Hi all,
we deployed Terminal Services on Windows Server 2008 R2, Standard.
More Terminal Services licences are available than needed. In a Group Policy in the domain we set only the following parameters:
Idle session limit: 5 days
Active session limits: 5 days
All other parameters are not set in the Group Policy.
The users complain that their sessions are interrupted before the active or idle session limit is reached.
In the event logs there are no eye-catching entries. But there are some events which should be analyzed. I could not find any good information about these Event IDs:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 06.10.2016 02:27:34
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: <TERMINAL SERVER NAME>
Description: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1465920317-3573457174-689236308-1025:
Process 224 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1465920317-3573457174-689236308-1025\Printers\DevModePerUser
Event ID 56 indicates a time-out. This Event ID is seen very rarely, while interrupts occur very often from different clients (Windows PCs, handhelds, etc.):
Log Name: System
Source: TermDD
Date: 06.10.2016 02:27:31
Event ID: 56
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <TERMINAL SERVER NAME>
Description: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: <IP ADDRESS>
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="TermDD" /><EventID Qualifiers="49162">56</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2016-10-06T00:27:31.702701900Z" /><EventRecordID>199479</EventRecordID><Channel>System</Channel><Computer>TERMINAL SERVER NAME</Computer><Security /></System><EventData><Data>\Device\Termdd</Data><Data>IP ADDRESS</Data><Binary>0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000B50000D0</Binary></EventData></Event>
My analysis of the error code in Event ID 56:
B50000D0 turned around > D00000B5
ERROR: C00000B5
Error code with err.exe:
D:\err>err.exe /ntstatus.h C00000B5
# ntstatus.h selected.
# for hex 0xc00000b5 / decimal -1073741643 :
  STATUS_IO_TIMEOUT   ntstatus.h
# {Device Timeout}
# The specified I/O operation on %hs was not completed before
# the time-out period expired.
# 1 matches found for "C00000B5"
The other Event ID is:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 06.10.2016 02:27:31
Event ID: 4779
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: <TERMINAL SERVER NAME>
Description: A session was disconnected from a Window Station.
Subject:
  Account Name: <USER ACCOUNT>
  Account Domain: <TERMINAL SERVER NAME>
  Logon ID: 0xf8e72c6f
Session:
  Session Name: RDP-Tcp#12
Additional Information:
  Client Name: <CLIENT NAME>
  Client Address: <IP ADDRESS>
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /><EventID>4779</EventID><Version>0</Version><Level>0</Level><Task>12551</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2016-10-06T00:27:31.718302300Z" /><EventRecordID>1473106</EventRecordID><Correlation /><Execution ProcessID="600" ThreadID="10144" /><Channel>Security</Channel><Computer>TERMINAL SERVER NAME</Computer><Security /></System><EventData><Data Name="AccountName">USER ACCOUNT</Data><Data Name="AccountDomain">TERMINAL SERVER NAME</Data><Data Name="LogonID">0xf8e72c6f</Data><Data Name="SessionName">RDP-Tcp#12</Data><Data Name="ClientName">CLIENT NAME</Data><Data Name="ClientAddress">IP ADDRESS</Data></EventData></Event>
My questions:
How can I trace all RDP sessions in DETAIL, incl. logon, logoff, interrupts, etc.?
Is there any tool for it? I mean EXCEPT "Remote Server Services Manager".
Best Regards
Birdal