In part 1 I showed how to remove some terminal server restrictions on Windows XP x64, but a few problems remain:
1) You cannot connect to localhost (127.0.0.1), although you can connect to 127.a.b.c for any a, b, c in [0..255] (except 127.0.0.0 and 127.255.255.255).
When you connect to a remote server, Remote Desktop Connection (mstsc.exe) checks, through mstscax.dll, whether you are connecting to your own address, whether connections are allowed and whether you are in server mode; if this check is not satisfied, the connection is denied, usually with this message: . The check itself is simple: call gethostbyname for the server name and compare the result with 127.0.0.1. So a very simple patch works: find 7F 00 00 01 (127.0.0.1) and replace it with some invalid network address, for example FF FF FF FF (255.255.255.255).
This works for all known versions of mstscax.dll (from 5.1 up to Windows 7; version 5.0, shipped with Windows 2000 Server, does not have this restriction at all).
2) When FUS (Fast User Switching) is active, you get some ‘strange’ results when connecting via RDP: when you press CAD (Ctrl+Alt+Del), Task Manager pops up, and if you try to lock your workstation, for example by calling the LockWorkStation API, it just disconnects your session. This is the default behaviour of Windows XP; let’s see what we can do about it.
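The check described above is an equality test against a single address, which is exactly why every other 127.x.y.z literal slips past it. The Python below is an added example (not the post’s code and not anything taken from mstscax.dll): it places the naive comparison next to a check over the whole loopback range, and takes an injectable `resolver` standing in for gethostbyname, with a constructed name table, so it runs offline.

```python
import ipaddress
import socket

def resolve(host, resolver=socket.gethostbyname):
    """Return host as an IP literal; numeric literals pass through, names go to resolver."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolver(host)

def naive_self_connect_check(host, resolver=socket.gethostbyname):
    """The check the post describes: the resolved address compared with exactly 127.0.0.1."""
    return resolve(host, resolver) == "127.0.0.1"

def robust_self_connect_check(host, resolver=socket.gethostbyname):
    """Treat the whole 127.0.0.0/8 block and ::1 as loopback (ipaddress's is_loopback)."""
    return ipaddress.ip_address(resolve(host, resolver)).is_loopback

def missed_by_naive_check(hosts, resolver=socket.gethostbyname):
    """Hosts that are loopback addresses but still pass the naive equality test."""
    return [h for h in hosts
            if robust_self_connect_check(h, resolver) and not naive_self_connect_check(h, resolver)]

# Constructed name table standing in for gethostbyname so the example needs no network.
FAKE_DNS = {"localhost": "127.0.0.1", "loopback-alias": "127.10.20.30", "fileserver": "10.0.0.5"}

def fake_resolver(name):
    return FAKE_DNS[name]

if __name__ == "__main__":
    hosts = ["localhost", "loopback-alias", "fileserver", "127.255.255.254", "::1"]
    for h in hosts:
        print(f"{h:18} naive={naive_self_connect_check(h, fake_resolver)!s:5} "
              f"robust={robust_self_connect_check(h, fake_resolver)}")
    print("missed by the naive check:", missed_by_naive_check(hosts, fake_resolver))
```

The post also notes that 127.0.0.0 and 127.255.255.255 cannot be connected to; the range-based check still classifies them as loopback, which is the conservative answer for a guard. The broader point for a defender is that this is a client-side policy check: whatever form it takes, it lives in code the user controls and can be patched out, so the restriction it expresses has to be enforced by the server if it matters.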
Msgina.dll has an undocumented function, exported by ordinal 3, named ShellIsFriendlyUIActive:

BOOL ShellIsFriendlyUIActive(void);

It is a wrapper for the function

static bool CSystemSettings::IsFriendlyUIActive(void);

which is used to determine whether the welcome screen is being displayed. In turn, that function calls

static bool CSystemSettings::IsDomainMember(void);

and then

static bool CSystemSettings::IsNetwareActive(void);
What if we overwrite one of them so that it returns true when we are in an active RDP session and false otherwise? Let’s write such a function:

#include <windows.h>
#include <wtsapi32.h>   /* WTS_CONNECTSTATE_CLASS, WTSActive */
/* WinStationQueryInformationW, SERVERNAME_CURRENT and LOGONID_CURRENT live in the
   undocumented winsta.dll; declare the prototypes yourself if your SDK lacks winsta.h. */

bool IsRpdSessionActive()
{
    WTS_CONNECTSTATE_CLASS ConnectState;
    ULONG res;
    /* SM_REMOTESESSION: are we running inside a terminal server session at all? */
    return GetSystemMetrics(SM_REMOTESESSION)
        /* undocumented information class 37 fills ConnectState for the current session */
        && WinStationQueryInformationW((HANDLE)SERVERNAME_CURRENT, LOGONID_CURRENT,
                                       (WINSTATIONINFOCLASS)37, &ConnectState,
                                       sizeof(ConnectState), &res)
        /* ...and that session must be Active (not disconnected, shadowing, etc.) */
        && WTSActive == ConnectState;
}

If we compile this function to x64 code, we get assembler code like the following:
.text:0000000140001170
.text:0000000140001170 ; =============== S U B R O U T I N E =======================================
.text:0000000140001170
.text:0000000140001170
.text:0000000140001170 ; bool IsRpdSessionActive(void)
.text:0000000140001170 ?IsRpdSessionActive@@YA_NXZ proc near ; DATA XREF: main+131o
.text:0000000140001170 ; .pdata:000000014000400Co
.text:0000000140001170
.text:0000000140001170 var_18 = dword ptr -18h
.text:0000000140001170 var_10 = qword ptr -10h
.text:0000000140001170 arg_0 = dword ptr 8
.text:0000000140001170 arg_8 = byte ptr 10h
.text:0000000140001170
.text:0000000140001170 48 83 EC 38 sub rsp, 38h
.text:0000000140001174 B9 00 10 00 00 mov ecx, 1000h ; nIndex
.text:0000000140001179 FF 15 D1 0F 00 00 call cs:__imp_GetSystemMetrics
.text:000000014000117F 85 C0 test eax, eax
.text:0000000140001181 74 3A jz short loc_1400011BD
.text:0000000140001183 48 8D 44 24 48 lea rax, [rsp+38h+arg_8]
.text:0000000140001188 4C 8D 4C 24 40 lea r9, [rsp+38h+arg_0]
.text:000000014000118D 41 B8 25 00 00 00 mov r8d, 25h
.text:0000000140001193 48 89 44 24 28 mov [rsp+38h+var_10], rax
.text:0000000140001198 83 CA FF or edx, 0FFFFFFFFh
.text:000000014000119B 33 C9 xor ecx, ecx
.text:000000014000119D C7 44 24 20 04 00 00 00 mov [rsp+38h+var_18], 4
.text:00000001400011A5 FF 15 B5 0F 00 00 call cs:__imp_WinStationQueryInformationW
.text:00000001400011AB 84 C0 test al, al
.text:00000001400011AD 74 0E jz short loc_1400011BD
.text:00000001400011AF 83 7C 24 40 00 cmp [rsp+38h+arg_0], 0
.text:00000001400011B4 75 07 jnz short loc_1400011BD
.text:00000001400011B6 B0 01 mov al, 1
.text:00000001400011B8 48 83 C4 38 add rsp, 38h
.text:00000001400011BC C3 retn
.text:00000001400011BD ; ---------------------------------------------------------------------------
.text:00000001400011BD
.text:00000001400011BD loc_1400011BD: ; CODE XREF: IsRpdSessionActive(void)+11j
.text:00000001400011BD ; IsRpdSessionActive(void)+3Dj …
.text:00000001400011BD 32 C0 xor al, al
.text:00000001400011BF 48 83 C4 38 add rsp, 38h
.text:00000001400011C3 C3 retn
.text:00000001400011C3 ?IsRpdSessionActive@@YA_NXZ endp
.text:00000001400011C3 ; ---------------------------------------------------------------------------
So we can replace one of these functions, for example CSystemSettings::IsNetwareActive, with ours (if we are not using NetWare, which is a pretty rare case :-) ). Since our code is position-independent (it can safely be placed anywhere), the only things to correct are the operands of the calls to GetSystemMetrics and WinStationQueryInformationW, because those import table entries are located at other addresses in msgina.dll.
Now, when we press CAD in an RDP session, we see a screen like this:
while in console sessions the FUS screen works and looks as usual.
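The two `call cs:__imp_…` instructions in the listing are `FF 15 rel32` encodings: the processor reads the real target from an import address table slot located at (address of the next instruction + rel32), so the rest of the code can move freely but these two operands cannot. The Python below is an added example, not code from the post: it decodes the two calls exactly as they appear in the listing (the IAT slot addresses it produces are computed from the listing, not stated on the page) and shows how the displacement has to change when the same instruction is placed at a different address.

```python
import struct

# The two import calls copied from the listing above: (instruction address, encoded bytes).
LISTING_CALLS = {
    "GetSystemMetrics":            (0x140001179, bytes.fromhex("FF15D10F0000")),
    "WinStationQueryInformationW": (0x1400011A5, bytes.fromhex("FF15B50F0000")),
}

def decode_iat_call(addr, code):
    """For an 'FF 15 rel32' call at addr, return the absolute address of the IAT slot it reads."""
    if len(code) != 6 or code[:2] != b"\xff\x15":
        raise ValueError("not a RIP-relative indirect call (FF 15 rel32)")
    rel32 = struct.unpack("<i", code[2:6])[0]   # little-endian signed displacement
    return addr + 6 + rel32                      # RIP = address of the next instruction

def encode_iat_call(addr, iat_slot):
    """Encode a call through iat_slot for an instruction that will live at addr."""
    rel32 = iat_slot - (addr + 6)
    if not -2**31 <= rel32 < 2**31:
        raise ValueError("slot not reachable with a signed 32-bit displacement")
    return b"\xff\x15" + struct.pack("<i", rel32)

def relocate_iat_call(code, old_addr, new_addr):
    """Re-encode so the call at new_addr still reads the same IAT slot it read at old_addr."""
    return encode_iat_call(new_addr, decode_iat_call(old_addr, code))

def iat_slots():
    """IAT slot address for each call in the listing, keyed by import name."""
    return {name: decode_iat_call(addr, code) for name, (addr, code) in LISTING_CALLS.items()}

if __name__ == "__main__":
    for name, slot in iat_slots().items():
        print(f"{name:28} reads its target from IAT slot 0x{slot:X}")
    addr, code = LISTING_CALLS["GetSystemMetrics"]
    moved = relocate_iat_call(code, addr, addr + 0x100)
    print(f"same call placed 0x100 bytes later: {moved.hex(' ')}")
```

The bytes D1 0F 00 00 in the listing are the little-endian form of 0x0FD1; adding that to the address of the following instruction (0x14000117F) gives the slot the loader fills with the address of GetSystemMetrics. Move the instruction and the slot stays put, so rel32 must shrink or grow by the same amount the code moved.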
Please note that this patch is for msgina.dll from Windows XP x64 SP2 build 5.2.3790.3959 EXACTLY. If you have another version of msgina.dll, you will have to repeat all of these steps and create the patch yourself!
Of course, to apply the patches you need to follow the same patching procedure described in part 1.
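Seen from the defender’s side, both patches are in-place modifications of signed system DLLs, so the plain way to notice them is to compare the file on disk with a known-good copy (or its hash) and report exactly which bytes changed. The Python below is an added example, not the post’s tooling and not VPatch; the two byte strings are constructed to mimic a 127.0.0.1 constant replaced with FF FF FF FF and are not real msgina.dll or mstscax.dll contents.

```python
import hashlib
import socket

def fingerprint(data):
    """SHA-256 of a file image; compare with a baseline taken from a trusted install."""
    return hashlib.sha256(data).hexdigest()

def diff_regions(good, current):
    """Return [(offset, original_bytes, new_bytes)] for every run of bytes that differs."""
    if len(good) != len(current):
        raise ValueError("images differ in length; not an in-place byte patch")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(good, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, good[start:i], current[start:i]))
            start = None
    if start is not None:
        regions.append((start, good[start:], current[start:]))
    return regions

def describe(region):
    """Render one diff region; 4-byte runs are also shown as dotted quads, since the
    post's mstscax.dll constant is stored in network byte order (7F 00 00 01)."""
    offset, old, new = region
    text = f"offset 0x{offset:x}: {old.hex()} -> {new.hex()}"
    if len(old) == 4:
        text += f"  ({socket.inet_ntoa(old)} -> {socket.inet_ntoa(new)})"
    return text

def audit(good, current):
    """Return (tampered, human-readable diff lines) for a file image against its baseline."""
    if fingerprint(good) == fingerprint(current):
        return False, []
    return True, [describe(r) for r in diff_regions(good, current)]

# Constructed sample images (not real DLL contents): filler, the 127.0.0.1 constant, filler.
GOOD = bytes(16) + bytes.fromhex("7F000001") + bytes(8)
PATCHED = bytes(16) + bytes.fromhex("FFFFFFFF") + bytes(8)

if __name__ == "__main__":
    tampered, lines = audit(GOOD, PATCHED)
    print("tampered:", tampered)
    for line in lines:
        print(" ", line)
```

On a real system the baseline would come from installation media or a clean machine with the same build; in production you would rather verify the Authenticode signature than keep your own hashes, but the byte-level diff is what tells an incident responder what the modification actually does.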
13 Responses for "Windows XP x64 Terminal Server Patch part 2 (optional)"
Hello, great stuff … where can I read about the Windows XP 32-bit patch with multiple same-user logon?
Thanks 🙂
Hello Tr4d3r,
You can read about 32 bit patch at this link:
http://defcon5.biz/phpBB3/viewtopic.php?f=4&t=1120
Multiple user same logon should be enabled by default. If not, you can open system policy, go to “Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Restrict Terminal Services users to single remote session”, and set it to Disabled.
Hi, how should the patch for GINA be used? It doesn’t seem to be a file for dup2.
You need to use VPatch program for that.
Does this patch work if the computer is part of a domain?
You mean the msgina patch or the mandatory patch? The msgina patch is not required if your computer belongs to a domain; the other patches should work with a domain as well. Do you have any problems with it?
Oops, I meant to post this on the mandatory patch page. I haven’t tried it yet, but saw domains were an issue when trying to do something similar with XP 32. Currently I’m trying to get some other bugs worked out in x64 before trying your patch. I’m considering upgrading to Vista 64 if I can’t work out the bugs (driver issues). Is there something similar to the mandatory patch for Vista 64?
What is the domains issue for XP x86? I’m using XP x86 SP3 at work with this patch enabled and I see no issues. Of course, the FUS screen is disabled, but you can just disconnect the console to get a new session and log on a new user (or you can use the fmlogin custom GINA, which will do it for you).
I didn’t try my patch on a domain configuration, but I don’t think there would be any issues with it. You should check the patches for Vista x64; there were a couple of them floating around on the net.
Hi
I found 2 mstscax.dll in different subdirectories of Windows.
They are of different sizes: which of them should be patched (maybe both)?
Hello Alex,
There are 2 versions of mstsc.exe, 32-bit and 64-bit. You need to patch the version you’re going to use, or both of them.
I have tried to patch msgina.dll with vpatch and MsGinaPatch.pat, and it is exactly Windows XP x64 SP2 build 5.2.3790.3959, but vpatchprompt.exe returns an error: no suitable patch found. I used the command vpatchprompt.exe MsGinaPatch.pat msgina.dll msgina2.dll
Never mind… there are two versions of msgina.dll, one in c:\windows\system32 and one in c:\windows\wow64; the patch works with the msgina.dll from the system32 folder.
daNIL, can you please explain a little bit, or post some links where I can get information on how to disassemble and dig into system DLL files, like you did with termserv.dll? What tools, and how to start with it? Thank you.