Problems on Windows 2012 R2 RDP



Hello,

I have been having a problem with 2 terminal servers (2012 R2) for about 2 weeks (it occurred on 29/03 with both and then on 9/4 with one and on 11/04 with the other). 
ESET is not in the taskbar and the following entries can be found in the event log:
The time limit (240000 ms) was reached while waiting for a transaction response from service ekrn.
and
The timeout (240000 ms) was reached while waiting for a transaction response from service ekrnEpfw.
The servers are then relatively difficult to operate and the message appears when logging off:
Please wait for "Notification text for system events".
The message is probably displayed for hours for the users, but also for the administrator when logging off. The only solution is to stop the machine (which also takes 10 minutes or more) and then start it again.
Scans with ESET, MSERT, Maleware, AdwCleaner have brought no results. The logs do not provide any further information either.
Does anyone have the same problem? Are the servers hacked or are there problems with the current version?


  • Administrators

What version of ESET Server Security do you have installed? Is it the latest v10.0.12010.0? Does uninstalling ESET and installing the latest version from scratch make a difference?


4 minutes ago, Marcos said:

What version of ESET Server Security do you have installed? Is it the latest v10.0.12010.0? Does uninstalling ESET and installing the latest version from scratch make a difference?

Hello,

it is the latest version 10.0.12010.0


  • Administrators

To start off, please provide:
1. A Procmon boot log saved in an unfiltered PML format and compressed
2. Logs collected with ESET Log Collector

Prior to generating the PML log, make sure to temporarily disable Protected service in the HIPS setup and reboot the server.

If the logs are too big to upload here, upload them to a file sharing service and drop me a private message with download links.


Hello Thomas, did you find a tip for your problem other than stopping the machine?
I have the same problem for the second time on several servers (physical and virtual) after 5-6 days (Thursday or Friday).


  • Administrators
51 minutes ago, GDELAVAQUERIE said:

Hello Thomas, did you find a tip for your problem other than stopping the machine?
I have the same problem for the second time on several servers (physical and virtual) after 5-6 days (Thursday or Friday).

Please provide logs collected with ESET Log Collector. In Thomas' logs I noticed catalog errors only from April 11:

CatalogDB: 10:56:10 11.04.2023: catadnew.cpp at line #1534 encountered error 0x800700c1
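The error code in the catalog line quoted above is an HRESULT: 0x800700c1 is a failure in the Win32 facility carrying Win32 error 193 (ERROR_BAD_EXE_FORMAT). The following PowerShell is an added example, not part of the original posts or of any ESET tooling; the function name `ConvertFrom-CatalogDbLine` and the second sample line are constructed for illustration, and the day.month.year date format is assumed from the quoted line.

```powershell
# Added example, not from the thread. The first sample line is the one quoted
# above; the second is constructed to show a different Win32 code.
$sample = @(
    'CatalogDB: 10:56:10 11.04.2023: catadnew.cpp at line #1534 encountered error 0x800700c1'
    'CatalogDB: 10:56:11 11.04.2023: catadnew.cpp at line #1534 encountered error 0x80070005'
)

function ConvertFrom-CatalogDbLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $pattern = '^CatalogDB:\s+(?<time>[\d:]{8}) (?<date>[\d.]{10}):\s+(?<file>\S+) ' +
                   'at line #(?<line>\d+) encountered error 0x(?<hr>[0-9A-Fa-f]{8})\s*$'
        if ($Line -notmatch $pattern) { return }   # ignore lines in any other format

        # Assumption: the date is day.month.year, as in the quoted line.
        $when = [datetime]::ParseExact("$($Matches.time) $($Matches.date)",
                    'HH:mm:ss dd.MM.yyyy', [cultureinfo]::InvariantCulture)

        # Parse from the hex string: a 0x8xxxxxxx literal would become a negative Int32.
        $hr       = [Convert]::ToUInt32($Matches.hr, 16)
        $failed   = (($hr -shr 31) -band 1) -eq 1      # severity bit (bit 31)
        $facility = [int](($hr -shr 16) -band 0x7FF)   # 11-bit facility field
        $code     = [int]($hr -band 0xFFFF)            # low 16 bits

        # Facility 7 is FACILITY_WIN32: the code is an ordinary Win32 error number,
        # so the operating system can supply the message text for it.
        $text = if ($facility -eq 7) {
            (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
        } else {
            '(not a Win32-facility HRESULT)'
        }

        [pscustomobject]@{
            Time      = $when
            Source    = "$($Matches.file):$($Matches.line)"
            HResult   = '0x{0:X8}' -f $hr
            Failed    = $failed
            Facility  = $facility
            Win32Code = $code
            Message   = $text
        }
    }
}

$sample | ConvertFrom-CatalogDbLine | Format-Table -AutoSize
```

To use it on a server, pipe the lines of the CatalogDB error log into the function with `Get-Content`; the log's location is not given in the thread, so the path is left to the reader.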


2 hours ago, GDELAVAQUERIE said:

Thomas,

You haven't had a return of the problem since the last forced restart or reinstallation of ESET? Your servers have how many days of activity?

 

The last reboot I did was on 11.04. (that was also the last time the problem existed).
I have reinstalled ESET today.
The problems occurred so far on 29.03. and 11.04. with this server.
Since 11.04. no longer, but only a little time has passed.


4 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector. In Thomas' logs I noticed catalog errors only from April 11:

CatalogDB: 10:56:10 11.04.2023: catadnew.cpp at line #1534 encountered error 0x800700c1


I performed the operation on one of my servers as a witness. However, I had no error in my log. Thanks, Marcos.


20 minutes ago, Thomas Fincke said:

However, the collector does not seem to work.

Indeed, the problem does not only impact the SENS service but also the Office suite, Windows Explorer, the RDS collection,...


46 minutes ago, GDELAVAQUERIE said:

Indeed, the problem does not only impact the SENS service but also the Office suite, Windows Explorer, the RDS collection,...

I've also read that Kaspersky can also cause this problem. Did you have Kaspersky on these servers before?


2 minutes ago, Marcos said:

Did you follow the above instructions for repairing the catalog db which might be the culprit?

Not on the server that has the problems now.
The tutorial is for 2008, does it also work on the 2012 R2?


The problem now appears on servers without an RDS role.
Same symptom: Session gets stuck with 4-5 processes. The Winlogon process is blocked by the SENS service ID (2023-04-16_16h00_07.png). The SENS service is waiting for EKRN.EXE (2023-04-16_16h00_47.png).
On these servers, when I kill the SENS service process, the sessions close. But other problems are still present after reconnecting (Explorer and the ESET GUI don't open, ...) even with the SENS service stopped.

I discovered another symptom: unable to query ESET WMIs but Windows WMIs work.

2023-04-16_16h00_07.png

2023-04-16_16h00_47.png


Good morning,

Under Windows 2019, I encounter the same problem as you and see the same elements as gdelavaquerie in the task manager.

Here are more details about the issue:
04/05/23: windows update on 3 RDS servers
04/07/23: Session blocked with a message indicating to wait for the system event notification service (SENS) => reboot server => ok
04/12/23 => User session blocked again => uninstallation of Eset on 2 of the 3 servers.
04/16/23 => User sessions blocked on the only server with Eset

Eset is latest version, ekrn.exe blocks processes

here is the list of updates installed since 04/05/23:
KB4486153
Servicing stack 10.0.17763.4121
KB5022504
KB5023702
Adobe reader 23.001.20143

 


  • Administrators

If the system doesn't start with ESET installed, please follow the instructions at https://forum.eset.com/topic/36081-server-problem-after-reboot-elam:

  1. Configure Windows to generate complete memory dumps as per https://support.eset.com/en/kb380
  2. Reproduce the system lockup
  3. Manually trigger a crash according to the above KB
  4. Rename eelam.sys driver in safe mode (ekrn will not load and protect the server)
  5. Compress the memory dump and supply it to me in a compressed form along with logs collected with ESET Log Collector.

Experiencing the same issue. 

Server 2012 R2 in remote desktop deployment.

Performance degradation and occasionally logoff sessions getting stuck on "Please wait for "Notification text for system events""

I've opened a support ticket, if it's not resolved by Wednesday we will uninstall ESET during our maintenance window to see if ESET is to blame


  • Administrators
19 minutes ago, MickZe said:

Experiencing the same issue. 

Performance degradation and occasionally logoff sessions getting stuck on "Please wait for "Notification text for system events""

This topic is about ekrn.exe not starting with Windows at times, your issue seems to be different. As for performance degradation, does pausing real-time protection for a while make a difference?


I already think that it is the same problem.
Perhaps I have expressed myself in a misleading way. We don't have problems starting ESET, but the programme crashes and we then have problems logging off.
After a hard restart, ESET works again.

 
