Event ID: 50 Source: TermDD

The RDP protocol component <component> detected an error in the protocol stream and has disconnected the client.
This error can be caused by having Hamachi software installed and enabled. Hamachi cannibalises pretty much the whole networking stack for its own selfish purposes. Try exiting Hamachi.
In my case a corrupt virus scanner (Avira) caused the issue on an XP machine. Uninstall, reboot and re-installation worked for me.
For us, overwriting a few files with the SP3 originals solved the issue:
copy  c:\windows\ServicePackFiles\i386\lhmstsc.chm  c:\windows\Help\mstsc.chm
copy  c:\windows\ServicePackFiles\i386\lhmstsc.exe  c:\windows\system32\mstsc.exe
copy  c:\windows\ServicePackFiles\i386\lhmstsc.exe  c:\windows\system32\dllcache\mstsc.exe
copy  c:\windows\ServicePackFiles\i386\lhmstsc.mui  c:\windows\system32\en-US\mstsc.exe.mui
copy  c:\windows\ServicePackFiles\i386\lhmstscx.dll  c:\windows\system32\mstscax.dll
copy  c:\windows\ServicePackFiles\i386\lhmstscx.dll  c:\windows\system32\dllcache\mstscax.dll
copy  c:\windows\ServicePackFiles\i386\lhmstscx.mui  c:\windows\system32\en-US\mstscax.dll.mui
In my case the problem was caused by too many TCP connections and retries generated by the Netware client installed on the server.
Reported protocol components:
- X.224 - X.224 (ISO 8073) defines the Open Systems Interconnection (OSI) protocol for providing the connection-mode transport service.
- WD - Winstation Driver
- MCS - Multipoint Communication Services
- RDP - Remote Desktop Protocol

See also ME186607 - "Understanding the Remote Desktop Protocol (RDP)".

I received this suggestion from Microsoft:

1. Launch TSCC.MSC and delete the RDP-tcp listener.
2. Reboot.
3. Go back to TSCC.MSC and create a new listener.
4. Reboot.
In my case, I was not able to connect remotely into a Windows XP machine. When I checked the settings in Computer Management under System devices, there was a red X over Terminal Server Device Redirector. All I had to do was to right-click on it and click Enable.
- Component: "X.224" - Updating the network card driver is what ultimately fixed this problem for me. Does not tell me the root cause of the issue but at least it is working now.
- Component: "X.224" - In my case, this was caused by a security scan that was being done using Foundstone. The event was logged every 48 minutes, which corresponded with the exact time that the scan kicked off.
- Component: "X.224" - This behavior can be the result of a corrupted certificate on the terminal server. See WITP77335 for details on solving this problem.

See MSW2KDB for additional information about this event.
In our case, the deletion of the Certificate entry inside HKLM\System\CurrentControlSet\Services\TermServices\Parameters solved the problem. After server restart (Terminal service could not be restarted separately) the right certificate was created automatically.
- Component: "DATA ENCRYPTION" - As per Microsoft: "Microsoft has added the FIPS Compliant setting to the options for Terminal Services encryption levels in Windows Server 2003. A Windows Server 2003-based server with the encryption level set to FIPS Compliant cannot permit Remote Assistance connections from a computer that is running Microsoft Windows XP or Windows XP Service Pack 1 (SP1)". See ME811770 for more details.
If you have a slow connection it could also be a problem with the MTU size (change that in the registry). Increase to 1100 and test. Increase in steps of 50 each until the connection breaks, and keep the last value. Of course, back up the registry before.
- Component: "DATA ENCRYPTION". This behavior occurs because the Terminal Services client was installed from the Terminal Services client folder before the 128-bit encryption pack was applied to the Terminal Services computer. MSKB article ME257894 resolves the issue. Also see ME232514 for more information about Terminal Services security.

- Component: "DATA ENCRYPTION". A potential race condition between the Icaapi.dll and Rdpwsx.dll dynamic-link libraries (DLLs) may cause the private certificate key on the Terminal Services server not to be synchronized. See ME323497.
- Component: "X.224". This is a known problem. See ME312313.
- Component: "DATA ENCRYPTION". A more likely cause of this error is a low-bandwidth situation in which decryption is not happening correctly. There is a hotfix for this error produced by Microsoft. See ME311371.
There have been 3 basic causes for your error:

1. Encryption levels defined on the RDP-TCP connection (or ICA, if appropriate), are set too high for the client to successfully negotiate. For example, a client set to Low encryption would be unable to connect to a server with High (or now, FIPS compliant) encryption levels defined. Additionally, XP and XP SP1 clients are currently unable to connect at all if "FIPS compliant" encryption level is set (article in progress on this issue).

To check this, open Terminal Services Configuration (tscc.msc) on the Terminal Server, select the RDP-Tcp connection, select properties, and view the Encryption settings on the General tab. Verify that this is set to Client Compatible, or low, and retest the connection (if needed).

2. Another frequent cause of these problems stems from issues with some registry values in the TermService\Parameters registry key. To this end, could you export the following key: HKLM\System\CurrentControlSet\Services\TermServices\Parameters

After doing this, delete the Certificate, X509 Certificate, and X509 Certificate ID values, and restart the Terminal Server. These values should be regenerated on reboot (but keep the Exported values just in case). This is documented in ME323497. The X509 Certificate and X509 Certificate ID values have also been known to cause this problem, so delete them as well. Also see ME329896. In 9 out of 10 cases this resolves the issue.

3. The third possibility is that some software you are installing is overwriting some of the files needed for the protocol stream. Schannel.dll, rsaenh.dll, and several others are involved in this process.
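
One of the X.224 reports above traced the event to a security scan that fired every 48 minutes. The following added example (not part of the original page or its comments) shows how to test an exported set of TermDD Event ID 50 records for that kind of fixed-interval recurrence per protocol component. The tab-separated export format, the function names and the sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Message wording taken from the event description on this page.
MSG_RE = re.compile(r"The RDP protocol component (.+?) detected an error "
                    r"in the protocol stream")

def parse_events(lines):
    """Yield (timestamp, component) from 'ISO-timestamp<TAB>message' lines."""
    for line in lines:
        stamp, _, message = line.partition("\t")
        match = MSG_RE.search(message)
        if match:
            yield datetime.fromisoformat(stamp), match.group(1).strip('"')

def periodic_components(lines, min_events=4, tolerance=timedelta(minutes=2)):
    """Return {component: median gap} for components whose events recur
    at a near-constant interval (every gap within tolerance of the median)."""
    by_component = defaultdict(list)
    for stamp, component in parse_events(lines):
        by_component[component].append(stamp)
    periodic = {}
    for component, stamps in by_component.items():
        if len(stamps) < min_events:
            continue  # too few events to call it a schedule
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if all(abs(gap - mid) <= tolerance for gap in gaps):
            periodic[component] = mid
    return periodic

# Constructed sample export (not real log data): X.224 errors every 48
# minutes with a few seconds of drift, plus irregular DATA ENCRYPTION errors.
MSG = ("The RDP protocol component {} detected an error in the protocol "
       "stream and has disconnected the client.")
START = datetime(2024, 1, 8, 2, 0)
SAMPLE = [f"{(START + timedelta(minutes=48 * i, seconds=7 * i)).isoformat()}"
          f"\t{MSG.format('X.224')}" for i in range(6)]
SAMPLE += [f"2024-01-08T{clock}:00\t{MSG.format('DATA ENCRYPTION')}"
           for clock in ("03:10", "03:12", "09:40", "16:05")]

if __name__ == "__main__":
    for component, gap in periodic_components(SAMPLE).items():
        print(f"{component}: recurring every {gap}")
```

A component that recurs on a fixed schedule points to an automated source such as a scanner or monitoring probe, which can then be matched against known scan windows before changing anything on the terminal server.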
