The Event Record inspector is returning an error for the description of the event

Hello,

I am seeing the following issue with the Event Record inspector:

Q: (time generated of it, exists description of it) of records whose (event id of it = 25) of event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
A: ( Wed, 27 Apr 2016 23:17:41 -0500 ), False
T: 7.896 ms
I: plural ( time, boolean )

This event ID is generated when a remote user uses Remote Desktop Connection to connect to a PC and resumes an existing session. Specifically, if you are already logged into a device and then you RDP into it from another device.

Most strangely, I am only seeing this if the RDP connection occurs over IPv6.

This generates event ID 25 with the following description:

Remote Desktop Services: Session reconnection succeeded:

User: AD\User
Session ID: 1
Source Network Address: ::fd:ea:ea:ea:6203:8ff%946576126

If the Source Network Address isn’t “LOCAL” or IPv4 then BigFix is unable to pull this event description at all for some reason. Description of it returns nothing and exists description of it returns false.

Has anyone seen anything like this?
Bill


This definitely seems like a bug / issue with the inspector.

I haven’t seen this specifically, but I recall some inconsistencies with the event log inspector in general.

Looks like it's a bug due to the % being in the string, so code is trying to format the string. We think there is a way around it (Microsoft somehow does obviously) so we are opening an internal bug. If you do file a PMR then please indicate there is an internal defect opened.
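
The failure mode suggested in the last reply, sketched as an added example (not BigFix's code, whose internals this thread does not show): a reader that runs insert expansion over text that already contains event data treats the IPv6 zone index `%946576126` as a format reference and gives up. The `%N` insert syntax, the template and all function names are assumptions made for illustration; the sample values are constructed from the description quoted in the first post.

```python
import re

# Constructed template and inserts, modelled on the event 25 text in the thread.
TEMPLATE = (
    "Remote Desktop Services: Session reconnection succeeded:\n"
    "User: %1\nSession ID: %2\nSource Network Address: %3"
)
INSERTS_LOCAL = ["AD\\User", "1", "LOCAL"]
INSERTS_IPV6 = ["AD\\User", "1", "::fd:ea:ea:ea:6203:8ff%946576126"]

_INSERT = re.compile(r"%(\d+)")


def expand_once(template, inserts):
    """Replace each %N with inserts[N-1]; inserted text is not re-scanned."""
    def repl(match):
        index = int(match.group(1))
        if not 1 <= index <= len(inserts):
            raise LookupError("no insert for %" + match.group(1))
        return inserts[index - 1]
    return _INSERT.sub(repl, template)


def describe_fragile(template, inserts):
    """Hypothetical buggy reader: formats the expanded text a second time.

    Event data is now parsed as format syntax, so a '%' followed by digits
    in the data fails the lookup and the description is reported as missing.
    """
    text = expand_once(template, inserts)
    try:
        return expand_once(text, inserts)
    except LookupError:
        return None  # surfaces as "exists description" = False


def describe_safe(template, inserts):
    """Expand exactly once and treat the result as opaque data."""
    return expand_once(template, inserts)


def risky_inserts(inserts):
    """List inserts that would be misread if the text were formatted again."""
    return [value for value in inserts if _INSERT.search(value)]


if __name__ == "__main__":
    for name, data in (("LOCAL", INSERTS_LOCAL), ("IPv6", INSERTS_IPV6)):
        print(name, "fragile exists:", describe_fragile(TEMPLATE, data) is not None,
              "| safe exists:", describe_safe(TEMPLATE, data) is not None)
```
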