Jump to content

RDS servers - ekrn.exe Application Errors logged every time users login


Recommended Posts

We've noticed this phenomenon occurring on multiple Windows Server 2016 remote desktop services session hosts. For one of our clients it appears to be causing resource exhaustion issues causing the servers to become unresponsive. 

It appears a new instance of ekrn.exe is attempting to be created whenever a new user session is created - is this normal?

Serves are running ESET Server Security vers 10.0.12014.0

Here's what I've determined:

Windows Application log records Application error ID 1000 logged everytime a new user session is created:
Faulting application path: C:\Program Files\ESET\ESET Security\ekrn.exe
Faulting module path: C:\Program Files\ESET\ESET File Security\em039_64\2102\em039_64.dll

Similarly, Windows System log records Service Control Manager ID 7031 error at the same time as the Application error is logged: The ESET Service service terminated unexpectedly. 

ESET event log indicates “File 'Ekrn_*.mdmp' was sent to ESET Virus Lab for analysis." each time. These events appear to have commenced immediately after the Detection engine was updated to vers 28271 (on 21 Nov). They started being logged a few hours prior to the Application error ID 1000 errors first being recorded.

The ESET Audit log is now recording "Feature changed" events multiple times a day (I assume whenever a new user session is created and the ekrn.exe is run). Prior to 21 Nov, these events were only logged whenever the server was restarted.

 

Link to comment
Share on other sites

  • Administrators
1 hour ago, CJD138 said:

My name is Colin and I work with Craig who posted this.
Sorry for the delay but I attached the log files from the affected server.

Please uninstall ESET Server Security and install the latest version while keeping the default modules folder. You have changed it to the program install folder which might cause issues and it's not recommend. At least the path should point to a separate modules folder.

By default modules are installed in "C:\Program Files\ESET\ESET Security\Modules", you have them in "C:\Program Files\ESET\ESET File Security" .

image.png

 

Link to comment
Share on other sites

It appears this issue resolved following install of Detection Engine version 28382 (or one of the subsequent updates - there were 4 in a space of 10 hours), as we haven't seen the issue logged since.

We have performed the uninstall/reinstall as suggested on one of our RDS farm servers, so we can see whether this makes any difference if we notice the errors return.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...