Terminal server No Restriction Patch 1.2
========================================

Purpose:
Remove all limitations of the Windows Remote Desktop/Terminal Server service
imposed by some ‘restrictive’ Windows versions like XP Home/XP Professional,
Small Business… or by the licensing logic.

Usage:
Back up C:\windows\system32: termsrv.dll, winlogon.exe, mstscax.dll.
Start TS-Free-1.1.exe.
Check the patcher output for errors. Reboot.

Changes:
Files:
termsrv.dll
winlogon.exe
mstscax.dll

Registry:
[HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=0
"TSAdvertise"=1
"IdleWinStationPoolCount"=1
"TSAppCompat"=0
"TSEnabled"=1
"TSUserEnabled"=0
Licensing Core\
"EnableConcurrentSessions"=0
WinStations\RDP-Tcp\
"fEnableWinStation"=1
"MaxInstanceCount"=dword:ffffffff

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions"=1
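
To check a host against the registry changes listed above, here is an added example (not part of the original patch or its README) that scans the text of a `.reg` export for values equal to the ones in this list. It assumes that `Licensing Core\` and `WinStations\RDP-Tcp\` are subkeys of the Terminal Server key and that the values are exported as `dword:`; the sample export is constructed.

```python
import re

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RDP_TCP = TS + r"\WinStations\RDP-Tcp"

# (key, value name) -> DWORD the README lists under "Registry".
# Assumption: "Licensing Core\" and "WinStations\RDP-Tcp\" are subkeys of TS.
PATCH_VALUES = {
    (TS, "fDenyTSConnections"): 0,
    (TS, "TSAdvertise"): 1,
    (TS, "IdleWinStationPoolCount"): 1,
    (TS, "TSAppCompat"): 0,
    (TS, "TSEnabled"): 1,
    (TS, "TSUserEnabled"): 0,
    (TS + r"\Licensing Core", "EnableConcurrentSessions"): 0,
    (RDP_TCP, "fEnableWinStation"): 1,
    (RDP_TCP, "MaxInstanceCount"): 0xFFFFFFFF,
    (WINLOGON, "AllowMultipleTSSessions"): 1,
}
INDEX = {(k.lower(), v.lower()): (k, v, d) for (k, v), d in PATCH_VALUES.items()}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def matching_values(reg_text):
    """Return sorted (key, name) pairs in a .reg export that equal the listed values."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()  # registry paths are case-insensitive
        elif key and (m := DWORD_RE.match(line)):
            entry = INDEX.get((key, m.group(1).lower()))
            if entry and int(m.group(2), 16) == entry[2]:
                hits.append(entry[:2])
    return sorted(hits)

# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MaxInstanceCount"=dword:ffffffff
"PortNumber"=dword:00000d3d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions"=dword:00000001
'''
```

A regedit export is UTF-16, so decode it to text before passing it in. Some of these values, such as `fDenyTSConnections`=0, are also present on hosts where Remote Desktop was enabled normally, so a match is a prompt to verify the three files rather than proof of patching.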

Debugging:
If the patch is not working, check whether the modified versions of the 3 files
are still in place by comparing them with ExamDiff, Total Commander or the Windows
built-in file compare ("FC.exe /?").

The patch is only for 32-bit Windows. There is currently no version for x64. Also,
it doesn’t work on Windows Vista (critical byte pattern changed, so the patcher
fails).
If someone really needs a 64-bit version and can give me a remote desktop connection
to the system, contact me 😉

How it works:
TS-Free-1.1.exe is a RAR SFX archive which will extract all files to
C:\windows\system32 and run TS_free.bat.
TS_free.bat launches WPA-kill.exe, which will remove the self checks from
winlogon.exe to make it patchable (and also disables the product
activation check).
Ts_free.exe is the main patch that will modify
termsrv.dll
winlogon.exe
mstscax.dll
by a pattern search.
Note: patching mstscax.dll is not really important. It just allows you
on XP Pro to connect with mstsc.exe to yourself (127.0.0.1).

Limitations/Known Bug:
On WinXP I discovered the following bug in the previous version (1.1) of this patch:
After termsrv.dll was patched, the following steps bring up a ‘can’t connect’:

Login locally as user1 , switch user – WinKey+L (or taskmgr/user/rightclick)
Login locally as user2 , switch user – WinKey+L (or taskmgr/user/rightclick)
Login/reconnect locally as user2 => Error!

Without patched termsrv.dll it works.

To solve this (at least on WinXP) I added the choice to apply/skip these so-called
‘additional patches’. On WinXP they somehow cause the problem.
They are related to the ‘Windows Version Info’ constants VER_SUITE_TERMINAL and
VER_SUITE_SINGLEUSERTS. On server systems I think the ‘additional patches’ are really
necessary because VER_SUITE_SINGLEUSERTS is not set. VER_SUITE_SINGLEUSERTS needs to
be set so the terminal server will branch into the ‘patched’ branch of the simple
(termsrv.dll!CFullDesktopPolicy::UseLicense) license check.

So far I’ve only tested it on WinXP SP2.

How the patch works – how did I create it.

Preparation:
Get the source of this patch; it contains some more info.
Get debug symbols for winlogon & termsrv
http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx
to add many useful labels and comments to the disassembly.
Get the Antiwpa2 patch, enable decrypt in the options and open winlogon.exe;
also press the apply button to remove the self checks.

Open termsrv.dll/winlogon.exe in OllyDbg and look for references
(Ctrl+N) to
Kernel32!GetVersionExW (ntdll.RtlGetVersion)
VerSetConditionMask
KERNEL32.VerifyVersionInfoW
to get near the version-restricting function – now you’re on your own…

In termsrv.dll look for symbols like
_fDenyTSConnectionsPolicy
LicenseModeInit
LCQueryAllowConcurrentConnections…

For live debugging open the process with the command line <WINXP>system32\svchost -k DcomLaunch
(check the command line column in Sysinternals Process Explorer to see it).

So what about the dots?
If it needs to seek to the beginning of a certain function, you need to find
some unique byte pattern (like a constant or a sequence of commands/bytes)
inside that function and then move to the beginning and write the patch data
there. Seeking with a byte pattern directly to the beginning is not so safe
because all functions start with the same commands. So if it seeks backward or
forward to the beginning, I output dots as a control. Normally this should be
1 or 2 lines – if there are more, it probably didn’t find the correct beginning
(or the beginning is already patched), the patch is applied at some wrong
location and the result is a corrupt file.

History:

1.2 choice to apply/skip additional patches

1.2 Pre Version
Info.txt added

1.1 Byte patterns updated for Longhorn

1.0 Initial Version

<CW2K>

