Case of the blank print jobs

Hello Askperf! Anshuman here again with an interesting issue I worked a few weeks ago.

The following pop-up appeared on my workstation intermittently:

I then realized that I had the Send To OneNote printer set as my default printer.

The next time this occurred, I paused the print queue and noticed that the “Remote Desktop Redirected Printer Doc” document was getting spooled under my account. This was interesting because I had several remote desktop sessions open to different machines from my workstation, and did not send any print jobs from them.

So two questions came to mind:

1. Which RDS session is this coming from?

2. What was sending this print job?

I then thought to myself, “when in doubt, run Process Monitor!”

My first challenge was to figure out which server session this job was generated from. For this, I ensured that all the RDS sessions I established were using the command line option of mstsc.exe (mstsc /v:servername). Next, I started Process Monitor on my workstation with a specific filter of “Process Name is mstsc.exe” and “Path contains .spl”. Since this issue was intermittent, I checked the “Drop filtered events” option. I also ensured that the Backing File option under the File menu was pointing to a file, instead of Virtual Memory (pagefile). After a while the issue occurred, and procmon captured the following events:

One of the first things I noticed was the CloseFile operation immediately after the CreateFile operation. Typically, you will see a WriteFile operation in between these two operations. So mstsc is connecting to which server? That was easily found by examining the Command Line entry of mstsc captured in the pml file:

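The same check can be scripted over a Process Monitor CSV export; this is an added example, not part of the original post. It flags .spl files that mstsc.exe opens and closes with no WriteFile in between and reads the server from the /v: argument. The sample rows are constructed, and the Command Line column is assumed to have been added to the export.

```python
import csv
import io
import re

# Constructed sample in Process Monitor's CSV export layout. Assumption: the
# "Command Line" column was added via Select Columns before exporting.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Command Line"
"10:01:02.1","mstsc.exe","4321","CreateFile","C:\Windows\System32\spool\PRINTERS\00012.SPL","SUCCESS","mstsc /v:serverA"
"10:01:02.2","mstsc.exe","4321","WriteFile","C:\Windows\System32\spool\PRINTERS\00012.SPL","SUCCESS","mstsc /v:serverA"
"10:01:02.3","mstsc.exe","4321","CloseFile","C:\Windows\System32\spool\PRINTERS\00012.SPL","SUCCESS","mstsc /v:serverA"
"10:07:41.0","spoolsv.exe","1200","CreateFile","C:\Windows\System32\spool\PRINTERS\00014.SPL","SUCCESS","spoolsv.exe"
"10:07:41.1","spoolsv.exe","1200","CloseFile","C:\Windows\System32\spool\PRINTERS\00014.SPL","SUCCESS","spoolsv.exe"
"10:09:15.5","mstsc.exe","5678","CreateFile","C:\Windows\System32\spool\PRINTERS\00013.SPL","SUCCESS","mstsc /v:serverB"
"10:09:15.6","mstsc.exe","5678","CloseFile","C:\Windows\System32\spool\PRINTERS\00013.SPL","SUCCESS","mstsc /v:serverB"
'''


def blank_spool_jobs(csv_text):
    """Return (server, path) for each .spl file that mstsc.exe created and
    closed without a WriteFile in between, in the order they were closed."""
    open_files = {}  # (pid, path) -> True once a WriteFile has been seen
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        # Same filter as in the post: Process Name is mstsc.exe, Path contains .spl
        if row["Process Name"].lower() != "mstsc.exe" or ".spl" not in path.lower():
            continue
        key = (row["PID"], path.lower())
        op = row["Operation"]
        if op == "CreateFile":
            open_files[key] = False
        elif op == "WriteFile" and key in open_files:
            open_files[key] = True
        elif op == "CloseFile" and key in open_files:
            if not open_files.pop(key):
                # The target server is the /v: argument of that mstsc instance
                m = re.search(r"/v:(\S+)", row["Command Line"], re.IGNORECASE)
                findings.append((m.group(1) if m else "unknown", path))
    return findings


if __name__ == "__main__":
    for server, path in blank_spool_jobs(SAMPLE_CSV):
        print(f"empty spool file from session to {server}: {path}")
```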

I logged into the problem server and launched procmon, ensuring that the Backing File option was set to point to a .pml file on a drive with enough space, and “Drop filtered events” was selected. Next I set up a filter “Path Contains tsclient” as well as “Path Contains RdpDr”. I then established an RDS session to the server from my workstation and waited for the mysterious 0 KB print job. Once it happened, I had the following events in the pml file from the ProblemServer:

So there was an add-on service that got installed on the printer server with a print driver. Disabling this ensured that those mysterious 0 KB jobs ceased to occur.

-Anshuman