_FOR_ICA (18)

89809F7C.E17AF1F0 RDP E1899010 WD_Ioctl 0785 Stack wait for ICA

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 RDP E1899010 WD_Ioctl 0489 IOCTL_ICA_VIRTUAL_QUERY_BINDINGS (68)

89809F7C.E17AF1F0 RDP E1899010 WD_Ioctl 1308 2 Virtual Channels (first time)

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaBindVirtualChannels: MS_T120 -> 31 Flags=0

89809F7C.E17AF1F0 TermDD: _IcaFindVcBind: vn MS_T120 (not found)

89809F7C.E17AF1F0 TermDD: _IcaRegisterVcBind: MS_T120 -> 31

89809F7C.E17AF1F0 TermDD: IcaFindChannelByName: vn MS_T120 (not found)

89809F7C.E17AF1F0 TermDD: IcaBindVirtualChannels: CTXTW -> 7 Flags=27

89809F7C.E17AF1F0 TermDD: _IcaFindVcBind: vn CTXTW (not found)

89809F7C.E17AF1F0 TermDD: _IcaRegisterVcBind: CTXTW -> 7

89809F7C.E17AF1F0 TermDD: IcaFindChannelByName: vn CTXTW (not found)

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaDeviceControlStack, fc 18, 0x0

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 LOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 UNLOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaCreateChannel: cc 5, vn MS_T120

89809F7C.E17AF1F0 TermDD: IcaFindChannelByName: vn MS_T120 (not found)

89809F7C.E17AF1F0 TermDD: _IcaAllocateChannel: cc 5, vn MS_T120, 8988d978

89809F7C.E17AF1F0 TermDD: IcaLockChannel: cc 0, vc 0

89809F7C.E17AF1F0 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

89809F7C.E17AF1F0 TermDD: _IcaFindVcBind: vn MS_T120 -> vc 31

89809F7C.E17AF1F0 TermDD: _IcaBindChannel: cc 5, vn MS_T120 vc 31

89809F7C.E17AF1F0 TermDD: IcaUnlockChannel: cc 5, vc 31

89809F7C.E17AF1F0 TermDD: IcaDefeferenceChannel: cc 5, vc 31, ref 2

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TSAPI: IcaChannelOpen, 5/MS_T120, 440, success

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 LOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 UNLOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaDeviceControlStack, fc 1280 (enter)

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 RDP E1899010 WD_Ioctl 0489 IOCTL_T120_REQUEST (1280)

89809F7C.E17AF1F0 MCS: T120StartFunc(): Sending X.224 response

89809F7C.E17AF1F0 TermDD: IcaBufferAlloc: 0x8968b4d8, Status=0x0

89809F7C.E17AF1F0 TermDD: IcaCallNextDriver, ProcIndex=2 (enter)

89809F7C.E17AF1F0 TdRawWrite 0011, 8968b4d8

03 00 00 0B 06 D0 00 00 12 34 00 .........4.

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockStack: 0x895de6c8

_TdCancelReceiveQueue [00000000]: Endpoint 0x8952E228

89809F7C.E17AF1F0 TermDD: IcaDeviceControlStack, fc 1280, 0x0

89809F7C.E17AF1F0 TermDD: IcaUnlockStack: 0x895de6c8

8999EF7C.00000000 TermDD: IcaLockStack: 0x895de6c8

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

8999EF7C.00000000 _TdWriteCompleteWorker: 8968b4d8

8999EF7C.00000000 TermDD: IcaBufferError: 0x8968b4d8

8999EF7C.00000000 TermDD: IcaUnlockStack: 0x895de6c8

898FDF7C.00000000 TermDD: IcaLockStack: 0x895de6c8

898FDF7C.00000000 TdInputThread: IRP Status=0xc000013c

898FDF7C.00000000 TD: StackCancelIo (enter)

DeviceCancelIo [8944FD20]: Endpoint 0x8952E228

_TdCancelReceiveQueue [8944FD20]: Endpoint 0x8952E228

898FDF7C.00000000 TdSyncWrite (enter)

898FDF7C.00000000 TD: StackCancelIo, 0 (exit)

898FDF7C.00000000 TermDD: IcaWaitForSingleObject, -1 (enter)

898FDF7C.00000000 TermDD: IcaUnlockStack: 0x895de6c8

898FDF7C.00000000 TermDD: IcaLockStack: 0x895de6c8

898FDF7C.00000000 TermDD: IcaChannelInput, bc=2056 (enter)

898FDF7C.00000000 MCS: Primary: ChannelInput(): broken connection received

898FDF7C.00000000 TermDD: IcaChannelInput, bc=2056 (enter)

898FDF7C.00000000 TermDD: IcaChannelInputInternal: cc 4, vc 0, bc 2056

898FDF7C.00000000 TermDD: IcaChannelInputInternal, Broken Connection

898FDF7C.00000000 RDP E1899010 WD_Ioctl 0489 IOCTL_ICA_STACK_CANCEL_IO (31)

898FDF7C.00000000 MCS: Received STACK_CANCEL_IO

898FDF7C.00000000 RDP E1899010 WD_Ioctl 2393 CancelIO - set WD dead

898FDF7C.00000000 TermDD: IcaCallNextDriver, ProcIndex=5 (enter)

898FDF7C.00000000 TD: StackCancelIo (enter)

DeviceCancelIo [8944FD20]: Endpoint 0x8952E228

_TdCancelReceiveQueue [8944FD20]: Endpoint 0x8952E228

898FDF7C.00000000 TdSyncWrite (enter)

898FDF7C.00000000 TD: StackCancelIo, 0 (exit)

898FDF7C.00000000 TdIoctl(0x0038007f): Status=0x00000000

898FDF7C.00000000 RDP E1899010 WD_Ioctl 2422 Chaining on IOCtl 0x38007f (function 31): status 0

898FDF7C.00000000 TermDD: IcaFindChannel, cc 4, vc 0 (not found)

898FDF7C.00000000 TermDD: IcaChannelInputInternal: channel not found

898FDF7C.00000000 TdInputThread (exit), Status=0xc000013c

898FDF7C.00000000 TermDD: IcaUnlockStack: 0x895de6c8

89809F7C.E17AF1F0 LOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

89809F7C.E17AF1F0 TermDD: IcaLockConnection: 0x895d2ebc

89809F7C.E17AF1F0 UNLOCK: &pStack->CritSec

89809F7C.E17AF1F0 TermDD: IcaUnlockConnection: 0x895d2ebc

896ACEC4.E17F55A8 TermDD: IcaLockChannel: cc 5, vc 31

896ACEC4.E17F55A8 TermDD: IcaReferenceChannel: cc 5, vc 31, ref 1

896ACEC4.E17F55A8 TermDD: _IcaQueueReadChannelRequest, cc 5, vc 31 (pending)

896ACEC4.E17F55A8 TermDD: IcaUnlockChannel: cc 5, vc 31

896ACEC4.E17F55A8 TermDD: IcaDefeferenceChannel: cc 5, vc 31, ref 2

23:04:27.609 895BC9EC.E1757868 TERMSRV: Enter WsxIcaIoControl, IoControlCode=17

23:04:27.609 89809AB4.E1664278 TERMSRV: FindIdleWinStation: (none found)

23:04:27.609 89809AB4.E1664278 TERMSRV: Creating IDLE WinStation

23:04:27.609 89809AB4.E1664278 TERMSRV: StartWinStationDeviceAndStack, (LogonId=-1)

23:04:27.609 89809AB4.E1664278 TERMSRV: StartWinStationDeviceAndStack, Status = 0x0

23:04:27.609 89809AB4.E1664278 TERMSRV: CountWinstationType 1

23:04:27.609 89809AB4.E1664278 TERMSRV: Count 1

23:04:27.609 89809AB4.E1664278 TERMSRV: MaxInstanceCount -1

23:04:27.609 89809AB4.E1664278 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10

23:04:27.609 89809AB4.E1664278 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10

23:04:27.625 89809AB4.E1664278 TERMSRV: Enter WsxIcaIoControl, IoControlCode=14

_TcpSetNagle: Flag 0x0, Result 0x0

TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0x0

TdInBufAlloc: pInBuf=0x8982f978

RDPWD: New trace config for E189B010:

RDPWD: Class: 0

RDPWD: Enable: 0

RDPWD: Prefix info:

RDPWD: None

23:04:27.640 89809AB4.E1664278 TERMSRV: Enter WsxIcaIoControl, IoControlCode=49

Breakpoint 1 hit

eax=00000000 ebx=89572cc8 ecx=00ebf5f4 edx=e189b010 esi=8943dba8 edi=b9e626b0

eip=b9e8e070 esp=b9cd8498 ebp=b9cd8678 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

RDPWD!WDWSetConfigData:

b9e8e070 55 push ebp

1: kd> bd 1

1: kd> g

23:04:27.640 89809AB4.E1664278 TERMSRV: Enter WsxIcaIoControl, IoControlCode=18

_TdCancelReceiveQueue [00000000]: Endpoint 0x8987EAF8

DeviceCancelIo [8944F388]: Endpoint 0x8987EAF8

_TdCancelReceiveQueue [8944F388]: Endpoint 0x8987EAF8

DeviceCancelIo [8944F388]: Endpoint 0x8987EAF8

_TdCancelReceiveQueue [8944F388]: Endpoint 0x8987EAF8

66c: WORK_QUEUE: no work for 180000 ms: committing suicide...

66c: WORK_QUEUE: worker thread exiting

23:04:31.843 895BC9EC.E1757868 TERMSRV: Enter WsxIcaIoControl, IoControlCode=17

23:04:31.843 8944FAB4.E18031A0 TERMSRV: FindIdleWinStation: (none found)

23:04:31.843 8944FAB4.E18031A0 TERMSRV: Creating IDLE WinStation

23:04:31.843 8944FAB4.E18031A0 TERMSRV: StartWinStationDeviceAndStack, (LogonId=-1)

23:04:31.843 8944FAB4.E18031A0 TERMSRV: StartWinStationDeviceAndStack, Status = 0x0

23:04:31.843 8944FAB4.E18031A0 TERMSRV: CountWinstationType 2

23:04:31.859 8944FAB4.E18031A0 TERMSRV: Count 2

23:04:31.859 8944FAB4.E18031A0 TERMSRV: MaxInstanceCount -1

23:04:31.859 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10

23:04:31.859 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=10

23:04:31.859 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=14

_TcpSetNagle: Flag 0x0, Result 0x0

TdiDeviceOpenEndpoint: SetNagle 0x0 Result 0x0

TdInBufAlloc: pInBuf=0x89552ca0

RDPWD: New trace config for E189D010:

RDPWD: Class: 0

RDPWD: Enable: 0

RDPWD: Prefix info:

RDPWD: None

23:04:31.875 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=49

23:04:31.875 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=18

RDPWD: New: ShareClass at E1890A90, size=1392

23:04:31.906 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=19

23:04:31.906 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=20

23:04:31.906 8944FAB4.E18031A0 TERMSRV: IcaStackConnectionAccept, Status=0x0

23:04:31.906 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=75

23:04:31.906 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=69

23:04:31.906 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=71

23:04:31.921 8944FAB4.E18031A0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=72

23:04:31.921 8944FAB4.E18031A0 TERMSRV: LCProcessConnectionProtocol, LogonId=-1, Status=0x0

23:04:31.921 8944FAB4.E18031A0 TERMSRV: WinStationStart, (LogonId=-1)

GDI: VerifierInitialization: failed to get info from ntoskrnl

(s: 0 0x180.18c smss.exe) USRK-[Wrn] *** win32k: DBCS:[0] IME:[0] MiddleEast:[0] CTFIME:[0]

Installed

Installed

23:04:31.921 895FAAC4.E1756150 TERMSRV: WinStation LPC Service Thread got a message

23:04:31.921 895FAAC4.E1756150 TERMSRV: WinStation LPC Service Thread got connection message

23:04:31.921 895FAAC4.E1756150 TERMSRV: WinStationLpcHandleConnectionRequest called

23:04:31.921 895FAAC4.E1756150 TERMSRV: WSTAPI: Creating View memory

23:04:31.921 895FAAC4.E1756150 TERMSRV: WSTAPI: Calling AcceptConnectPort, Accept 1

23:04:31.921 895FAAC4.E1756150 TERMSRV: pContext 000E15E0, ConnectionRequest 00B0FEAC, info 00B0FEC4

23:04:31.921 895FAAC4.E1756150 TERMSRV: ViewBase 00F00000, ViewSize 0x2000, ViewRemoteBase 00640000

23:04:31.921 895FAAC4.E1756150 TERMSRV: WSTAPI: Calling CompleteConnect port 000002D4

23:04:31.921 895FAAC4.E1756150 TERMSRV: WinStation LPC Connection Accepted, Logonid 1 pContext 000E15E0 Status 0x0

23:04:31.921 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got a message

23:04:31.921 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message

23:04:31.921 89516504.E17581A8 TERMSRV: WinStationGetSMCommand, LogonId=1

23:04:31.921 89516504.E17581A8 TERMSRV: WinStationGetSMCommand queue empty port 000002D4

23:04:31.937 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:31.937 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:31.937 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:31.937 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:31.937 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:31.953 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:31.953 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:31.953 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:31.953 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:31.953 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:31.953 89433C9C.E174E6F8 TERMSRV: WinStationWaitForConnect, LogonId=1

23:04:31.953 89433C9C.E174E6F8 TERMSRV: WaitForConnectWorker, LogonId=1

23:04:31.953 8944FAB4.E18031A0 TERMSRV: WinStationStart Subsys PID=1912 InitialProg PID=1940, Status=0x0

23:04:31.953 8944FAB4.E18031A0 TERMSRV: WinStationCreateComplete, (LogonId=1)

23:04:31.953 8944FAB4.E18031A0 TERMSRV: WinStationCreateComplete, (LogonId=1) Status = 0x0

23:04:31.953 89433F7C.E167D988 TERMSRV: TerminateThread, WaitForMultipleObjects, rc=0

23:04:31.968 89433F7C.E167D988 TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=3)

23:04:31.968 89433C9C.E174E6F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:31.968 89433C9C.E174E6F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:31.968 89433C9C.E174E6F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:31.968 89433C9C.E174E6F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:31.968 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, Cmd=WinStationDoConnect, Timeout=600

23:04:31.968 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand pCommand 00C2F464 pCommand->pMsg 00C2F5B4

23:04:31.968 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, sending cmd

23:04:31.968 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, waiting for response

W32WinStationDoConnect - Display resolution information for session 1 :

ProtocolType : 0002

HRes : 1920

VRes : 1080

ColorDepth : 0016

KeyboardType : 35

KeyboardSubType : 35

KeyboardFunctionKey : 5

GDI: DriverCapableOverride on \\.\DISPLAY1 is 0

GDI: DriverAccelerationLevel on \\.\DISPLAY1 is 0

RDPDD: FNCALL_HIST: FN[0] 1[1b0] 2[898c8898] 3[8912eca0] 4[bfa6f8e0]

GDI: Drv_Trace: CaptMatchDevmode: DEFAULT DEVMODE picked

RDPDD: FNCALL_HIST: FN[0] 1[1b0] 2[898c8898] 3[8912eca0] 4[bfa6f8e0]

RDPDD: FNCALL_HIST: FN[6] 1[1] 2[0] 3[bc640000] 4[e1638da0]

RDPDD:+SHM_Init +0053+Allocated shared memory OK(E18EA020 -> E192B20B) size(0x411ec)

RDPDD: FNCALL_HIST: FN[9] 1[0] 2[0] 3[e1638da0] 4[e1638da0]

GDI DDML: Device 0, position 0, 0, 1920, 1080, rotation 0

23:04:32.062 89516784.E1758230 TERMSRV: WinStation LPC Service Thread got a message

23:04:32.062 89516784.E1758230 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message

23:04:32.062 89516784.E1758230 TERMSRV: WinStationGetSMCommand, LogonId=1

23:04:32.062 89516784.E1758230 TERMSRV: WinStationGetSMCommand wait for reply

23:04:32.062 89516784.E1758230 TERMSRV: WinStationGetSMCommand list entry

23:04:32.062 89516784.E1758230 TERMSRV: WinStationGetSMCommand, LogonId=1, Reply for Cmd WinStationDoConnect, Status=0x0

23:04:32.062 89516784.E1758230 TERMSRV: WinStationGetSMCommand queue empty port 000002D4

23:04:32.062 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, Cmd=WinStationDoConnect, Status=0x0

23:04:32.062 89433C9C.E174E6F8 TERMSRV: SMWinStationDoConnect 1 Status=0x0

23:04:32.078 89433C9C.E174E6F8 TERMSRV: CdmConnect 1 Status=0x0

23:04:32.078 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.078 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.078 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.078 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.078 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.078 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=1

23:04:32.078 896075D4.E17D18F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.078 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=1, Status=0x0

(s: 1 0x794.798 winlogon.exe) USER-[Wrn] GetRemoteKeyboardLayoutFromConfigData: The keyboard layout is 00000804

23:04:32.078 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.078 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.078 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.078 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.078 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.078 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6

23:04:32.078 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.078 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6, Status=0x0

(s: 1 0x794.798 winlogon.exe) USER-[Wrn] GetKeyboardDllName: Failed to get the library name for 00000804

23:04:32.078 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.078 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.093 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.109 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.125 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.140 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=14

23:04:32.140 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.140 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.140 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=14, Status=0xc000007c

(s: 1 0x778.7c4 csrss.exe) USRK-[Wrn] ProcessDeviceChanges: KBD pDevInfo=E17F8018 has no name!

(s: 1 0x794.798 winlogon.exe) USRK-[Wrn] Waiting for grpdeskRitInput to be set ...

23:04:32.234 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.234 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.234 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.234 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.234 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.234 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=1

23:04:32.234 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.234 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=1, Status=0x0

(s: 1 0x794.798 winlogon.exe) USER-[Wrn] GetRemoteKeyboardLayoutFromConfigData: The keyboard layout is 00000804

23:04:32.234 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.234 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.234 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.234 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.234 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.234 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6

23:04:32.250 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.250 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6, Status=0x0

(s: 1 0x794.798 winlogon.exe) USER-[Wrn] GetKeyboardDllName: Failed to get the library name for 00000804

(s: 1 0x794.798 winlogon.exe) USER-[Wrn] no DLL name for 00000804

23:04:32.265 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.265 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.265 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.265 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.265 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.281 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.296 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.296 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.296 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.296 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.296 896075D4.E17D18F8 RPC RpcWinStationAutoReconnect for 1

23:04:32.296 896075D4.E17D18F8 RpcWinStationAutoReconnect get GET_CS_AUTORECONNECT_INFO: 0x0

23:04:32.312 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.328 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.328 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.328 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.328 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.328 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6

23:04:32.328 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.328 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6, Status=0x0

AutoAdminLogon = 1

WINMM(p1940:t1944): Remote session protocol RDP

WINMM(p1940:t1944): Remote audio driver name rdpsnd

EXECSERVERSYSTEM: Starting ExecServerThread

00001:Ageint(1):Couldn't turn CSC ON!!!!!!!!!

23:04:32.390 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.390 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.406 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.421 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.437 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.453 89433C9C.E174E6F8 TERMSRV: WinStationSetInformation LogonId=1, Class=34

23:04:32.453 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.453 89433C9C.E174E6F8 TERMSRV: WinStationSetInformation LogonId=1, Class=34, Status=0x0

23:04:32.453 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.453 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.453 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.453 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.453 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.453 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.453 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.453 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.453 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.453 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.453 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=8

23:04:32.453 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.453 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, Cmd=WinStationThinwireStats, Timeout=5

23:04:32.453 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand pCommand 00C2F76C pCommand->pMsg 00C2F7E0

23:04:32.453 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, sending cmd

23:04:32.453 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, waiting for response

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStation LPC Service Thread got a message

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStationGetSMCommand, LogonId=1

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStationGetSMCommand wait for reply

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStationGetSMCommand list entry

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStationGetSMCommand, LogonId=1, Reply for Cmd WinStationThinwireStats, Status=0x0

23:04:32.453 895FAAC4.E1756150 TERMSRV: WinStationGetSMCommand queue empty port 000002D4

23:04:32.453 89433C9C.E174E6F8 TERMSRV: SendWinStationCommand, LogonId=1, Cmd=WinStationThinwireStats, Status=0x0

23:04:32.453 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=8, Status=0x0

23:04:32.484 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.484 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.484 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.484 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.484 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.484 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6

23:04:32.500 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.500 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6, Status=0x0

23:04:32.500 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.500 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.515 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.531 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.546 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:32.562 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.562 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:32.562 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:32.562 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:32.562 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:32.562 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6

23:04:32.562 896075D4.E17D18F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:32.562 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6, Status=0x0

AutoAdminLogon = 0, IgnoreAutoAdminLogon = 0, bAutoLogon = 0

23:04:33.562 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:33.578 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:33.593 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:33.593 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:33.593 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:33.593 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6

23:04:33.593 896075D4.E17D18F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(1) returned no error

23:04:33.593 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=1, Class=6, Status=0x0

23:04:33.593 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:33.593 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:33.593 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:33.593 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:33.593 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

DeviceCancelIo [895D2388]: Endpoint 0x89574F40

_TdCancelReceiveQueue [895D2388]: Endpoint 0x89574F40

DeviceCancelIo [895D2388]: Endpoint 0x89574F40

_TdCancelReceiveQueue [895D2388]: Endpoint 0x89574F40

23:04:37.234 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got a message

DeviceCancelIo [895D2388]: Endpoint 0x89574F40

_TdCancelReceiveQueue [895D2388]: Endpoint 0x89574F40

23:04:37.234 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got connection message

23:04:37.234 89516504.E17581A8 TERMSRV: WinStationLpcHandleConnectionRequest called

23:04:37.234 89516504.E17581A8 TERMSRV: WSTAPI: Creating View memory

23:04:37.234 89516504.E17581A8 TERMSRV: WSTAPI: Calling AcceptConnectPort, Accept 1

23:04:37.234 89516504.E17581A8 TERMSRV: pContext 000E0FF0, ConnectionRequest 00ACFEAC, info 00ACFEC4

23:04:37.250 89516504.E17581A8 TERMSRV: ViewBase 00EC0000, ViewSize 0x2000, ViewRemoteBase 00DA0000

23:04:37.250 89516504.E17581A8 TERMSRV: WSTAPI: Calling CompleteConnect port 000002B8

23:04:37.250 89516504.E17581A8 TERMSRV: WinStation LPC Connection Accepted, Logonid 1 pContext 000E0FF0 Status 0x0

23:04:37.250 89516784.E1758230 TERMSRV: WinStation LPC Service Thread got a message

23:04:37.250 89516784.E1758230 TERMSRV: WinStation LPC Service Thread got WinStationBrokenConnection message

23:04:37.265 89516784.E1758230 TERMSRV: WinStationBrokenConnection, LogonId=1, Reason=2

23:04:37.265 89516784.E1758230 TERMSRV: QueueWinStationReset: 1

23:04:37.265 895FAAC4.E1756150 TERMSRV: WinStation LPC Service Thread got a message

23:04:37.265 895FAAC4.E1756150 TERMSRV: WinStation LPC Service Thread got WinStationInternalReset message

23:04:37.265 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got a message

23:04:37.265 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got WinStationBrokenConnection message

23:04:37.265 89516504.E17581A8 TERMSRV: WinStationBrokenConnection, LogonId=1, Reason=1

23:04:37.265 89516504.E17581A8 TERMSRV: QueueWinStationReset: 1

23:04:37.265 895FAAC4.E1756150 TERMSRV: WinStationReset, LogonId=1

23:04:37.265 89516784.E1758230 TERMSRV: WinStation LPC Service Thread got a message

23:04:37.281 89516784.E1758230 TERMSRV: WinStation LPC Service Thread got WinStationInternalReset message

23:04:37.281 89516784.E1758230 TERMSRV: WinStationReset, LogonId=1

23:04:44.609 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:44.609 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:44.609 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:44.609 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:44.609 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:44.609 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6

23:04:44.609 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:44.609 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6, Status=0x0

AutoAdminLogon = 0, IgnoreAutoAdminLogon = 0, bAutoLogon = 0

23:04:45.625 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:45.625 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:45.625 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:45.625 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:45.625 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:45.625 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6

23:04:45.625 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:45.625 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6, Status=0x0

512.616> Kerb-Error: LogonUser returned c000005e, 0

23:04:50.031 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.046 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.046 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.046 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.046 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.046 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6

23:04:50.046 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:50.046 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6, Status=0x0

RegSAMUserConfig: SamQueryInformationUser returned NTSTATUS = 0x0

RegSAMUserConfig: UserParmInfo 0

UsrPropQueryUserConfig: UsrPropGetValue returned NTSTATUS = 0xc0000034

RegSAMUserConfig: RegGetUserConfigFromUserParameters returned NTSTATUS = 0xc0000034

23:04:50.390 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.390 896075D4.E17D18F8 TERMSRV: Client SPN: NTDEV-QQTQSNLDX\Administrator

23:04:50.390 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.390 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.390 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.390 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=1

23:04:50.390 896075D4.E17D18F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:50.390 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=1, Status=0x0

RegSAMUserConfig: SamQueryInformationUser returned NTSTATUS = 0x0

RegSAMUserConfig: UserParmInfo 0

UsrPropQueryUserConfig: UsrPropGetValue returned NTSTATUS = 0xc0000034

RegSAMUserConfig: RegGetUserConfigFromUserParameters returned NTSTATUS = 0xc0000034

23:04:50.421 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.421 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.421 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.421 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.421 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.421 896075D4.E17D18F8 TERMSRV: WinStationNotifyLogon, LogonId=0

23:04:50.421 896075D4.E17D18F8 TERMSRV: WaitForConnectWorker, LogonId=0

23:04:50.437 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.437 896075D4.E17D18F8 TermDD: IcaCreateChannel: cc 3, vn

23:04:50.437 896075D4.E17D18F8 TermDD: IcaFindChannel, cc 3, vc 0 (not found)

23:04:50.437 896075D4.E17D18F8 TermDD: _IcaAllocateChannel: cc 3, vn , 89769770

23:04:50.437 896075D4.E17D18F8 TermDD: IcaLockChannel: cc 0, vc 0

23:04:50.437 896075D4.E17D18F8 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

23:04:50.437 896075D4.E17D18F8 TermDD: _IcaBindChannel: cc 3, vn vc 0

23:04:50.453 896075D4.E17D18F8 TermDD: IcaUnlockChannel: cc 3, vc 0

23:04:50.468 896075D4.E17D18F8 TermDD: IcaDefeferenceChannel: cc 3, vc 0, ref 2

23:04:50.484 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TSAPI: IcaChannelOpen, 3/, 1224, success

23:04:50.500 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TermDD: IcaCreateChannel: cc 5, vn CTXTW

23:04:50.500 896075D4.E17D18F8 TermDD: IcaFindChannelByName: vn CTXTW (not found)

23:04:50.500 896075D4.E17D18F8 TermDD: _IcaAllocateChannel: cc 5, vn CTXTW , 8944f820

23:04:50.500 896075D4.E17D18F8 TermDD: IcaLockChannel: cc 0, vc 0

23:04:50.500 896075D4.E17D18F8 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

23:04:50.500 896075D4.E17D18F8 TermDD: _IcaFindVcBind: vn CTXTW (not found)

23:04:50.500 896075D4.E17D18F8 TermDD: _IcaBindChannel: cc 5, vn CTXTW vc -1

23:04:50.500 896075D4.E17D18F8 TermDD: IcaUnlockChannel: cc 5, vc -1

23:04:50.500 896075D4.E17D18F8 TermDD: IcaDefeferenceChannel: cc 5, vc -1, ref 2

23:04:50.500 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TSAPI: IcaChannelOpen, 5/CTXTW , 1228, success

23:04:50.500 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.500 896075D4.E17D18F8 TermDD: IcaDeviceControlChannel, fc 51, ref 1 (enter)

23:04:50.515 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.531 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TermDD: IcaDeviceControlChannel, fc 51, ref 1, 0x0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TermDD: IcaCreateChannel: cc 2, vn

23:04:50.546 896075D4.E17D18F8 TermDD: IcaFindChannel, cc 2, vc 0 (not found)

23:04:50.546 896075D4.E17D18F8 TermDD: _IcaAllocateChannel: cc 2, vn , 8954edf8

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockChannel: cc 0, vc 0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

23:04:50.546 896075D4.E17D18F8 TermDD: _IcaBindChannel: cc 2, vn vc 0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaUnlockChannel: cc 2, vc 0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaDefeferenceChannel: cc 2, vc 0, ref 2

23:04:50.546 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TSAPI: IcaChannelOpen, 2/, 1236, success

23:04:50.546 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TSAPI: IcaChannelClose[1236]

23:04:50.546 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TermDD: IcaCreateChannel: cc 0, vn

23:04:50.546 896075D4.E17D18F8 TermDD: IcaFindChannel, cc 0, vc 0 (not found)

23:04:50.546 896075D4.E17D18F8 TermDD: _IcaAllocateChannel: cc 0, vn , 8912ef68

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockChannel: cc 0, vc 0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

23:04:50.546 896075D4.E17D18F8 TermDD: _IcaBindChannel: cc 0, vn vc 0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaUnlockChannel: cc 0, vc 0

23:04:50.546 896075D4.E17D18F8 TermDD: IcaDefeferenceChannel: cc 0, vc 0, ref 2

23:04:50.546 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.546 896075D4.E17D18F8 TSAPI: IcaChannelOpen, 0/, 1240, success

23:04:50.562 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.578 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.578 896075D4.E17D18F8 TSAPI: IcaChannelClose[1240]

23:04:50.578 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.578 896075D4.E17D18F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:50.593 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.593 896075D4.E17D18F8 TermDD: IcaCreateChannel: cc 1, vn

23:04:50.593 896075D4.E17D18F8 TermDD: IcaFindChannel, cc 1, vc 0 (not found)

23:04:50.593 896075D4.E17D18F8 TermDD: _IcaAllocateChannel: cc 1, vn , 89140da8

23:04:50.593 896075D4.E17D18F8 TermDD: IcaLockChannel: cc 0, vc 0

23:04:50.593 896075D4.E17D18F8 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

23:04:50.593 896075D4.E17D18F8 TermDD: _IcaBindChannel: cc 1, vn vc 0

23:04:50.593 896075D4.E17D18F8 TermDD: IcaUnlockChannel: cc 1, vc 0

23:04:50.609 896075D4.E17D18F8 TermDD: IcaDefeferenceChannel: cc 1, vc 0, ref 2

23:04:50.625 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TSAPI: IcaChannelOpen, 1/, 1244, success

23:04:50.640 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TSAPI: IcaChannelClose[1244]

23:04:50.640 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:50.640 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TermDD: IcaCreateChannel: cc 4, vn

23:04:50.640 896075D4.E17D18F8 TermDD: IcaFindChannel, cc 4, vc 0 (not found)

23:04:50.640 896075D4.E17D18F8 TermDD: _IcaAllocateChannel: cc 4, vn , 898cbf68

23:04:50.640 896075D4.E17D18F8 TermDD: IcaLockChannel: cc 0, vc 0

23:04:50.640 896075D4.E17D18F8 TermDD: IcaReferenceChannel: cc 0, vc 0, ref 1

23:04:50.640 896075D4.E17D18F8 TermDD: _IcaBindChannel: cc 4, vn vc 0

23:04:50.640 896075D4.E17D18F8 TermDD: IcaUnlockChannel: cc 4, vc 0

23:04:50.640 896075D4.E17D18F8 TermDD: IcaDefeferenceChannel: cc 4, vc 0, ref 2

23:04:50.640 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.640 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.656 896075D4.E17D18F8 TSAPI: IcaChannelOpen, 4/, 1248, success

23:04:50.671 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.687 896075D4.E17D18F8 TermDD: IcaLockConnection: 0x895fa48c

23:04:50.687 896075D4.E17D18F8 TSAPI: IcaChannelClose[1248]

23:04:50.687 896075D4.E17D18F8 TermDD: IcaUnlockConnection: 0x895fa48c

23:04:50.687 896075D4.E17D18F8 TERMSRV: WinStationOpenChannel status 0x0

23:04:50.703 896075D4.E17D18F8 TERMSRV: SendWinStationCommand, LogonId=0, Cmd=WinStationDoConnect, Timeout=600

23:04:50.703 896075D4.E17D18F8 TERMSRV: SendWinStationCommand pCommand 00D7F5D0 pCommand->pMsg 00D7F628

23:04:50.703 896075D4.E17D18F8 TERMSRV: SendWinStationCommand, LogonId=0, sending cmd

23:04:50.703 896075D4.E17D18F8 TERMSRV: SendWinStationCommand, LogonId=0, waiting for response

W32WinStationDoConnect - Display resolution information for session 0 :

ProtocolType : 0000

HRes : 0000

VRes : 0000

ColorDepth : 0000

KeyboardType : 35

KeyboardSubType : 2012410280

KeyboardFunctionKey : 2011527687

23:04:50.796 895551FC.00000000 TermDD: IcaLockChannel: cc 4, vc 0

23:04:50.796 895551FC.00000000 TermDD: IcaReferenceChannel: cc 4, vc 0, ref 1

23:04:50.796 895551FC.00000000 TermDD: _IcaQueueReadChannelRequest, cc 4, vc 0 (pending)

23:04:50.796 895551FC.00000000 TermDD: IcaUnlockChannel: cc 4, vc 0

23:04:50.796 895551FC.00000000 TermDD: IcaDefeferenceChannel: cc 4, vc 0, ref 2

23:04:50.796 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got a message

23:04:50.796 89516504.E17581A8 TERMSRV: WinStation LPC Service Thread got WinStationGetSMCommand message

23:04:50.796 89516504.E17581A8 TERMSRV: WinStationGetSMCommand, LogonId=0

23:04:50.796 89516504.E17581A8 TERMSRV: WinStationGetSMCommand wait for reply

23:04:50.796 89516504.E17581A8 TERMSRV: WinStationGetSMCommand list entry

23:04:50.796 89516504.E17581A8 TERMSRV: WinStationGetSMCommand, LogonId=0, Reply for Cmd WinStationDoConnect, Status=0x0

23:04:50.796 89516504.E17581A8 TERMSRV: WinStationGetSMCommand queue empty port 0000075C

23:04:50.796 896075D4.E17D18F8 TERMSRV: SendWinStationCommand, LogonId=0, Cmd=WinStationDoConnect, Status=0x0

23:04:50.796 896075D4.E17D18F8 TERMSRV: SMWinStationDoConnect 0 Status=0x0

23:04:50.796 896075D4.E17D18F8 TERMSRV: CdmConnect 0 Status=0x0

TermSrv : HelpAssistant protocol type not RDP

TermSrv : HelpAssistant protocol type not RDP

23:04:50.796 896075D4.E17D18F8 TERMSRV: WinStationNotifyLogon, Status=0x0

23:04:50.796 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.796 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.796 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.796 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.796 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.796 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=8

23:04:50.796 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:50.796 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=8, Status=0x0

AudioSrv: CUser::Initialize : error: WTSQueryUserToken returned error=1245

23:04:50.812 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.812 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.812 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.812 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.828 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.828 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

456.180> AUTOENRL: RegisterAutoEnrollmentProcessing exiting with error: (0x80004004)

[Wlballoon] - Info: Logoff event name = Local\WlballoonLogoffNotification.

23:04:50.921 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.921 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.921 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.921 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.921 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.921 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=8

23:04:50.937 896075D4.E17D18F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:50.937 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=8, Status=0x0

AudioSrv: note: new console user SID S-1-5-21-627781131-2180906709-4154875691-500

WINMM(p456:t240): Session state changed: CONSOLE

23:04:50.968 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.968 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.968 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.968 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.968 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:50.968 896075D4.E17D18F8 TERMSRV: WinStationUpdateUserConfig, LogonId=0

23:04:50.968 896075D4.E17D18F8 TERMSRV: RpcWinStationUpdateUserConfig, Status=0x0

23:04:50.984 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.984 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:50.984 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:50.984 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:50.984 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:50.984 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6

23:04:51.000 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:51.000 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=6, Status=0x0

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x144.154 explorer.exe) USRK-[Wrn] ZOrderByOwner: Topmost change while using SWP_NOOWNERZORDER. pwndRoot:BC674D34 pwndOriginal:BC674D34

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x144.154 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x244.b8 MSConfig.exe) USER-[Wrn=1400] HMValidateHandle: Invalid:00000000 Type:0x1

(s: 0 0x244.b8 msconfig.exe) USRK-[Wrn=1400] ValidateHwnd: Invalid hwnd (00000000)

err comctlv6 Cannot combine TVS_HASLINES and TVS_FULLROWSELECT

err comctlv6 Cannot combine TVS_HASLINES and TVS_FULLROWSELECT

23:04:54.015 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:54.031 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:54.031 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:54.046 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:54.046 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:54.062 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:54.062 896075D4.E17D18F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:54.062 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:54.062 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:54.062 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:54.062 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=8

23:04:54.062 896075D4.E17D18F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:54.062 896075D4.E17D18F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=8, Status=0x0

23:04:56.359 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:56.359 896075D4.E17D18F8 TERMSRV: Client SPN: NTDEV-QQTQSNLDX\Administrator

23:04:56.375 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:56.375 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:56.375 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:56.375 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:56.375 89433C9C.E174E6F8 TERMSRV: Client SPN: NTDEV-QQTQSNLDX\Administrator

23:04:56.375 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:56.375 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:56.375 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

712.568p> Cairole: StartService ImapiService failed, error = 0x422

23:04:56.406 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

23:04:56.406 896075D4.E17D18F8 TERMSRV: Client SPN: NTDEV-QQTQSNLDX\Administrator

23:04:56.406 896075D4.E17D18F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:56.406 896075D4.E17D18F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:56.406 896075D4.E17D18F8 TERMSRV: -|--------------------------------------------|-

NETCFG *ERROR*: Error sending IPNATHLP_CONTROL_UPDATE_POLICY to SharedAccess service [The service has not been started.] Win32=1062,0x00000426 hr=0x80070426 File:d:\srv03rtm\net\config\netman\conman\gpnla.cpp,1198

(s: 0 0x144.364 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:0X000200E8 Type:0x1

23:04:58.265 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:58.265 89433C9C.E174E6F8 TERMSRV: Client SPN: NT AUTHORITY\SYSTEM

23:04:58.265 89433C9C.E174E6F8 TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY

23:04:58.265 89433C9C.E174E6F8 TERMSRV: Authentication service: RPC_C_AUTHN_WINNT

23:04:58.265 89433C9C.E174E6F8 TERMSRV: -|--------------------------------------------|-

23:04:58.265 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=14

23:04:58.265 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:58.265 89433C9C.E174E6F8 TERMSRV: RpcCheckClientAccess, AccessCheckAndAuditAlarm(0) returned no error

23:04:58.265 89433C9C.E174E6F8 TERMSRV: WinStationQueryInformation LogonId=0, Class=14, Status=0x0

(s: 0 0x144.364 Explorer.EXE) USER-[Wrn=1400] HMValidateHandle: Invalid:0X000200F0 Type:0x1

*** LocalFree( 96000c ) - invalid handle

Break instruction exception - code 80000003 (first chance)

*******************************************************************************

*                                                                             *

*   You are seeing this message because you pressed either                    *

*       CTRL+C (if you run console kernel debugger) or,                       *

*       CTRL+BREAK (if you run GUI kernel debugger),                          *

*   on your debugger machine's keyboard.                                      *

*                                                                             *

*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *

*                                                                             *

* If you did not intend to break into the debugger, press the "g" key, then   *

* press the "Enter" key now.  This message might immediately reappear.  If it *

* does, press "g" and "Enter" again.                                          *

*                                                                             *

*******************************************************************************

eax=00000001 ebx=105f0c4a ecx=80b16780 edx=000003f8 esi=00002708 edi=3cb4bf20

eip=80ae0d1c esp=80b14600 ebp=80b14610 iopl=0 nv up ei pl nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202

nt!RtlpBreakWithStatusInstruction:

80ae0d1c cc int 3