Article ID: 118366, created on Nov 1, 2013, last review on May 11, 2014

  • Applies to:
  • Virtuozzo
  • Virtuozzo hypervisor


There are a lot of prl_tools.exe processes (~1000) hanging in the Virtual Machine, using large amount of RAM. You can see them using "RAMMAP" utility, they won't be seen via Task manager.

In Event Viewer you can see a lot of events like the one below:

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          9/30/2013 5:21:21 AM
Event ID:      1012
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      host
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.


An instance of prl_tools process is started on each launch on winlogon inside of Virtual Machine. Thus, on each login attempt a new prl_tools instance will be started. Normally it is closed when this RDP session is closed, however when Virtual Machine is under DDoS attack the process prl_tools might not be able to exit gracefully, and thus it might be unable to free handles and thus causing high memory usage in this VM.

Parallels Tools behavior under DDoS should be improved in scope of a request PSBM-23129.


This Parallels Tools behavior will be improved in one of the future releases. Meanwhile please secure your host from DDoS attacks, there are few options to do it:

  • Configure firewall rules for RDP port (the default port number is 3389) and allow connection only from Trusted Hosts.
  • Change RDP port from default 3389 to custom one, known only to owner of Virtual Machine, follow this MS article: How to change the listening port for Remote Desktop.
  • Enable Network-Layer Authentication as described in this MS article: Configure Network Level Authentication. That would allow you to survive load caused by attacks as with enabled NLA Windows doesn't spawn winlogon and prl_tools processes on each login attempt - the processes are started after passing the authorization only.

Search Words

Remote session from client name a exceeded the maximum allowed failed logon attempts




memory leak




a26b38f94253cdfbf1028d72cf3a498b 2897d76d56d2010f4e3a28f864d69223 0dd5b9380c7d4884d77587f3eb0fa8ef

Email subscription for changes to this article
Save as PDF