Hi People, Got called in to have a look at this one, the wonders of remote access;-). There really were hundreds of instances of csrss.exe, from 500-2400 and growing on servers in the farm that were hosting the main published app, a desktop session. Most instances of csrss.exe had no accompanying instances of winlogon.exe One of the servers has very high sessionid numbers (thousands) despite the fact the server had been running for less than 11 hours and had 30-40 users, in at best the second shift since server reboot. Session Ids should have been no more than 200. When logins were disabled, the number of instances of csrss.exe started falling. Basically it takes quite a while for csrss.exe to die after an aborted login attempt. So if the aborted login attempts are frequent enough, there will be a net increase in the number of instances of csrss.exe on a server. Still have to track down the offending machine, but I guess this rates as an ICA denial of service attack. One to watch out for. Regards, Rick Ulrich Mack rmack@xxxxxxxxxxxxxx Volante Solutions 18 Heussler Terrace, Milton 4064 Queensland Australia. tel +61 7 3246 7777 ********************************************************* This Week's Sponsor - Neoware Now through March 31, 2003 Neoware is offering a Capio 500/Eon Proven 2100 for $299! Click the link below: http://www.neoware.com/promocp4a/thinnetban.html ********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm