My event log's are being hammered with Event 4005 The Windows logon process has unexpectedly terminated, Event 50 The Terminal Server security layer detected an error in the protocol stream and has disconnected the clientand Event 56 The RDP protocol component <component> detected an error in the protocol stream and has disconnected the client.
I have followed the suggestions in http://technet.microsoft.com/en-us/library/cc734097(v=ws.10).aspx and searched on this without finding a solution to make the events go away.
I also tried following this suggestion to remove two Windows Updates (even though I have Win 2008 Standard R2 and not SBS) http://social.technet.microsoft.com/Forums/en-US/dd7157b8-8ecc-4a13-88ad-f4ca0d3b3249/error-the-windows-logon-process-has-unexpectedly-terminated?forum=smallbusinessserver
I have cross referenced the dates & times of these events with a login audit file I keep and hoping to find a pattern related to specific users but no luck.
Before I open a paid support ticket, I just want to find out if there is any common thread to these Event ID's.
Can these be caused by:
1) an RDP worm/malware?
2) Macintosh RDP clients?
3) Disconnected session being logged off after 2 hrs by policy?