[DISCUSSION] Windows 8.1 termsrv.dll Patching

Discussion in 'Windows 8' started by GuryYu, Aug 31, 2013.

  1. Cowboy

    Cowboy MDL Member

    Oct 25, 2008
    189
    29
    10
    OK, I have it working. The problem of course was the ini file. I have used a lot of programs that have line numbers in the ini files and so it didn't surprise me that yours contained line numbers. What did surprise me is that by clicking on the "Raw" button on your web page I was presented with another line number free image of the ini file. I still was unable to replace the older ini file without booting into WinPE. It would be very helpful if you could spell out a procedure to over-write the ini file or release an update to your program that contained the latest file. All that said I have to tip my hat to you and admit that you have developed a very clever tool that I am sure will be of great use to many. Thank You!
     
  2. kriscahya

    kriscahya MDL Novice

    Nov 21, 2013
    4
    0
    0
    Hey Guys, it's been a while coming to this Thread, my RDP on Win 8.1 Pro 64 bit works fine with 3-4 login to Main/server pc using Thin Client and windows RDP.

    But lately I notice there's an update for my 8.1 pro 64 bit. After update, RDP is not working anymore, not even to the log on screen which the host pc has a pop up windows saying other user would like to connect.

    Any latest Termserv.dll for this 8.1 pro 64 bit, I read few pages back there's RDP wrapper?

    appreciate any help
     
  3. sonicx

    sonicx MDL Novice

    Mar 4, 2015
    1
    0
    0
    Hello! The problem, as in kriscahya's post. Have a laptop with windows 8.1 pro with all the latest updates. Everything found on the Internet did not help. Subject died?
     
  4. hozekes

    hozekes MDL Novice

    Mar 18, 2015
    2
    0
    0
    working? I'm looking for it too long

     
  5. mickrussom

    mickrussom MDL Novice

    May 17, 2010
    17
    9
    0
    Need help patching a termsrv.dll, Windows 7, 6.1.7601.22843. RDPwrap does have this termsrv.dll patched, but I do not use RDPwrap due to massive stability and reliability issues that have in the past cost me a datacenter run. When the termsrv.dll patch fails I can still login but when RDPwrap fails, it can deny connections even if you want to use it without multiuser.

    Anyways, I have attached what RDPwrap uses to "fix" RDP. Can binary patches be developed easily from this information or is working knowledge of IDA needed?

    [6.1.7601.22843]
    SingleUserPatch.x86=1
    SingleUserOffset.x86=1A655
    SingleUserCode.x86=nop
    SingleUserPatch.x64=1
    SingleUserOffset.x64=17F96
    SingleUserCode.x64=Zero
    DefPolicyPatch.x86=1
    DefPolicyOffset.x86=19E25
    DefPolicyCode.x86=CDefPolicy_Query_eax_esi
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=17D6E
    DefPolicyCode.x64=CDefPolicy_Query_eax_rdi


    [6.1.7601.22843]
    ; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
    ; Imagebase: 6F2E0000
    ; .text:6F2FA64F lea eax, [ebp+VersionInformation]
    ; .text:6F2FA655 inc ebx <- nop
    ; .text:6F2FA656 push eax ; lpVersionInformation
    ; .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch
    ; .text:6F2FA661 mov [esi], ebx
    ; .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x)
    SingleUserPatch.x86=1
    SingleUserOffset.x86=1A655
    SingleUserCode.x86=nop
    ; Imagebase: 7FF75A80000
    ; .text:000007FF75A97F90 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation
    ; .text:000007FF75A97F95 mov ebx, 1 <- 0
    ; .text:000007FF75A97F9A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch
    ; .text:000007FF75A97FA2 mov [rdi], ebx
    ; .text:000007FF75A97FA4 call cs:__imp_GetVersionExW
    SingleUserPatch.x64=1
    SingleUserOffset.x64=17F96
    SingleUserCode.x64=Zero
    ; Patch CDefPolicy::Query
    ; Original
    ; .text:6F2F9E25 cmp eax, [esi+320h]
    ; .text:6F2F9E2B jz loc_6F30B6D6
    ; Changed
    ; .text:6F2F9E25 mov eax, 100h
    ; .text:6F2F9E2A mov [esi+320h], eax
    ; .text:6F2F9E30 nop
    DefPolicyPatch.x86=1
    DefPolicyOffset.x86=19E25
    DefPolicyCode.x86=CDefPolicy_Query_eax_esi
    ; Original
    ; .text:000007FF75A97D6E cmp [rdi+63Ch], eax
    ; .text:000007FF75A97D74 jz loc_7FF75AA4182
    ; Changed
    ; .text:000007FF75A97D6E mov eax, 100h
    ; .text:000007FF75A97D73 mov [rdi+638h], eax
    ; .text:000007FF75A97D79 nop
    DefPolicyPatch.x64=1
    DefPolicyOffset.x64=17D6E
    DefPolicyCode.x64=CDefPolicy_Query_eax_rdi
     
  6. mickrussom

    mickrussom MDL Novice

    May 17, 2010
    17
    9
    0
    I've found RDP wrapper of late to be rubbish (crashy and or leading to the inability to RDP). I wish they would provide the necessary patch hints along with their stuff.
     
  7. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,354
    2,026
    210
    Man, it must be you being rubbish, or your setup!
    You have it all in plain text. Feel free to butcher the dll yourself
     
  8. mickrussom

    mickrussom MDL Novice

    May 17, 2010
    17
    9
    0
    I don't mind butchering the DLL from whatever information is in RDP wrap. I got locked out of a machine remotely already two times at different patch levels and I would prefer to butcher the DLL and have an update replace termsrv - I can still get in remotely. When RDP wrap fails, RDP is toast. You can do remote surgery but without RDP it's painful.

    So if anyone has a howto take rdpwraps information and butcher the DLL, please let me know and I'll do it myself.
     
  9. BreakBalls

    BreakBalls MDL Novice

    Mar 14, 2016
    4
    0
    0
    #330 BreakBalls, Jun 10, 2017
    Last edited: Jun 10, 2017
    So, still nobody wrote about Win 8.1 x86 termsrv 6.3.17415 full patch. Let me be the first one :)


    3B81200300000F842AD50000 B80001000089812003000090

    837DF8007419 837DF800EB19

    8D44242843 8D44242890

    Enjoy!
     
  10. avengermsoft

    avengermsoft MDL Novice

    Jul 17, 2017
    1
    0
    0
    x64 6.3.9600.18692 please ?
     
  11. RangerXus

    RangerXus MDL Novice

    Jul 19, 2017
    5
    3
    0
    @avengermsoft

    Microsoft patch KB4022720 for Windows 8.1 broke the previous termsrv.dll concurrent patch.
    The previous version of termsrv.dll was 6.3.9600.17415.
    The new version after KB4022720 is 6.3.9600.18692.

    Interesting that the patch for 6.3.9600.17415 still works for 6.3.9600.18692. The patch just needs to be applied at a different location.
    I assume you know how to stop termservice, take ownership of termsrv.dll, make a backup copy of termsrv.dll, and use a hex editor.

    The following is for Windows 8.1 PRO x64. termsrv.dll versions 6.3.9600.17415 and 6.3.9600.18692. It has been tested by me to work on both versions.

    Search for: 39 81 3C 06 00 00 0F 84 D3 1E 02 00 and replace with: B8 00 01 00 00 89 81 38 06 00 00 90

    The following is for Windows 8.1 PRO x86. termsrv.dll versions 6.3.9600.17415 and 6.3.9600.18692. It has NOT been tested by me.

    Search for: 3B 81 20 03 00 00 0F 84 2A D5 00 00 and replace with: B8 00 01 00 00 89 81 20 03 00 00 90

    As a side note, the open source utility RDPWrap has been updated to also support termsrv.dll 6.3.9600.18692 for Windows 8.1.
    For Windows 10 users, it appears that the new Creators build has broken RDPWrap for Windows 10 Home edition. It still works for Windows 10 PRO to enable multiple concurrent RDP sessions. No word yet if the developer is going to find a solution to the changes the Creators build introduced in Home edition. It may be that Microsoft is putting an end to Home users being able to RDP into their computers. Hex patching may also no longer be feasible for Windows 10 Home Creators build and beyond.

    Credit for the patch code belongs to contributors on "www mysysadmintips com" and "forums mydigitallife net" . Thanks to anyone and everyone who has helped identify and share termsrv.dll patches to all of us over the years.
     
  12. RangerXus

    RangerXus MDL Novice

    Jul 19, 2017
    5
    3
    0
    @mickrussom

    I too prefer to patch than use RDPWrap and as long as new patches are created and shared I will continue to use them. I don't see anything wrong with RDPWrap after reviewing the source code, but I have never actually used it. I just prefer to keep things simple and keep things as vanilla as possible.

    I looked at the RDPWrap.ini file to see if there was a way to translate the RDPWrap patch code to a simple hex patch. But since RDPWrap appears to be an interface to termsrv.dll and not a patcher for termsrv.dll I'm not sure it is possible to create a hex patch from the RDPWrap patch codes. It uses a different approach than just patching code. At least for me I decided it was not worth the effort to pursue further. But if you figure out a way to create hex patches from the RDPWrap patch codes I hope you will share it with the rest of us.
     
  13. RangerXus

    RangerXus MDL Novice

    Jul 19, 2017
    5
    3
    0
    I'm not going to argue about this. I prefer a simple hex patch on an original MS DL. You prefer installing a program, modifying the registry so the service Terminal Services actually calls rdpwrap.dll instead of termsrv.dll, and etc., etc., etc. There are usually multiple ways to get things done. Doesn't mean only one way is right and all the other ways are wrong. Different people have different preferences and opinions on the best way for them. It's nothing to argue about or fight over.
     
  14. tstolik

    tstolik MDL Junior Member

    Jan 18, 2011
    62
    5
    0
    What is the last updated version for Win7 now for x32 and x64?
     
  15. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    7,897
    10,733
    240
    @ tstolik you are in the wrong section, so search first before posting ;)
     
  16. JimB3

    JimB3 MDL Novice

    Aug 12, 2017
    1
    0
    0
    I also prefer to patch the DLL manually. The x64 codes shown below worked for me.

    I would also like to report that the same substitution also works for version 18708. To explicitly summarize in the format of the original post below:

    Microsoft Patch KB4025335 (or KB4034681) for Windows 8.1 broke the previous termsrv.dll concurrent patch.
    The previous version of termsrv.dll was 6.3.9600.18692.
    The new version after KB4022720 is 6.3.9600.18708.

    The following is for Windows 8.1 PRO x64. termsrv.dll versions 6.3.9600.18708. It has been tested by me to work.

    Search for: 39 81 3C 06 00 00 0F 84 D3 1E 02 00 and replace with: B8 00 01 00 00 89 81 38 06 00 00 90


    I have not tried or verified x86, so I will not include the text below here.

    Thanks!



     
  17. m2tas

    m2tas MDL Novice

    May 2, 2009
    6
    2
    0
    For 6.3.9600.18923 x64 version search and replace "39 81 3C 06 00 00 0F 84 23 23 02 00" with "B8 00 01 00 00 89 81 38 06 00 00 90".
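
An integrity check built from the byte sequences quoted above by BreakBalls, RangerXus, JimB3 and m2tas, added here as an example and not part of any post or of RDPWrap: it reports whether a termsrv.dll image carries the stock or the replaced sequence. The function names and the sample images are constructed for illustration.

```python
# Added example: triage a termsrv.dll image against the sequences quoted in this thread.
import sys

def _h(s):
    return bytes.fromhex(s)

# Sequences copied from the posts above; build labels are the posters' own.
SIGNATURES = {
    "x64": {
        "patched": _h("B8 00 01 00 00 89 81 38 06 00 00 90"),
        "originals": {
            "6.3.9600.17415/18692/18708": _h("39 81 3C 06 00 00 0F 84 D3 1E 02 00"),
            "6.3.9600.18923": _h("39 81 3C 06 00 00 0F 84 23 23 02 00"),
        },
    },
    "x86": {
        "patched": _h("B8 00 01 00 00 89 81 20 03 00 00 90"),
        "originals": {
            "6.3.9600.17415/18692": _h("3B 81 20 03 00 00 0F 84 2A D5 00 00"),
        },
    },
}

def offsets(image, needle):
    """Return every file offset at which needle occurs."""
    out, pos = [], image.find(needle)
    while pos != -1:
        out.append(pos)
        pos = image.find(needle, pos + 1)
    return out

def classify(image):
    """Return (state, details) where state is 'modified', 'stock' or 'unknown'."""
    stock = []
    for arch, sig in SIGNATURES.items():
        hits = offsets(image, sig["patched"])
        if hits:
            return "modified", [(arch, hex(o)) for o in hits]
        for build, seq in sig["originals"].items():
            stock += [(arch, build, hex(o)) for o in offsets(image, seq)]
    # No match either way: the build is outside what this thread covers.
    return ("stock", stock) if stock else ("unknown", [])

# Constructed sample images (filler plus one sequence), not real DLL contents.
SAMPLE_STOCK = b"\xcc" * 16 + SIGNATURES["x64"]["originals"]["6.3.9600.18923"] + b"\xcc" * 8
SAMPLE_PATCHED = b"\xcc" * 16 + SIGNATURES["x64"]["patched"] + b"\xcc" * 8

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PATCHED
    print(classify(data))
```

A byte match is only triage: a modified termsrv.dll also no longer matches the hash of the Microsoft-signed file, which is the authoritative check.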
     
  18. l33tissw00t

    l33tissw00t MDL Addicted

    Dec 6, 2012
    819
    520
    30
    @binarymaster