Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like


I just wanted to show some of the progress that I made in development of TSAdminEx. I thought the best way would be to show some screenshots. Which reminds me I installed a nice Javascript to enlarge the thumbnails, click to see it…

Edit: A beta is ready!

This screenshot shows TSAdminEx after startup. In the Left Treeview you can see the This Computer, Favorites and All Listed Servers icon. On Startup all available domains are enumerated.
Here you see the Users tab. If you move the mouse over some columns you can get extra info in the hint. In this hint you get the actual shadow permissions of the highlighted session.
This is the Sessions tab where extra details of a session are shown. By default you can see sessions statistics such as Incomingbytes and Outgoingbytes, this makes it easy to identify sessions that have much traffic.Interesting detail is that the Remote Address column lists the real ip address that is connected to Terminal Server! Hovering the mouse also shows the port number.
Now the Process tab is my favorite! It lists far more details than TSAdmin and also some usefull columns that cannot be show with TSAdmin or any documented Terminal Server API!The Process Age columns shows how long the process is running. You can compare this with the CPU Time column to see how much CPU Time the process has allocated since startup.The Mem Usage shows the amount of physical RAM a process uses while the VM Size column shows the amount of Private Bytes (Virtual Memory) a process uses.
If you click on a domain in the Left Treeview, TSAdminEx will enumerate all Terminal Servers for that domain. You can continue using and even enumerate multiple domains, because enumeration is done from seperate threads!
If you select (highlight) a particular session the appropriate toolbar buttons are enabled or disabled automically indicating the actions that can be performed on the selected session.
And offcourse, an about dialog…

Hope you like it! Comments are open…



Today I received an e-mail from Softpedia telling me that they have listed one of my commandline tools, LaunchRDP. I don’t know how they found or why they think that it should be listed, but it’s nice to see that they respect the author and informed me. If you want to rate it, here’s your chance!


If you develop an application for Terminal Server you might want to react on session events. This means that your application is notified when a user logs on, logs off or becomes idle. This can be done with the WTSWaitSystemEvent function. Implementing it is rather simple and could look something like this:

Notice that you would probably do this from a seperate thread otherwise you will block the main thread. To stop waiting for Events you send a special event:

Please note that there are at least 2 issues with this API, one with Windows 2000 and one with Windows Vista. On Windows 2000 events are reported twice for each actual event. Microsoft’s resolution?

The application should expect the event twice, and filter out the second occurrence.

Now how do we solve this? I would suggest introducing a small delay after an event trigger, this way you will probably not receive the duplicate event.

On Windows Vista there’s another issue: After you set the value of the EventMask parameter to WTS_EVENT_FLUSH in the WTSWaitSystemEvent function, no pending calls to the function return on a Windows Vista-based computer. Now what does this mean? It means that after sending WTS_EVENT_FLUSH the thread never responds! So there’s actually no nice way to end the thread, the only escape is a call to TerminateThread.

Microsoft does offer a hotfix, so my suggestion is a check on startup that will notify the user that he/she needs to install the hotfix. A version check can be done on winsta.dll, the version before the fix is 6.0.6000.16386. Hotfix version is 6.0.6000.20664. According to this article the fix will be included in Vista SP1.



Have you ever tried running the Terminal Server Administration tool (aka TSAdmin) on Windows Vista? You would need it to remotely administer windows 2000/2003 Terminal Servers. If you try to run it you will get an Access Violation but why? I found the answer to this question today because I was testing my TSAdmin replacement on different Windows versions. Just like TSAdmin I use an (undocumented) function from Utildll.dll called ElapsedTimeString. It’s a very simple function that returns a formatted elapsed time string (as seen in the Idle time column from TSAdmin).

While my TSAdminEx ran fine on Windows XP, 2003 and even 2008 it would crash on Vista. Investigation showed that the stack was corrupted in the process of enumerating processes and sessions. Eventually I pinned it down to ElapsedTimeString but could not understand what went wrong. At least not until I investigated Utildll.dll version from Windows Vista. In what was probably an attempt from Microsoft to produce safer code they replaced wsprintfW by StringCchPrintfW. But StringCchPrintfW has an additional parameter (count of characters) so they introduced a new parameter to ElapsedTimeString. Now that’s not a smart decision as this directly breaks compatibility with software that uses this API, but they probably thought that it wasn’t issue since TSAdmin is not included with Vista (I don’t know of any other MS tool that uses this API).

But why doesn’t the Access Violation appear on Server 2008? Is this still using wsprintfW for string formatting? The answer is no, they also use StringCchPrintfW but use a fixed 15 character length. (so they “fixed” the issue).

That leaves you with 2 options if you still want to use TSAdmin on Vista:

  1. Patch TSAdmin or Utildll
  2. Use my TSAdminEx instead which also offers some extra functionality over TSAdmin (I hope to finish it soon, should you wish to beta test then leave a comment).

For now I’ll leave you with a screenshot (click to enlarge) of the current Beta version. As you can see it returns detailed information in the process tab like Memory Usage, Virtual Memory Usage, CPU Time and Process Age.

TSAdminEx Beta Screenshot


Several of Microsoft’s Terminal Server tools use undocumented API’s from Utildll.dll. For instance Terminal Server Admin uses it to get a localised connect state string and to format time strings like idle time, logon time etc.

Functions below seems to be the most usefull ones, I will add those to the JwaWinsta unit:

  • function StrConnectState (returns localised string of the given ConnectState)
  • DateTimeString (returns formatted date timestring according to user’s timesettings)
  • function CurrentDateTimeString (like the name says)
  • function ElapsedTimeString (returns formatted string with elapsed time as in TSAdmin)
  • function CalculateElapsedTime (returns elapsed time in seconds)
  • function CalculateDiffTime (returns time difference in seconds)
  • function GetUnknownString (returns localised “unknown” string)

Citrix has it’s own version of this DLL called CUtildll.dll which is similar but uses (Citrix) MUI for localising strings.


Datarescue has release IDA 4.9 as freeware. IDA Pro is the de-facto standard for the analysis of hostile code, vulnerability research and reverse engineering in general. You can find IDA freeware here:


When an application is not Terminal Server aware (also known as a legacy application), Terminal Server makes certain modifications to the legacy application to make it work properly in a multiuser environment. For example, Terminal Server will create a virtual Windows folder, such that each user gets a Windows folder instead of getting the system’s Windows directory. This gives users access to their own INI files. In addition, Terminal Server makes some adjustments to the registry for a legacy application. These modifications slow the loading of the legacy application on Terminal Server and require up to 8 MegaBytes extra memory. This behaviour can be avoided if the TSAware flag is present in the PE header of an executable as can be read here at MSDN.

But how do we set this property in Delphi?

In Windows.pas we can see that the constant is defined:

But how to use this in your application?
Add the line

somewhere below the uses clause and we’re done!

Offcourse you are now responsible for making your application Terminal Server compliant which according to Microsoft means: If an application is Terminal Server aware, it must neither rely on INI files nor write to the HKEY_CURRENT_USER registry during setup.


I was contact by Danila Galimov a while ago because he was working with my JwaWinsta unit. Together we were able (and are still working on) uncovering more of the undocumented API’s in winsta.dll.

 We found several new classes for WinStationQueryInformationW that return lots of information:

  • The user’s password (under special circumstances).
  • The Windows Product ID (server and client’s).
  • Client Info such as Timezone information.

We got the following API’s working:

  • WinStationGetAllProcesses
  • WinStationGetTermSrvCountersValue (“QWinsta /Counter”)
  • WinStationFreeGAPMemory
  • WinStationSendMessage
  • WinStationCloseServer
  • WinStationDisconnect
  • WinStationReset
  • WinStationShutdownSystem

Further testing is needed to determine if the functions work on different OS versions and produce the same results.


There were 2 ways (known to me) of extending Windows XP to offer mulitple concurrent Terminal Sessions. One with the RC1 version of XP SP2 and one that patches Winlogon and Termsrv.dll. The latter offers not only multiple sessions but also multiple sessions under the same account and sessions to the local machine.

Seems like the someone hacked Windows Vista Terminal server too by patching Termsrv.dll. Read more at source.


I added some more undocumented API’s to my Jwawinsta unit, the unit is now becoming a collection of the undocumented API’s in winsta.dll.

These are the functions I added:

  • WinStationDisconnect
  • WinStationGetProcessSid
  • CachedGetUserFromSid (exported by utildll.dll)

I also added some more parts of the undocumented structure returned by WinStationQueryInformationW, it now contains:

  • Session State
  • WinStationName
  • SessionId
  • ConnectTime
  • DisconnectTime
  • LastInputTime
  • LogonTime
  • OutgoingFrames
  • OutgoingBytes
  • OutgoingCompressedBytes
  • IncomingCompressedBytes
  • IncomingFrames
  • IncomingBytes
  • Domain
  • Username
  • CurrentTime