Concurrent RDP connections hack – XP

by Toufiq Ali, NII Consulting
Before you read further, make sure you back up all the original registry settings or create a restore point for your system. I assume the reader knows what Windows Terminal Services is. If not, please refer to http://en.wikipedia.org/wiki/Terminal_Services

In Windows XP, when a remote user connects using the Remote Desktop Connection (RDC) client, the local user is forcefully disconnected from his current session. RDC, unlike Terminal Server Services in Windows 2000, Server 2003 and Server 2008, is designed for only one session at a time. This article aims to bring the multiple-user login functionality of Terminal Services in Windows 2000 Server, Windows Server 2003, etc. to Windows XP. This would be very useful in an environment where the network admin often troubleshoots problems on the network using RDC.

Keep reading as the hack unfolds to enable concurrent remote desktop connection sessions support in Windows XP using the following patched files.

  1. Download files.zip from the link given below on the system where you want to enable concurrent RDC connections.

Download files.zip
Windows XP SP1 and SP2: Windows XP RTM, SP1 and SP2.zip

Windows XP SP2: Windows XP SP2.zip

Windows XP SP3: Windows XP SP3.zip

Before you go any further, you should be in Safe Mode (press F8 during boot-up). If you don't want to prolong your wait to see this work, do the following instead:

1. Go to 'Start' > 'Run' and type services.msc
2. Right-click on Terminal Services and go to Properties.
3. From the Startup type drop-down choose Disabled, or simply stop the service.
4. Click Apply or OK and exit services.msc.

2. Go to %windir%\System32 and rename termsrv.dll to anything that you can remember.
3. Go to %windir%\System32\dllcache and rename termsrv.dll there as well.

4. Copy the downloaded termsrv.dll to the following two locations:
1. %windir%\System32
2. %windir%\System32\dllcache

Note: when you copy the files Windows will pop up the Windows File Protection dialog box. Click the cancel button & then Yes to keep this copy of the patched file.

5. Now, download and run the concurrent_sessions.bat file. Click yes to add these values to the registry or you can run Registry Editor to manually add the following registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"EnableConcurrentSessions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions"=dword:00000001

6. Click on Start Menu -> Run and type gpedit.msc.

7. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.

8. Enable Limit Number of Connections and set the number of connections to the number of concurrent sessions you want to allow.

9. Restart Terminal Services on that system. Also enable Remote Desktop from the System Properties' Remote tab by checking Allow users to connect remotely to this computer.

10. Turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.

11. Restart the computer normally.

If the Windows XP computer is connected to a domain, every time you restart your computer Windows will set the value of the registry key "AllowMultipleTSSessions" to "0". To ensure that multiple or unlimited Remote Desktop connection sessions are allowed in an AD domain environment, the value data for "AllowMultipleTSSessions" has to be set to "1" on system startup. To change the value, run concurrent_sessions.bat every time the computer is started. Alternatively, put concurrent_sessions.bat in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.

Service Pack 2 (SP2) for Microsoft Windows XP introduced a feature that limits concurrent TCP connection attempts to 10 per second. With Service Pack 1 or without a service pack, there is no limit on concurrent TCP connection attempts. So if you have set the value of "Limit Number of Connections" in step 8 to greater than 10 and you happen to run SP2, you need to apply the patch to override the maximum limit. You can download the file from the following link.

For your information, on disassembling the original and patched files, the following hex bytes have been changed:

00022A17: 74 75
00022A69: 7F 90
00022A6A: 16 90
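
The listing above can also be used the other way round, to check whether a given termsrv.dll carries this patch. The following Python script is an added example, not part of the original post; it assumes each line reads "offset: original byte, patched byte" and that the file is the same build the author patched (the post does not say which one), so any other byte values are reported as an unknown build.

```python
import hashlib
import sys

# (offset, original byte, patched byte), taken from the post's listing.
# Assumption: each line is "offset: original patched", as `fc /b` prints it.
# The offsets only apply to the termsrv.dll build the author patched.
PATCH_SITES = [
    (0x22A17, 0x74, 0x75),
    (0x22A69, 0x7F, 0x90),
    (0x22A6A, 0x16, 0x90),
]


def classify(data: bytes) -> str:
    """Return 'original', 'patched', 'partial' or 'unknown-build'."""
    if len(data) <= max(off for off, _, _ in PATCH_SITES):
        return "unknown-build"          # too short to be the build in question
    found = [data[off] for off, _, _ in PATCH_SITES]
    if found == [orig for _, orig, _ in PATCH_SITES]:
        return "original"
    if found == [new for _, _, new in PATCH_SITES]:
        return "patched"
    if all(b in (orig, new) for b, (_, orig, new) in zip(found, PATCH_SITES)):
        return "partial"                # some sites changed, some not
    return "unknown-build"              # different build or unrelated file


def report(path: str) -> dict:
    """Hash the file and classify it, for comparison against a known-good copy."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path,
            "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": classify(data)}


def sample_image(patched: bool) -> bytes:
    """Constructed test input: zero-filled buffer with only the three sites set."""
    buf = bytearray(0x23000)
    for off, orig, new in PATCH_SITES:
        buf[off] = new if patched else orig
    return bytes(buf)


if __name__ == "__main__":
    for p in sys.argv[1:]:              # e.g. both System32 and dllcache copies
        print(report(p))
```

Run it against both the System32 and dllcache copies, since the procedure above replaces both; the SHA-256 it prints can be compared with the hash of the file from the matching Microsoft service pack.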

7 Comments

  1. Hey, that's great, I will check this in a week's time. However, if Windows Update is enabled, then the DLLs will be replaced, and this won't work anymore.
    I would also like to know what exactly you modified within TerServ.dll, and what tool you used for the same.
    I normally use Reshack.

    Let me know.

    Thanks
    Nitin Kushwaha

  2. Hi Nitin,

    Windows Update won't interfere unless there is an update for termsrv.dll. The last three lines in the post are the locations that have been changed for the hack to work.

    There are various tools that will let you do this, IDAPro, WIN32DASM (de-assembler), HIEW (editor) etc. Resource hacker cannot disassemble files.

    Cheers
    TAS

  3. Hi. Can you please tell me how I can set the "Limit number of connection" to 2 or 3 (it doesn't matter which) from the registry or with a bat command?
