Remote Desktop Login Failures With Agent Installed On Server 2022

Article ID: 286586

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Limited hardware resources and/or multiple security products running on the same box expose or worsen the issue.
  • Attempts to log in via Remote Desktop fail with the error:
    Your Remote Desktop Services session has ended, possibly for one of the following reasons:
    
    The administrator has ended the session.
    An error occurred while the connection was being established
    A network problem occurred.
    
    For help solving the problem, see "Remote Desktop" in Help and Support.
  • Windows Event Viewer Application Log shows the dwm.exe process registering and exiting several times:
    Level: Information
    Source: Desktop Window Manager
    Event ID: 9027
    The Desktop Window Manager has registered the session port.
    Level: Warning
    Source: Dwminit
    Event ID: 0
    The Desktop Window Manager process has exited. (Process exit code: 0x800401f0, Restart count: 8, Primary display device ID: )
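
To confirm a host shows this event signature before changing any Agent Config, the check below counts the Event ID 9027 registrations and the Dwminit exits carrying exit code 0x800401f0. It is an added example, not Carbon Black or Microsoft code; the record shape (dicts with `source`, `event_id`, `message`), the `min_exits` threshold and the sample events are assumptions constructed for illustration.

```python
import re

# Sources, event IDs and the exit code come from the article; the rest is assumed.
KB_EXIT_CODE = 0x800401F0
EXIT_RE = re.compile(
    r"Desktop Window Manager process has exited\. "
    r"\(Process exit code: (0x[0-9a-fA-F]+), Restart count: (\d+)"
)

def match_kb_signature(events, min_exits=2):
    """Summarise Application-log records and say whether they fit the article's pattern.

    events: iterable of dicts with 'source', 'event_id', 'message' (assumed export shape).
    min_exits: how many matching exits count as "several times" (assumed threshold).
    """
    registrations, exits = 0, []
    for ev in events:
        if ev["source"] == "Desktop Window Manager" and ev["event_id"] == 9027:
            registrations += 1
        elif ev["source"] == "Dwminit" and ev["event_id"] == 0:
            m = EXIT_RE.search(ev["message"])
            if m:
                exits.append((int(m.group(1), 16), int(m.group(2))))
    kb_restarts = [count for code, count in exits if code == KB_EXIT_CODE]
    return {
        "registrations": registrations,
        "kb_exits": len(kb_restarts),
        "max_restart_count": max(kb_restarts, default=0),
        # DWM exits with a different code are reported, not attributed to this issue.
        "other_exit_codes": sorted({hex(c) for c, _ in exits if c != KB_EXIT_CODE}),
        "matches": registrations >= 1 and len(kb_restarts) >= min_exits,
    }

def _reg():
    return {"source": "Desktop Window Manager", "event_id": 9027,
            "message": "The Desktop Window Manager has registered the session port."}

def _exit(code, restarts):
    return {"source": "Dwminit", "event_id": 0,
            "message": "The Desktop Window Manager process has exited. "
                       f"(Process exit code: {code}, Restart count: {restarts}, "
                       "Primary display device ID: )"}

# Constructed sample: three register/exit cycles plus one unrelated exit code.
SAMPLE = [_reg(), _exit("0x800401f0", 6), _reg(), _exit("0x800401f0", 7),
          _reg(), _exit("0x800401f0", 8), _exit("0xc0000005", 1)]

if __name__ == "__main__":
    print(match_kb_signature(SAMPLE))
```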

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows Server 2022: All Supported Versions

Cause

Race condition with the Dwm.exe process and rpcss.dll

Resolution

Customers running Agent versions 8.8.x - 8.9.0 have reported higher rates of failure. 

  • Carbon Black has determined that this issue is not ultimately caused by App Control.
  • It is recommended to contact Microsoft support for additional assistance with the Race Condition on dwm.exe and rpcss.dll.
  • In the meantime changes in Agent version 8.10.0+ and the steps below will help reduce the chances of this Race Condition.

 

  1. Upgrade the Agent to version 8.10.0 (or higher) to lessen the chances of hitting the race condition
    • EPCB-18471: Rule Expansion optimization (Agent 8.9.2)
    • EPCB-18811: Rule Expansion optimization (Agent 8.9.2)
    • EPCB-19007: Rule Expansion optimization (Agent 8.10.0)
    • EPCB-21407: Change ExpandRulesTimeoutMs to 0
  2. Test the changes. If the issue persists, continue.
  3. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  4. Add a new Agent Config with the following details:
    • Name: RDP - Disable Process Hollowing (or something memorable)
    • Host ID: 0
    • Value:
      kernelDisableProcessHollowingDetection=1
    • Platform: Windows
    • Status: Enabled
    • Create For: <Relevant Policies>
  5. Save the changes and verify the Agent shows as Connected & Up to Date before attempting to reproduce the issue.
  6. If the issue persists, add another Agent Config to ignore the involved processes:
    • Name: RDP - KPE (or something memorable)
    • Host ID: 0
    • Value:
      kernelProcessExclusions=*\Windows\system32\dwm.exe:8388607,*\Windows\system32\LogonUI.exe:8388607
    • Platform: Windows
    • Status: Enabled
    • Create For: <Relevant Policies>
  7. Save the changes and verify the Agent shows as Connected & Up to Date before attempting to reproduce the issue.

Additional Information

  • Reminder: This ultimately is caused by a race condition issue on Server 2022 that Microsoft has stated they will not currently be addressing.
  • For security reasons, it is recommended to avoid creating the Kernel Process Exclusion listed unless absolutely necessary. 
  • Some customers have noted the issue persists even when all security products have been removed.