About Terminal Server, Citrix, Delphi and other stuff
23 Dec
In part 1 I showed how winlogon.exe registers its process and main window handle.
In the SasCreate function, winlogon.exe registers hotkeys like this:
const
  MOD_SAS = $8000;

RegisterHotKey(SasWindow, 0, MOD_SAS or MOD_CONTROL or MOD_ALT, VK_DELETE);
{$IFDEF CHECKED_BUILD}
RegisterHotKey(SasWindow, 1, MOD_ALT or MOD_CONTROL or MOD_SHIFT, VK_DELETE); // handler just calls NtShutdownSystem
if EnableDesktopSwitching then
  RegisterHotKey(SasWindow, 2, MOD_ALT or MOD_CONTROL, VK_TAB); // handler switches default and winlogon desktops
if WinlogonInfoLevelFlag then
  RegisterHotKey(SasWindow, 3, MOD_ALT or MOD_CONTROL or MOD_SHIFT, VK_TAB); // handler just calls DebugBreak
{$ENDIF}
RegisterHotKey(SasWindow, 4, MOD_CONTROL or MOD_SHIFT, VK_ESCAPE); // handler executes task manager
{$IFDEF WINXP_OR_LATER}
RegisterHotKey(SasWindow, 5, MOD_WIN, Byte('L')); // handler locks the workstation
RegisterHotKey(SasWindow, 6, MOD_WIN, Byte('U')); // handler executes utilman on current desktop
{$ENDIF}
Did you notice the MOD_SAS constant? (more…)
19 Dec
Windows XP X64 shares the same binaries with Windows 2003 X64, but Terminal Server has some restrictions on XP. This article shows you how to get rid of them and is based on cw2k's ideas from the original Windows XP Terminal Server patch.
Version 1.1 contains the fix for bug #1 and is smaller (fewer bytes are changed).
1) Winlogon.exe contains a function called EnumerateMatchingUsers, which in turn calls the IsProfessionalTerminalServer function. We need to patch this function to return zero (false):
.text:0000000100042F77 IsProfessionalTerminalServer proc near ; CODE XREF: EnumerateMatchingUsers:loc_10002B44Bp
.text:0000000100042F77 ; DATA XREF: .pdata:00000001000D01DCo …
.text:0000000100042F77
.text:0000000100042F77 VersionInformation= _OSVERSIONINFOW ptr -138h
.text:0000000100042F77 var_20 = word ptr -20h
.text:0000000100042F77 var_1E = byte ptr -1Eh
.text:0000000100042F77 var_18 = qword ptr -18h
.text:0000000100042F77
.text:0000000100042F77 48 81 EC 58 01 00 00 sub rsp, 158h => 31 C0 C3 xor eax, eax; retn
.text:0000000100042F7E 48 8B 05 F3 3A 08 00 mov rax, cs:__security_cookie
.text:0000000100042F85 48 89 84 24 40 01 00 00 mov [rsp+158h+var_18], rax
.text:0000000100042F8D 48 8D 4C 24 20 lea rcx, [rsp+158h+VersionInformation] ; void *
.text:0000000100042F92 33 D2 xor edx, edx ; int
19 Dec
On a Citrix or Terminal Server you will want to disable the Flash Player auto-update notifications.
This can be done by creating a file named mm.cfg in the folder where the Flash ActiveX control is installed (normally C:\Windows\System32\Macromed\Flash).
Place the following line in this file (with a text editor like Notepad):
AutoUpdateDisable=1
Be sure to save the file with UTF-8 encoding; this can be selected in the Save As dialog in Notepad:

Of course you are aware that only certain Flash versions are supported (and optimized) in Citrix? At this time these versions are: 7a, 8, 8b, 9, 9c, and 9d.
13 Dec
The Win32 API provides only one function for locking the workstation, named LockWorkStation. What does it do and how can we use it?
When a new session is started, smss.exe invokes winlogon.exe. It registers its process id in win32k.sys by calling RegisterLogonProcess. It has this prototype: (more…)
10 Dec
Windows has a couple of different formats for volume names, but it is not obvious how to convert a volume name (example: \\?\Volume{GUID}\) to a device name (example: \Device\HarddiskVolume1).
I found that you can use the QueryDosDevice function, but you need to remove the preceding \\?\ and the trailing \ of the VolumeName:
function VolumeNameToDeviceName(const VolName: String): String;
var
  s: String;
  TargetPath: array[0..MAX_PATH] of WideChar;
  bSucceeded: Boolean;
begin
  Result := '';
  // VolumeName has a format like this: \\?\Volume{c4ee0265-bada-11dd-9cd5-806e6f6e6963}\
  // We need to strip this to Volume{c4ee0265-bada-11dd-9cd5-806e6f6e6963}
  s := Copy(VolName, 5, Length(VolName) - 5);
  // QueryDosDevice returns a double-null terminated list of target names;
  // the first entry is the current mapping, which is what we want.
  bSucceeded := QueryDosDeviceW(PWideChar(WideString(s)), TargetPath, MAX_PATH) <> 0;
  if bSucceeded then
  begin
    Result := TargetPath;
  end
  else begin
    // Surface the Win32 error (e.g. ERROR_FILE_NOT_FOUND for an unknown volume)
    RaiseLastOSError;
  end;
end;
9 Dec
One of the side effects of using sysprep to prepare an image is that drive letter assignments are reset to default. This behaviour is documented in a knowledge base article.
I previously solved this by running a diskpart script, but that needed a custom script for each system (if the disk or partition order differs, the script needs to be adjusted). So I needed to run a restore with sysprep, determine the drive layout after sysprep, change the script, and test by restoring again. So I wrote a command-line tool that can change a drive letter assignment based on the volume label.
9 Dec
A while ago I published a patch for Windows 2003 Terminal Server that allows more than 2 concurrent sessions in Remote Administration mode.
Today I publish the same patch but for Windows Server 2003 X64. The patched function (CRAPolicy::Logon) is the same as in the original patch.
9 Dec
Up until now I have used VPatch for all my patches. The disadvantage of VPatch is that it uses strict MD5 hash checks. This means that a patch can only be applied to exactly the same file the patch was based on (exact same build and language).
Because many people are asking for patches for other builds and languages, I decided to move over to another patch mechanism. This will use search & replace on specific hex bytes.
The consequence is that patching another build or language version is possible. However, there is no absolute certainty that the patch will work on other builds or languages. Of course the patcher will only patch if the specific bytes were found, which is safer than patching at a fixed offset.
It’s up to the user to carefully test the patched file and hopefully report back to me if it’s working.
Now I will describe how to use this universal patcher.
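A search-and-replace patch is only safe when its byte sequence occurs exactly once, and the same rule lets you verify afterwards whether a file is untouched, patched, or a build the patch does not know. The following check (an added Python example, not the author's patcher) does that for the IsProfessionalTerminalServer site described above; it assumes the 1.1 patch rewrites only the first three bytes of the sub rsp,158h instruction and leaves the rest of the listed sequence in place, and the sample images it scans are constructed, not real winlogon.exe binaries.

```python
# Added example, not from the original post: classify a binary's state at a
# search-and-replace patch site. Patterns use the "hex bytes" notation of the
# post; the sample images below are constructed stand-ins, not real files.
from typing import List

# Bytes listed in the disassembly above: sub rsp,158h / mov rax,cs:__security_cookie
ORIGINAL = "48 81 EC 58 01 00 00 48 8B 05 F3 3A 08 00"
# Assumption: 1.1 only rewrites the first three bytes (xor eax,eax / retn)
PATCHED = "31 C0 C3 58 01 00 00 48 8B 05 F3 3A 08 00"
FILLER = b"\xcc" * 16  # constructed padding around the patch site


def parse_hex(pattern: str) -> bytes:
    """Turn '48 81 EC' into b'\\x48\\x81\\xec'; malformed tokens raise ValueError."""
    return bytes(int(tok, 16) for tok in pattern.split())


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def classify_patch_site(data: bytes, original: str, patched: str) -> str:
    """'original' or 'patched' only when that form occurs exactly once and the
    other not at all; 'absent' when neither is present (another build or
    language, so a byte-pattern patch must leave the file alone); otherwise
    'ambiguous', meaning no search-and-replace decision is safe."""
    orig_hits = find_all(data, parse_hex(original))
    patch_hits = find_all(data, parse_hex(patched))
    if len(orig_hits) == 1 and not patch_hits:
        return "original"
    if len(patch_hits) == 1 and not orig_hits:
        return "patched"
    if not orig_hits and not patch_hits:
        return "absent"
    return "ambiguous"


def sample_image(variant: str) -> bytes:
    """Constructed stand-in binaries: 'original', 'patched', 'double', 'other'."""
    orig, pat = parse_hex(ORIGINAL), parse_hex(PATCHED)
    body = {"original": orig, "patched": pat,
            "double": orig + FILLER + orig, "other": b"\x90" * 14}[variant]
    return FILLER + body + FILLER


def classify_file(path: str) -> str:
    """Run the check on a real file on disk."""
    with open(path, "rb") as fh:
        return classify_patch_site(fh.read(), ORIGINAL, PATCHED)
```

Because the sequence includes a build-specific RIP-relative offset (F3 3A 08 00), a file from another build reports "absent" rather than silently matching.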