Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like


1,597 views

Softpedia

Today I received an e-mail from Softpedia telling me that they have listed one of my commandline tools, LaunchRDP. I don’t know how they found or why they think that it should be listed, but it’s nice to see that they respect the author and informed me. If you want to rate it, here’s your chance!

5,017 views

If you develop an application for Terminal Server you might want to react on session events. This means that your application is notified when a user logs on, logs off or becomes idle. This can be done with the WTSWaitSystemEvent function. Implementing it is rather simple and could look something like this:

Notice that you would probably do this from a seperate thread otherwise you will block the main thread. To stop waiting for Events you send a special event:

Please note that there are at least 2 issues with this API, one with Windows 2000 and one with Windows Vista. On Windows 2000 events are reported twice for each actual event. Microsoft’s resolution?

The application should expect the event twice, and filter out the second occurrence.

Now how do we solve this? I would suggest introducing a small delay after an event trigger, this way you will probably not receive the duplicate event.

On Windows Vista there’s another issue: After you set the value of the EventMask parameter to WTS_EVENT_FLUSH in the WTSWaitSystemEvent function, no pending calls to the function return on a Windows Vista-based computer. Now what does this mean? It means that after sending WTS_EVENT_FLUSH the thread never responds! So there’s actually no nice way to end the thread, the only escape is a call to TerminateThread.

Microsoft does offer a hotfix, so my suggestion is a check on startup that will notify the user that he/she needs to install the hotfix. A version check can be done on winsta.dll, the version before the fix is 6.0.6000.16386. Hotfix version is 6.0.6000.20664. According to this article the fix will be included in Vista SP1.

References:

6,008 views

Have you ever tried running the Terminal Server Administration tool (aka TSAdmin) on Windows Vista? You would need it to remotely administer windows 2000/2003 Terminal Servers. If you try to run it you will get an Access Violation but why? I found the answer to this question today because I was testing my TSAdmin replacement on different Windows versions. Just like TSAdmin I use an (undocumented) function from Utildll.dll called ElapsedTimeString. It’s a very simple function that returns a formatted elapsed time string (as seen in the Idle time column from TSAdmin).

While my TSAdminEx ran fine on Windows XP, 2003 and even 2008 it would crash on Vista. Investigation showed that the stack was corrupted in the process of enumerating processes and sessions. Eventually I pinned it down to ElapsedTimeString but could not understand what went wrong. At least not until I investigated Utildll.dll version from Windows Vista. In what was probably an attempt from Microsoft to produce safer code they replaced wsprintfW by StringCchPrintfW. But StringCchPrintfW has an additional parameter (count of characters) so they introduced a new parameter to ElapsedTimeString. Now that’s not a smart decision as this directly breaks compatibility with software that uses this API, but they probably thought that it wasn’t issue since TSAdmin is not included with Vista (I don’t know of any other MS tool that uses this API).

But why doesn’t the Access Violation appear on Server 2008? Is this still using wsprintfW for string formatting? The answer is no, they also use StringCchPrintfW but use a fixed 15 character length. (so they “fixed” the issue).

That leaves you with 2 options if you still want to use TSAdmin on Vista:

  1. Patch TSAdmin or Utildll
  2. Use my TSAdminEx instead which also offers some extra functionality over TSAdmin (I hope to finish it soon, should you wish to beta test then leave a comment).

For now I’ll leave you with a screenshot (click to enlarge) of the current Beta version. As you can see it returns detailed information in the process tab like Memory Usage, Virtual Memory Usage, CPU Time and Process Age.

TSAdminEx Beta Screenshot

1,572 views

Several of Microsoft’s Terminal Server tools use undocumented API’s from Utildll.dll. For instance Terminal Server Admin uses it to get a localised connect state string and to format time strings like idle time, logon time etc.

Functions below seems to be the most usefull ones, I will add those to the JwaWinsta unit:

  • function StrConnectState (returns localised string of the given ConnectState)
  • DateTimeString (returns formatted date timestring according to user’s timesettings)
  • function CurrentDateTimeString (like the name says)
  • function ElapsedTimeString (returns formatted string with elapsed time as in TSAdmin)
  • function CalculateElapsedTime (returns elapsed time in seconds)
  • function CalculateDiffTime (returns time difference in seconds)
  • function GetUnknownString (returns localised “unknown” string)

Citrix has it’s own version of this DLL called CUtildll.dll which is similar but uses (Citrix) MUI for localising strings.

3,163 views

Datarescue has release IDA 4.9 as freeware. IDA Pro is the de-facto standard for the analysis of hostile code, vulnerability research and reverse engineering in general. You can find IDA freeware here: http://www.datarescue.com/idabase/idadownfreeware.htm

7,732 views

When an application is not Terminal Server aware (also known as a legacy application), Terminal Server makes certain modifications to the legacy application to make it work properly in a multiuser environment. For example, Terminal Server will create a virtual Windows folder, such that each user gets a Windows folder instead of getting the system’s Windows directory. This gives users access to their own INI files. In addition, Terminal Server makes some adjustments to the registry for a legacy application. These modifications slow the loading of the legacy application on Terminal Server and require up to 8 MegaBytes extra memory. This behaviour can be avoided if the TSAware flag is present in the PE header of an executable as can be read here at MSDN.

But how do we set this property in Delphi?

In Windows.pas we can see that the constant is defined:

But how to use this in your application?
Add the line

somewhere below the uses clause and we’re done!

Offcourse you are now responsible for making your application Terminal Server compliant which according to Microsoft means: If an application is Terminal Server aware, it must neither rely on INI files nor write to the HKEY_CURRENT_USER registry during setup.

4,215 views

I was contact by Danila Galimov a while ago because he was working with my JwaWinsta unit. Together we were able (and are still working on) uncovering more of the undocumented API’s in winsta.dll.

 We found several new classes for WinStationQueryInformationW that return lots of information:

  • The user’s password (under special circumstances).
  • The Windows Product ID (server and client’s).
  • Client Info such as Timezone information.

We got the following API’s working:

  • WinStationGetAllProcesses
  • WinStationGetTermSrvCountersValue (“QWinsta /Counter”)
  • WinStationFreeGAPMemory
  • WinStationSendMessage
  • WinStationCloseServer
  • WinStationDisconnect
  • WinStationReset
  • WinStationShutdownSystem

Further testing is needed to determine if the functions work on different OS versions and produce the same results.

4,062 views

There were 2 ways (known to me) of extending Windows XP to offer mulitple concurrent Terminal Sessions. One with the RC1 version of XP SP2 and one that patches Winlogon and Termsrv.dll. The latter offers not only multiple sessions but also multiple sessions under the same account and sessions to the local machine.

Seems like the someone hacked Windows Vista Terminal server too by patching Termsrv.dll. Read more at source.

3,066 views

I added some more undocumented API’s to my Jwawinsta unit, the unit is now becoming a collection of the undocumented API’s in winsta.dll.

These are the functions I added:

  • WinStationDisconnect
  • WinStationGetProcessSid
  • CachedGetUserFromSid (exported by utildll.dll)

I also added some more parts of the undocumented structure returned by WinStationQueryInformationW, it now contains:

  • Session State
  • WinStationName
  • SessionId
  • ConnectTime
  • DisconnectTime
  • LastInputTime
  • LogonTime
  • OutgoingFrames
  • OutgoingBytes
  • OutgoingCompressedBytes
  • IncomingCompressedBytes
  • IncomingFrames
  • IncomingBytes
  • Domain
  • Username
  • CurrentTime
3,046 views

If you want to get rid of this message: 

Remote Desktop cannot verify the identity of the computer you want to connect to.  This problem can occur if:

1) The remote computer is running a version of Windows that is earlier than Windows Vista.
2) The remote computer is configured to support only the RDP security layer.

Contact your network administrator or the owner of the remote computer for assistance.

Do you want to connect anyway?

Set the DWORD value AuthenticationLevelOverride of HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride to 0.

Read more on Scott Forsyth’s blog

Donate


Blogroll


Categories


Archives