[DISCUSSION] Windows 10 termsrv.dll Patching

Discussion in 'Windows 10' started by Mr Jinje, Oct 2, 2014.

  1. l33tissw00t

    l33tissw00t MDL Addicted

    Thank you. Forgot that ServerRDSH changed names..
     
  2. Baiony

    Baiony MDL Novice

    Hello.. any patched version for "termsrv.dll 10.0.17763.292"? Thank you!
     
  3. bjf2000

    bjf2000 MDL Expert

    Read up the thread about that. Same string as before.
     
  4. cyberbot

    cyberbot MDL Senior Member

    Dear all
    after the update to 10.0.17763.292 we lost the printers on the remote desktop.
    before whenever we log in to the terminal we can print using the redirect printers but they are gone
    can someone please advise how to get those back?
     
  5. djole02

    djole02 MDL Novice

    For Windows 10 LTSC:

    search for: 39 81 3C 06 00 00 0F 84 7F 2C 01 00
    replace with: B8 00 01 00 00 89 81 38 06 00 00 90

    ...should be at offset 17345

    OS Version: 10.0.17763
     
  6. Buffavento

    Buffavento MDL Novice

    #126 Buffavento, Feb 13, 2019
    Last edited: Feb 17, 2019
    You can only connect up to 10 different users! Is there any chance to increase the number, like 50? I've done the procedures shown below but still no more connections than 10 users.

    PS: I've already increased the connection on gpedit -> Administrative Templates -> windows Component -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Limit Number of Connections-> RD Maximum connections allowed -> Enabled -> 99999(unlimited)

    Any other suggestions?
     
  7. Buffavento

    Buffavento MDL Novice

    Good News: I have found the solution :)

    I have checked the RDP log file and I've found a line like "Disconnection reason is 16" in log file. There is no good explanation about disconnect reason is 16 but I understand that it is related with Graphic Card's memory optimization so I have updated graphic card driver on my system then connection issues have been solved. :) Now more than 10 users can connect without any problem.

    ---------------

     
  8. PERSoft

    PERSoft MDL Novice

    Has anyone the hex codes for 32 bit termsrv.dll version 10.0.17763.1 or 10.0.17763.292 ???
     
  9. bjf2000

    bjf2000 MDL Expert

    The 292 string still hasn't changed (see earlier post).
     
  10. PERSoft

    PERSoft MDL Novice

    #130 PERSoft, Feb 28, 2019
    Last edited: Mar 3, 2019
    Yes, I know. But I could not find any hex codes for the 32 bit patch version 10.0.17763.1 either. Maybe there is no common interest in finding the hex strings of 32 bit versions in future, so nobody puts effort into this. I have searched for this patch on the internet, but did not find any solution. Is there anyone who could solve this?

    Now I have found on github rdpwrapper section a rdpwrapper.ini file for both 32 bit and 64 bit versions for 292. You have to add the following entries under the existing ini file sections:

    [10.0.17763.292]
    ; Patch CEnforcementCore::GetInstanceOfTSLicense
    LocalOnlyPatch.x86=1
    LocalOnlyOffset.x86=AFAD4
    LocalOnlyCode.x86=jmpshort
    LocalOnlyPatch.x64=1
    LocalOnlyOffset.x64=77A11
    LocalOnlyCode.x64=jmpshort
    ; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
    SingleUserPatch.x86=1
    SingleUserOffset.x86=4D665
    SingleUserCode.x86=nop
    SingleUserPatch.x64=1
    SingleUserOffset.x64=1322C
    SingleUserCode.x64=Zero
    ; Patch CDefPolicy::Query
    DefPolicyPatch.x86=1
    DefPolicyOffset.x86=4BE69
    DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=17F45
    DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
    ; Hook CSLQuery::Initialize
    SLInitHook.x86=1
    SLInitOffset.x86=5B18A
    SLInitFunc.x86=New_CSLQuery_Initialize
    SLInitHook.x64=1
    SLInitOffset.x64=1ABFC
    SLInitFunc.x64=New_CSLQuery_Initialize

    [10.0.17763.292-SLInit]
    bInitialized.x86 =CD798
    bServerSku.x86 =CD79C
    lMaxUserSessions.x86 =CD7A0
    bAppServerAllowed.x86 =CD7A8
    bRemoteConnAllowed.x86=CD7AC
    bMultimonAllowed.x86 =CD7B0
    ulMaxDebugSessions.x86=CD7B4
    bFUSEnabled.x86 =CD7B8

    bInitialized.x64 =ECAB0
    bServerSku.x64 =ECAB4
    lMaxUserSessions.x64 =ECAB8
    bAppServerAllowed.x64 =ECAC0
    bRemoteConnAllowed.x64=ECAC4
    bMultimonAllowed.x64 =ECAC8
    ulMaxDebugSessions.x64=ECACC
    bFUSEnabled.x64 =ECAD0

    This works for the 32 bit version in my case! Maybe it helps other people, too. Do not forget to restart term-services or to reboot the PC after changing the ini-file.

    A follow up: The x64 version failed. I suppose you have to change SingleUserOffset.x64=1322C to SingleUserOffset.x64=3E570 like in the post of Prince_Charles on page 6.
     
  11. Prince_Charles

    Prince_Charles MDL Novice

    #131 Prince_Charles, Mar 5, 2019
    Last edited: Apr 4, 2019
    termsrv.dll version 10.0.18362.1 x64
    ============================

    Find: 39813C0600000F845D610100
    Replace: B80001000089813806000090

    Find: 047411488D15E7
    Replace: 04EB11488D15E7

    Find: 58010000FF1517
    Replace: 58000000FF1517 (multiple nested sessions - not really required)

    Single sessions only and network level authentication (RDPConf or registry)

    ==================
    RDPWrap :: 64-bit
    ==================
    [10.0.18362.1]
    LocalOnlyPatch.x64=1
    LocalOnlyOffset.x64=75978
    LocalOnlyCode.x64=jmpshort
    SingleUserPatch.x64=1
    SingleUserOffset.x64=4CB20
    SingleUserCode.x64=Zero
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=1FE05
    DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
    SLInitHook.x64=1
    SLInitOffset.x64=22DCC
    SLInitFunc.x64=New_CSLQuery_Initialize

    [10.0.18362.1-SLInit]
    bInitialized.x64 =F6A8C
    bServerSku.x64 =F6A90
    lMaxUserSessions.x64 =F6A94
    bAppServerAllowed.x64 =F6A9C
    bRemoteConnAllowed.x64=F6AA0
    bMultimonAllowed.x64 =F6AA4
    ulMaxDebugSessions.x64=F6AA8
    bFUSEnabled.x64 =F6AAC
     
  12. CutterKin

    CutterKin MDL Novice

    Out of curiosity what graphic card are you using?

    I have a remote site with an Nvidia 210 and a similar issue. Tempted to make the drive out and swap to a newer video card & driver based on your post.

    Would be odd if it works since (I think) plain vanilla RDP doesn't use the GPU at all without HyperV / RemoteFX.
     
  13. escapesg

    escapesg MDL Novice

    Sounds like RDPWrap & termsrv.dll do require new solution for 10.0.17763.437 after applying KB4493509. Ouch :)
     
  14. Prince_Charles

    Prince_Charles MDL Novice

    #134 Prince_Charles, Apr 10, 2019
    Last edited: Apr 10, 2019
    ===============================
    termsrv.dll x64: 10.0.17763.437
    ===============================

    39813C0600000F843B2B0100
    B80001000089813806000090

    007418488D
    00EB18488D

    58010000FF15E7
    58000000FF15E7

    ===========
    rdpwrap.ini
    ===========

    [10.0.17763.437]
    LocalOnlyPatch.x64=1
    LocalOnlyOffset.x64=77A41
    LocalOnlyCode.x64=jmpshort
    SingleUserPatch.x64=1
    SingleUserOffset.x64=3E520
    SingleUserCode.x64=Zero
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=18025
    DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
    SLInitHook.x64=1
    SLInitOffset.x64=1ACDC
    SLInitFunc.x64=New_CSLQuery_Initialize

    [10.0.17763.437-SLInit]
    bInitialized.x64 =ECAB0
    bServerSku.x64 =ECAB4
    lMaxUserSessions.x64 =ECAB8
    bAppServerAllowed.x64 =ECAC0
    bRemoteConnAllowed.x64=ECAC4
    bMultimonAllowed.x64 =ECAC8
    ulMaxDebugSessions.x64=ECACC
    bFUSEnabled.x64 =ECAD0

    =====================================
    =====================================

    =============================
    termsrv.dll x64 10.0.18362.53
    =============================

    39813C0600000F845D610100
    B80001000089813806000090

    047411488D1577
    04EB11488D1577

    58010000FF15F7
    58000000FF15F7

    ===========
    rdpwrap.ini
    ===========

    [10.0.18362.53]
    LocalOnlyPatch.x64=1
    LocalOnlyOffset.x64=759E8
    LocalOnlyCode.x64=jmpshort
    SingleUserPatch.x64=1
    SingleUserOffset.x64=4CB40
    SingleUserCode.x64=Zero
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=1FE15
    DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
    SLInitHook.x64=1
    SLInitOffset.x64=22DDC
    SLInitFunc.x64=New_CSLQuery_Initialize

    [10.0.18362.53-SLInit]
    bInitialized.x64 =F6A8C
    bServerSku.x64 =F6A90
    lMaxUserSessions.x64 =F6A94
    bAppServerAllowed.x64 =F6A9C
    bRemoteConnAllowed.x64=F6AA0
    bMultimonAllowed.x64 =F6AA4
    ulMaxDebugSessions.x64=F6AA8
    bFUSEnabled.x64 =F6AAC
     
  15. bjf2000

    bjf2000 MDL Expert

    #135 bjf2000, Apr 10, 2019
    Last edited: Apr 10, 2019
    The locations aren't unusually difficult to find in that new version. No major changes in what you're looking for.

    Update: Of course, as soon as I post that, I see that there is one major change. Question: So, let's suppose that I used the prior string instead (which in the new file is found at 8B8058010000FF15E7 instead of 8B8058010000FF1597). What would have happened?
     
  16. 123412345

    123412345 MDL Novice

    Hi, what about 17134.706? Just got updated to this one :(
     
  17. ShamblerDK

    ShamblerDK MDL Novice

    Tested and works flawlessly with version 10.0.17763.437.

    Thank you!
     
  18. smigors

    smigors MDL Novice

    #138 smigors, Apr 11, 2019
    Last edited: Apr 11, 2019
    Hi! What about 10.0.17134.706 x64?

    Solution for 32bit termsrv.dll is:

    [10.0.17134.706]
    LocalOnlyPatch.x86=1
    LocalOnlyOffset.x86=ADAB8
    LocalOnlyCode.x86=jmpshort
    SingleUserPatch.x86=1
    SingleUserOffset.x86=36B1C
    SingleUserCode.x86=nop
    DefPolicyPatch.x86=1
    DefPolicyOffset.x86=33579
    DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
    SLInitHook.x86=1
    SLInitOffset.x86=475DD
    SLInitFunc.x86=New_CSLQuery_Initialize

    [10.0.17134.706-SLInit]
    bInitialized.x86 =CBF38
    bServerSku.x86 =CBF3C
    lMaxUserSessions.x86 =CBF40
    bAppServerAllowed.x86 =CBF44
    bRemoteConnAllowed.x86=CBF48
    bMultimonAllowed.x86 =CBF4C
    ulMaxDebugSessions.x86=CBF50
    bFUSEnabled.x86 =CBF54

    Have a nice day
     
  19. smigors

    smigors MDL Novice

    I checked it... works..

    [10.0.17134.706]
    LocalOnlyPatch.x86=1
    LocalOnlyOffset.x86=ADAB8
    LocalOnlyCode.x86=jmpshort
    LocalOnlyPatch.x64=1
    LocalOnlyOffset.x64=92521
    LocalOnlyCode.x64=jmpshort
    SingleUserPatch.x86=1
    SingleUserOffset.x86=36B1C
    SingleUserCode.x86=nop
    SingleUserPatch.x64=1
    SingleUserOffset.x64=1511C
    SingleUserCode.x64=Zero
    DefPolicyPatch.x86=1
    DefPolicyOffset.x86=33579
    DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=10E78
    DefPolicyCode.x64=CDefPolicy_Query_edi_rcx
    SLInitHook.x86=1
    SLInitOffset.x86=475DD
    SLInitFunc.x86=New_CSLQuery_Initialize
    SLInitHook.x64=1
    SLInitOffset.x64=22F5C
    SLInitFunc.x64=New_CSLQuery_Initialize

    [10.0.17134.706-SLInit]
    bInitialized.x86 =CBF38
    bServerSku.x86 =CBF3C
    lMaxUserSessions.x86 =CBF40
    bAppServerAllowed.x86 =CBF44
    bRemoteConnAllowed.x86=CBF48
    bMultimonAllowed.x86 =CBF4C
    ulMaxDebugSessions.x86=CBF50
    bFUSEnabled.x86 =CBF54

    bServerSku.x64 =F1378
    lMaxUserSessions.x64 =F137C
    bAppServerAllowed.x64 =F1380
    bInitialized.x64 =F2430
    bRemoteConnAllowed.x64=F2434
    bMultimonAllowed.x64 =F2438
    ulMaxDebugSessions.x64=F243C
    bFUSEnabled.x64 =F2440
     
  20. escapesg

    escapesg MDL Novice

    #140 escapesg, Apr 15, 2019
    Last edited: Apr 16, 2019
    Deployed rdpwrap.ini onto two desktops: would not reconnect to the same / earlier disconnected session - will always create a new RDP session regardless.

    Any idea how to fix it / are all rdpwrap.ini values correct?

    Confirmed: rdpwrap.ini 10.0.17763.437 forces fSingleSessionPerUser value to 1 and also enforces multiple remote sessions for the same user. Ouch :)
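
A defender-side check for the on-disk hex edits posted in this thread, as an added example that is not from any poster or from the RDPWrap project: it scans a termsrv.dll image for the stock compare-and-branch sequence and for the replacement sequence quoted in the posts, and reports which one is present. The function names and the sample buffers are constructed for illustration.

```python
import hashlib
import re

# Byte strings below are the ones quoted in the thread's posts (x64 builds).
# Stock sequence: cmp [rcx+0x63C], eax / jz rel32. The 4-byte rel32 differs
# per build, so it is matched as a wildcard.
STOCK_RE = re.compile(re.escape(bytes.fromhex("39813C0600000F84")) + b".{4}", re.DOTALL)
# Replacement sequence, identical for every build listed in the thread.
EDITED = bytes.fromhex("B80001000089813806000090")


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def classify_image(data: bytes) -> dict:
    """Classify a termsrv.dll image as stock, edited, mixed or unknown."""
    stock = [m.start() for m in STOCK_RE.finditer(data)]
    edited = find_all(data, EDITED)
    if edited and stock:
        verdict = "mixed"
    elif edited:
        verdict = "edited"
    elif stock:
        verdict = "stock"
    else:
        # Other build or architecture: compare the hash with a known-good copy.
        verdict = "unknown"
    return {"verdict": verdict, "stock_offsets": stock, "edited_offsets": edited,
            "sha256": hashlib.sha256(data).hexdigest()}


def classify_file(path: str) -> dict:
    """Read a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_image(fh.read())


# Constructed sample buffers (not real DLL contents): padding around each sequence.
SAMPLE_STOCK = b"\xCC" * 16 + bytes.fromhex("39813C0600000F843B2B0100") + b"\xCC" * 16
SAMPLE_EDITED = b"\xCC" * 16 + EDITED + b"\xCC" * 16

if __name__ == "__main__":
    for name, blob in (("stock", SAMPLE_STOCK), ("edited", SAMPLE_EDITED)):
        print(name, classify_image(blob)["verdict"])
```

The rdpwrap.ini entries in the thread describe in-memory patching by a wrapper, which leaves termsrv.dll on disk unchanged, so this file scan covers only the Find/Replace hex edits.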