Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like



Several of Microsoft's Terminal Server tools use undocumented APIs from Utildll.dll. For instance, Terminal Server Admin uses it to get a localised connect state string and to format time strings such as idle time, logon time, etc.

The functions below seem to be the most useful ones; I will add them to the JwaWinsta unit:

  • function StrConnectState (returns the localised string for the given ConnectState)
  • function DateTimeString (returns a formatted date/time string according to the user's time settings)
  • function CurrentDateTimeString (like the name says)
  • function ElapsedTimeString (returns a formatted string with the elapsed time, as in TSAdmin)
  • function CalculateElapsedTime (returns the elapsed time in seconds)
  • function CalculateDiffTime (returns the time difference in seconds)
  • function GetUnknownString (returns the localised "unknown" string)

Citrix has its own version of this DLL called CUtildll.dll, which is similar but uses the (Citrix) MUI for localising strings.


Datarescue has released IDA 4.9 as freeware. IDA Pro is the de-facto standard for the analysis of hostile code, vulnerability research and reverse engineering in general. You can find IDA freeware here: http://www.datarescue.com/idabase/idadownfreeware.htm


When an application is not Terminal Server aware (also known as a legacy application), Terminal Server makes certain modifications to the legacy application to make it work properly in a multi-user environment. For example, Terminal Server creates a virtual Windows folder, so that each user gets their own Windows folder instead of the system's Windows directory. This gives users access to their own INI files. In addition, Terminal Server makes some adjustments to the registry for a legacy application. These modifications slow the loading of the legacy application on Terminal Server and require up to 8 megabytes of extra memory. This behaviour can be avoided if the TSAware flag is present in the PE header of the executable, as can be read at MSDN.

But how do we set this property in Delphi?

In Windows.pas we can see that the constant is defined:

But how do you use this in your application?
Add the line

somewhere below the uses clause and we're done!

Of course you are now responsible for making your application Terminal Server compliant, which according to Microsoft means: If an application is Terminal Server aware, it must neither rely on INI files nor write to the HKEY_CURRENT_USER registry during setup.
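Once the flag is compiled in, you will want to verify it on the built binary rather than trust the source. The following Python script is an added example (not code from this post or from the JEDI project): it walks the DOS header, PE signature and optional header of an executable and reports whether the IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE bit (0x8000 in the PE specification, the same value Windows.pas defines) is set in DllCharacteristics. The field sits at the same offset in PE32 and PE32+ optional headers, so the check works for 32-bit and 64-bit images. The helper build_minimal_pe constructs a synthetic header for offline testing only; it is not a real executable.

```python
import struct

# PE-spec value of the DllCharacteristics bit discussed in the post.
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header.

    Raises ValueError for anything that is not a well-formed PE header, so a
    truncated or non-PE file is reported instead of silently read as 'legacy'.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Need: 4-byte signature + 20-byte COFF header + at least 72 bytes of optional header
    if e_lfanew + 4 + 20 + 72 > len(image):
        raise ValueError("truncated PE header")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional_header < 72:
        raise ValueError("optional header too small")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def is_terminal_server_aware(image: bytes) -> bool:
    """True when the executable declares itself Terminal Server aware."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test image: just enough header for the parser above (not runnable code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96  # standard optional header sizes without data directories
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> bool:
    """Read an executable from disk and report its TS-aware flag."""
    with open(path, "rb") as f:
        return is_terminal_server_aware(f.read())


if __name__ == "__main__":
    import sys

    for p in sys.argv[1:]:
        print(p, "TS-aware" if check_file(p) else "legacy (not TS-aware)")
```

Run it as `python check_tsaware.py MyApp.exe` after building; the file name is an assumption. A result of "legacy" on a binary you believe you flagged usually means the compiler directive ended up in a unit that is not the project file, or a post-build tool rewrote the header.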


I was contacted by Danila Galimov a while ago because he was working with my JwaWinsta unit. Together we were able to uncover (and are still working on uncovering) more of the undocumented APIs in winsta.dll.

We found several new information classes for WinStationQueryInformationW that return lots of information:

  • The user's password (under special circumstances).
  • The Windows Product ID (the server's and the client's).
  • Client info such as timezone information.

We got the following APIs working:

  • WinStationGetAllProcesses
  • WinStationGetTermSrvCountersValue ("QWinsta /Counter")
  • WinStationFreeGAPMemory
  • WinStationSendMessage
  • WinStationCloseServer
  • WinStationDisconnect
  • WinStationReset
  • WinStationShutdownSystem

Further testing is needed to determine whether the functions work on different OS versions and produce the same results.


There were two ways (known to me) of extending Windows XP to offer multiple concurrent Terminal Sessions: one with the RC1 version of XP SP2, and one that patches Winlogon and Termsrv.dll. The latter offers not only multiple sessions but also multiple sessions under the same account and sessions to the local machine.

It seems someone has hacked the Windows Vista Terminal Server too, by patching Termsrv.dll. Read more at the source.


I added some more undocumented APIs to my JwaWinsta unit; the unit is now becoming a collection of the undocumented APIs in winsta.dll.

These are the functions I added:

  • WinStationDisconnect
  • WinStationGetProcessSid
  • CachedGetUserFromSid (exported by utildll.dll)

I also added some more parts of the undocumented structure returned by WinStationQueryInformationW; it now contains:

  • Session State
  • WinStationName
  • SessionId
  • ConnectTime
  • DisconnectTime
  • LastInputTime
  • LogonTime
  • OutgoingFrames
  • OutgoingBytes
  • OutgoingCompressedBytes
  • IncomingCompressedBytes
  • IncomingFrames
  • IncomingBytes
  • Domain
  • Username
  • CurrentTime

If you want to get rid of this message:

Remote Desktop cannot verify the identity of the computer you want to connect to. This problem can occur if:

1) The remote computer is running a version of Windows that is earlier than Windows Vista.
2) The remote computer is configured to support only the RDP security layer.

Contact your network administrator or the owner of the remote computer for assistance.

Do you want to connect anyway?

Set the DWORD value AuthenticationLevelOverride of HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride to 0. A value of 0 tells the client to connect without warning when the server's identity cannot be verified, which is why the prompt no longer appears.

Read more on Scott Forsyth's blog.


Yesterday I attended the Citrix Solutions Conference in Antwerp. Brad Pedersen (Chief Architect and Senior Fellow at Citrix Systems) gave an interesting talk about the End User Experience. I especially liked the part about the history of Citrix and the early versions of their products, like Wincredible and WinFrame. Since Brad wrote the original code for Citrix and thus for Terminal Server (the stuff that is in winsta.dll now), I hoped he could share some info with me on the undiscovered parts of winsta.dll. Unfortunately Brad could not do this because of a non-disclosure agreement with Microsoft. He did tell me that Citrix is pushing Microsoft to make more Terminal Server APIs public. I presume that's why Vista and Windows 2008 offer some new APIs, which I wrote about earlier.


A little while ago I wrote an article on launching a process in another Terminal Session (https://www.remkoweijnen.nl/blog/2007/10/20/how-to-launch-a-process-in-a-terminal-session/).

The article didn't have a demo app yet, so I've attached it here.


It has been a little quiet on the JEDI Apilib project lately, but this will change!

We had a change in the team members: Marcel van Brakel, founder of and large contributor to the project, has signed off because he no longer actively uses Delphi. Christian Wimmer has joined the team and he is a very promising member.

Christian has been working on a new (optional) include model for the Jedi Apilib, which has the advantage that you only need to use one unit (JwaWindows) for the whole library.

Chris has also published the JEDI Windows Security Code Library (Jwscl). This is a library that tremendously simplifies using Win32 API calls from Delphi. At this point the library contains:

  • Windows Version
  • Token
  • Impersonation
  • Login
  • SID
  • Access Control List
  • Security Descriptor
  • Owner, Group, DACL, SACL
  • WindowStation
  • Desktop
  • LSA
  • Rights mapping
  • Secured Objects: Files, Registry (+Inheritance), etc.
  • Credentials (Login Dialog)
  • Encryption (MS Crypto API)
  • Well Known SIDs
  • Privileges
  • Security Dialogs (the "ACL Editor" you see on the Security tab when you right-click an object in Explorer)
  • Terminal Sessions
  • Unicode + ANSI
  • Vista Elevation
  • Vista Integrity Level

Although Jwscl is in beta stage, it is already very usable.
