[REQUEST] Terminal Server Patch for XP

[sickmorci]

Hi Everyone,

I found this great *FREE* utility that everyone can use to:

The beta 2055 release of XP PRO SP2 (yes i know its old) let you run two or more sessions (one local console and one or more remote desktop) concurrently. But this functionality was removed in the Final release. This patch will enable two or more concurrent sessions in Windows XP PRO Service Pack 2 (SP2) or later if you have FAST USER SWITCHING enabled, and your windows is NOT in a domain.

and best of all its FREE !

Site:

http://www.kood.org/terminal-server-patch/

Download Link:

http://www.kood.org/Termiserv_XPSP2_i386_1.0.exe

I dont have the skills to create the add-on and maybe someone skilled might be able to create this, which im sure many users will find useful

Thank you all

SickDog

[runningfool]

all the utility does is replace termsrv.dll in the system32 folder with a patched one, so a simpler solution might be to just replace this file on your install disk:

1. use a program like 7-zip or winrar to extract the above utility. one of the folders will contain the termsrv.dll

2. download a program called "eXPander" (search wincert, i think theres an old post somewhere about it, along with instructions on how to use it)

3. use eXPander to compress termsrv.dll. if done correctly, youll get a file called "TERMSRV.DL_"

4. find this file on your XP disk and overwrite it with the one you just created

5. continue with your disk as you normally would (rvm integrator, nlite, etc) and install windows XP.

please be cautioned: using this file may cause windows file protection to complain. also, this is not a truly patched file, but literally the same one from beta 2055 of XP SP2...meaning any security updates released for terminal services after SP2 came out will probably be nullified.

[eryen]

Terminal and Lanconection patch last version is 1.3. SP3 supported.

Basicly modify termsrv.dll.

I have read info. Talking about have to patch winlogon.exe too.

Optional mstscax.dll patches.

Also do not forget. This patch containes reverse enginenering.

I did not test it!

info.txt

Terminal server No Restriction Patch 1.3

========================================

Purpose:

Remove all limitation of the Windows Remotedesktop/Terminalserver service

because of some 'restrictive' windows version like XP Home/XP Professional,

Small Business... or limits expose by licensing logic.

Usage:

Backup C:\windows\system32, termsrv.dll, winlogon.exe, mstscax.dll.

Start TS-Free-1.3.exe.

Check patcher output for error. Reboot.

Changes:

Files:

termsrv.dll

winlogon.exe

mstscax.dll

Registry:

[HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server]

"fDenyTSConnections"=0

"TSAdvertise"=1

"IdleWinStationPoolCount"=1

"TSAppCompat"=0

"TSEnabled"=1

"TSUserEnabled"=0

Licensing Core\

"EnableConcurrentSessions"=0

WinStations\RDP-Tcp\

"fEnableWinStation"=1

"MaxInstanceCount"=dword:ffffffff

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"AllowMultipleTSSessions"=1

Debugging:

If patch is not working compare if the modified version of the 3 files is

still in by comparing them with examdiff, Totalcommander or by windows onboard

Filecompare ("FC.exe /?")

The patch is only for 32-bit Windows. There currently no version for X64. Also

It doesn't work on windows vista (critical bytepattern changed so patcher

fails).

I someone really needs a 64-bit version and can give me a remote desktop connection

to the system contact me

How it works:

TS-Free-1.3.exe is an rar-sfx archive which will extract all files

C:\windows\system32 and run TS_free.bat

TS_free.bat launches WPA-kill.exe that will remove the self checks from

winlogon.exe to make it patchable (and as also disable the product

activation check).

Ts_free.exe is the main patch that will modify

termsrv.dll

winlogon.exe

mstscax.dll

by a pattern search.

Note: patching of mstscax.dll is no really important. It just allows you

on XP Pro to connection with mstsc.exe to yourself (127.0.0.1)

Limitations/Known Bug:

On WinXP I discovered to following bug in previous version(1.1) of this patch:

After termsrv.dll was patched following steps brings up a 'can't connect':

Login locally as user1 , switch user - WinKey+L (or taskmgr/user/rightclick)

Login locally as user2 , switch user - WinKey+L (or taskmgr/user/rightclick)

Login/reconnect locally as user2 => Error!

Without patched termsrv.dll it works.

To solve this (at least on WinXP) a added to choice to apply/skip these so called

'additional patches'. On WinXP they somehow cause the problem.

They are related to the the 'Windows Version Info' constants VER_SUITE_TERMINAL and

VER_SUITE_SINGLEUSERTS. On server system I think 'additional patches' really

necessary because VER_SUITE_SINGLEUSERTS is not set. VER_SUITE_SINGLEUSERTS need to

be set so terminalserver will branch in the 'patched' branch of the simple

(termsrv.dll!CFullDesktopPolicy::UseLicense) license check.

So far I've only test it on WinXP SP2.

How the patch works - how did I create it.

Preparation:

get the source of this patch it contains some more info's

get debugsymboles for winlogon & termsrv

http://www.microsoft.com/whdc/devtools/deb.../symbolpkg.mspx

to add many useful label and comments to disassembling.

Get Antiwpa2 patch enable decrypt in options and open winlogon.exe

also press the apply button to remove self checks.

open termsrv.dll/winlogon.exe in ollydebug and look for references

(ctrl+n) to

Kernel32!GetVersionExW (ntdll.RtlGetVersion)

VerSetConditionMask

KERNEL32.VerifyVersionInfoW

to get near to the version restricting function - now your on your own...

In termsrv.dll look for symbols like

_fDenyTSConnectionsPolicy

LicenseModeInit

LCQueryAllowConcurrentConnections...

For live debug open process with commandline <WINXP>system32\svchost -k DcomLaunch

(Check commandline column in sysinternals process explorer to see it)

So what about the dot's

If it needs to seek to the beginning of some

certain function you to find some unique byte pattern (like a constant

or a sequence of command/byte) inside that function and then

move to the beginning and write the patch data there. Seeking with a byte

directly to the beginning is not so safe because all functions start

with the same commands. So if it seeks backward or forward to the beginning

I output dots as control. Normally this should be 1 or 2 lines - if there are

more it's probably didn't found the correct beginning (or beginning is already

patched) the patch is applied at some wrong location and result is corrupt

file.

AntiVirus alerts

Some AntiVirus detect 'WPA_Kill.exe' as HackTool, Trojan or

unwanted program. Well I don't know why the AV-Maker flag

'WPA_Kill.exe' this way, but it's definitly no virus or trojan.

Probably they don't like the fact that it modified some byte in

winlogon.exe or possibly violates M$-Eula or what ever. I don't know/care about.

Lately I want to install 'TS-Free-1.2.exe' on a friend's PC and found it

very annoy that the installed AVG-Virusscanner blocked access to 'WPA_Kill.exe'.

Also there was no easy to find an userinterface to disable this AV

and because there was only little time I saw the quickest way in uninstalling

that AVG crap via controlpanel software.

(Later I saw that this was good because AVG seems to have the weakest detection engine

(refers only to 'Wpa_Kill.exe') so probably it won't be better for real malware.)

I personly don't use any of this AntiVirus or Internet Security Babysitter software.

Windows is slow & anony enough so I don't need any addition annoying software panic brake.

(Just be caution when downloading keygen, cracks with emule or from so ads popluted

Crack-Site. Don't trust AV Prg but trust ya feeling. Well to get this watch all kinds

of files with an Accii viewer to 'feel' weather this is normal(uncompressed) code or

suspicious(compress/encrypted) code. Well that's how I started.)

Anyway most ppl just use AV-Scanners and as I see that this can be annoying

(or even wreak the system if the main patch is applied without to 'WPA_Kill'-prepatch and so winlogon.exe will crash...)

So I decided to do that update and change some pattern that AV uses for their recognition.

This is base on some list I found in a forum:

"AntiVir" -> Trojan/Agent.JH.7 Detection: Scans sfx-rar-archive comment (+Importtable)

"ArcaVir" -> <none>

"Avast" -> Win32:Agent-AKC Detection: Scans for "crackware2k@freenet.de...{ForegroundColor:&H00808081&}..."(size:0x20)

"AVG Antivirus" -> Generic.DQD Detection: Creates CRC for exe

"BitDefender" -> Trojan.Agent.JH

"ClamAV" -> <none>

"Dr.Web" -> Tool.Wpakill Current version does not detect it.

"F-Prot Antivirus" -> <none>

"Fortinet" -> W32/Agent.JH!tr

"Kaspersky Anti-Virus" -> Trojan.Win32.Agent.jh Detection: Creates CRC of first 0xA70 Bytes of CodeSection

"NOD32" -> Win32/Agent.JH Current version does not detect it.

"Norman Virus Control" -> <none>

"UNA" -> <none>

"VirusBuster" -> <none>

"VBA32" -> Trojan.Win32.Agent.jh

History:

1.3 BugFix mstscax.dll was incorrectly patched on WinXP SP3

1.21 Changes to avoid some false virus alerts of AntiVir,Avast,AVG,Kaspersky

1.2 choice to apply/skip additional patches

1.2 Pre Version

Info.txt added

1.1 Byte patterns updated for Longhorn

1.0 Initial Version

<CW2K>

Edited May 8, 2008 by eryen