session microsoft security client oobe stopped - windows-server-2008-r2

I use Windows Server 2008 R2. I connect to the server by remote desktop connection. But nowadays the server closes my remote desktop session randomly and all my applications running during the session are closed. Simply, my remote desktop connection is forcibly logged off by Windows.
When I reconnect, I open Event Viewer and see the following error:
session 'microsoft security client' oobe stopped due to the following error: 0xC000000D
What can be the reason that makes the server behave like that?

OOBE problem SOLVED ?
IT'S A SECURITY COUNTER
YOU MUST, again, MUST shutdown the security counter.
This is the reason that everyone says to delete the C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl file. This file is used and created by this counter.
DON'T DELETE the EppOobe.etl file. Instead,
you MUST go into Computer Management by these steps:
-> control panel -> administrative tools -> computer management and drill down into:
System Tools -> Performance -> Data Collector Sets -> Startup Event Tracing Sessions
Then, in the frame to the right on that window, select Microsoft Security Client OOBE, right click on it and select Properties.
Click on the tab Trace Session and
Then DISABLE it (uncheck the Enabled box). Then, you select OK.
Disabling the MS Security Client counter as I listed above will not stop Security Essentials; it will run fine without it.
These steps are for Windows 7.

Related

Stop my idle remote desktop session from being logged out on Windows Server 2012 R2

I'm running performance tests from a virtual Windows 2012 R2 server.
Tests take several hours to run. If my remote desktop session is disconnected or idle for more than ~30 minutes, then when I reconnect using mstsc.exe I log in again and my existing session is either logged out at that point, or has expired during the intervening period.
I've used gpedit.msc on the server to set the Idle session timeout for remote desktop to never and restarted the server, but I'm still seeing the same behavior. Any ideas?
Note:
I'm not an admin on the server, normal user with some extra permissions.
I've enabled the "Set time limit for disconnected sessions" and set it to "Never" under 'Computer Configuration' - Help suggests this is the dominant setting, and there's no overriding group policy.
I had this same behavior with one of our 2012 R2 servers.
After trying all the hints, editing the registry on the server finally fixed this issue for me.
Log in as local administrator on the 2012 R2 server.
Open registry.
Edit the values as below, save and restart the server.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
"MaxDisconnectionTime" set to 0
"MaxIdleTime" set to 0
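
When a limit still applies after one setting has been changed, it helps to see which location is supplying it. The following is an added example, not part of the original answer: it reads the two values named above from the machine policy key and, as assumptions of this example, from the per-user policy key and the RDP-Tcp listener key, where the same value names can also be set. Values are stored in milliseconds.

```powershell
# Added example: report RDP session time limits from each place they can be set.
# The first key and both value names come from the answer above; the other two
# keys are assumptions of this example (per-user policy, RDP-Tcp listener).
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
$names = 'MaxDisconnectionTime', 'MaxIdleTime'

function Get-SessionLimit {
    param([string]$Key, [string]$Name)
    $setting = 'not set'
    if (Test-Path -LiteralPath $Key) {
        $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
        $prop  = $null
        if ($props) { $prop = $props.PSObject.Properties[$Name] }
        if ($prop) {
            $ms = [int64]$prop.Value              # DWORD, milliseconds
            if ($ms -eq 0) { $setting = 'never (0)' }
            else { $setting = '{0:N1} min ({1} ms)' -f ($ms / 60000), $ms }
        }
    }
    New-Object PSObject -Property @{ Key = $Key; Value = $Name; Setting = $setting }
}

$report = foreach ($k in $keys) {
    foreach ($n in $names) { Get-SessionLimit -Key $k -Name $n }
}
$report | Format-Table Value, Setting, Key -AutoSize

# Flag any location that still enforces a non-zero limit.
$report | Where-Object { $_.Setting -notmatch '^(not set|never)' } |
    ForEach-Object { Write-Warning ("{0} is limited by {1}" -f $_.Value, $_.Key) }
```

Run it inside the affected user's session so the HKCU key reflects that user.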

How can I run a performance and diagnostics session on a Surface RT machine?

I am trying to launch a remote performance and diagnostics session on my Surface RT machine in Visual Studio Express 2013 by selecting Debug -> Performance and Diagnostics. However, I get the following message:
Diagnostics session failed to start.
Unable to connect to the Microsoft Visual Studio Remote Debugging Monitor named '192.168.11.43:4018 (< device name >)'. Connection request was rejected by the remote debugger. Ensure that the remote debugger is running in 'Windows Authentication' mode.
OK, fair enough, so I change the remote debugger to Windows Authentication mode, but no matter what I do I can't authenticate because my PC and tablet are on different domains (that is the way it seems anyway). The tablet is running Windows RT, of course, so it is impossible to change the domain. I have tried to start the remote debugger from the command line using the -u switch with the username and domain from my PC but that was no good either since the tablet can't authenticate it. I also tried to join the tablet's domain on my PC using the script from this answer but I don't get a successful return value (the return value is 5).
Most of the blogs I have come across say "just save yourself the trouble and switch to 'No Authentication' mode" which is what I did in the first place, but the diagnostics session refuses to run this way. What hoops do I have to jump through to get this to work?
Unfortunately I don't think you can get this to work on an RT. Our team has Pros for exactly this reason. Not being able to join a domain is the killer. :(

Group policy in RDP connections

So I've backed myself into a corner - I wanted an application or command to run when a user logged in over RDP to a server. As per a best-practice suggestion on a Microsoft site, I set up this program to run under group policy rules and now I have a dilemma:
I log into my server via RDP, the default program launches and then immediately logs me out without a chance for me to do anything.
How can I get into the box again to change this setting? Server is Windows 2008 r2 with terminal services installed on a remote IP.
Could you just remove/edit the GPO, wait a bit, and then reboot the server? You could still send it the "shutdown /m \\computername". You could also use psexec to remotely run "gpupdate /force" before rebooting.
If you set that up as local group policy, then you can try opening mmc, choosing the Group Policy editor, and pointing it to that machine to edit the policies. In more detail:
Start --> Run --> mmc
File --> Add/Remove Snap-in
Under the Standalone tab, click Add...
Choose Group Policy Object Editor
In the following wizard, click the Browse button
Click the "Computers" tab, select the Another computer radio button, and type the name or Browse to the remote computer
Click OK, then Finish, then Close, and finally OK
Also you could maybe edit/add a logon script that runs "shutdown -a" to abort logoff/shutdowns, but that may not work due to timing.
You didn't mention if this was Domain, or local, but those options should take care of either.

Unable to start debugging on the web server. The underlying connection was closed. The connection was closed unexpectedly

All of a sudden I'm getting the following error on my local web server (Win7 64bit, IIS 7.5). I've uninstalled & reinstalled IIS locally and it didn't fix it. IIS is set to start up automatically and I can see that the service has been successfully started. Upon a fresh reboot if I go into IIS and click on start website I get the following error:
The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
If I try to start debugging on my local website project I get the following error:
Unable to start debugging on the web server. The underlying connection was closed. The connection was closed unexpectedly.
Any ideas on what I can try? I've been doing research on the issue and Microsoft suggest making sure no other service is listening on the same ports. I've verified that this isn't the issue.
Try changing the web site to use a port other than 80 (suggest 8080 for example) and see if it will start. If so that's a sure sign of another service using port 80 (Skype is a common culprit for this).
Application pool's identity password changed?
I know this is an old post, but I can't believe how many times I've been bitten by this. Some shops use integrated security for SQL, and often your local IIS then needs your network login for the application pool. When your password expires, and you forget to change your password here, start banging your head on the wall... DOH!
Open IIS. Select Application Pools. Select the application pool used by your app. Click Advanced Settings... Select Identity, and the little "..." button to update your user/password.

How to view Windows Event Log remotely with limited privileges

To debug some code, I would like to view the Windows event log of a remote machine (target is Windows2003). With mmc.exe I can add the event log for a remote machine, but only if I have sufficient permissions. For this remote machine, they do not want to give me permissions to log in remotely (or admin privileges for that matter). Is there a specific permission I can be given to view the event log and not much else?
On newer Windows versions (Windows 7, Windows Server 2008...) you can simply add the corresponding account to the built-in group Event Log Readers.
Source: Jane Lewis's Weblog on TechNet, Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
This source also describes an alternative if you need more fine-grained control.
(The OP asked for Windows 2003, where this method doesn't work, but as Windows Server 2003 is no longer supported, people might be interested in this method.)
For the security log, users need the privilege "Manage auditing and security log"
For the system and application logs you should be able to read them as just a guest unless they have set the RestrictGuestAccess value under the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
One option is to get a local ID that is in the remote local admin group.
Next, from your system, map to a drive on the remote server using the new remote local ID.
Create a new MMC from the Windows Run start menu - by typing in MMC /a
Add the Event Viewer snap-in
When it prompts you for local or remote server - put in the host name of the server that you mapped to.
Tip: Windows uses an established secure connection - if it can. Hence the map-a-drive trick works VERY well.
Please note: I use this trick with WMI queries - hence the query never fails due to a timeout issue.
Joshua Flanagan outlined a process to delegate rights through modifying the security descriptor of the event logs.
Please add the domain user (without admin rights) to the "Event Log Readers" group on the target server. Then, from the source server, you can use the standard user credentials to access and read the event logs on the target.
If you could enable web access to the server then you could use an eventlog viewer page that I published a while ago. This would allow the administrators to run the website with just enough permissions to see the eventlog without granting you an account to login...
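
Several of the answers above rely on the Event Log Readers group or on each log's security descriptor. The following is an added example, not code from any of the answers: it lists which principals are allowed to read each log, so an administrator can confirm the delegation before and after granting it. It assumes it is run locally on the target server (Windows Server 2008 or later) by an account that may query log configuration; the log names are illustrative.

```powershell
# Added example: show who is allowed to read each event log, based on the
# log's security descriptor (SDDL). Deny ACEs are not evaluated here.
$READ    = 0x1                 # event log access-mask bit for "read"
$READERS = 'S-1-5-32-573'      # well-known SID of BUILTIN\Event Log Readers
$logs    = 'Application', 'System', 'Security'

foreach ($log in $logs) {
    $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.SecurityDescriptor) {
        Write-Warning "Cannot read the security descriptor of '$log'"
        continue
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
              -ArgumentList $cfg.SecurityDescriptor
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Keep only plain "allow" ACEs that include the read bit.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $READ) -eq 0) { continue }

        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }      # unresolvable SID: show it raw

        New-Object PSObject -Property @{
            Log             = $log
            Principal       = $who
            Mask            = '0x{0:X}' -f $ace.AccessMask
            EventLogReaders = ($sid.Value -eq $READERS)
        }
    }
}
```

A log with no row where EventLogReaders is True will not become readable just by adding the account to that group.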
