termsrv.dll Patch

This is a guide on how to enable multiple user logons over Remote Desktop Protocol (RDP) for the Windows Terminal Service.

Steps:

  1. Prepare
  2. Backup
  3. Stop Terminal Service
  4. Ownership and Rights
  5. Patch
  6. Revert Ownership and Rights
  7. Start Terminal Service
  8. When you fail

No Backup?

Prepare

You need a hex editor, for example:

[^1] https://mh-nexus.de/en/hxd/
[^2] https://github.com/WerWolv/ImHex

Backup

Before you begin, make a backup.

> xcopy %windir%\System32\termsrv.dll %windir%\System32\termsrv.dll.backup /V /H /K /X /O /Y

/V: Verifies each file as it is written to the destination
/H: Copies files with hidden and system file attributes
/K: Copies files and retains the read-only attribute if present on the source
/X: Copies file audit settings and SACL information (implies /o)
/O: Copies file ownership and DACL information
/Y: Suppresses prompting to confirm that you want to overwrite existing files
* copying as a file [^2]

More about xcopy on microsoft.com [^1]

[^1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy
[^2] https://ss64.com/nt/xcopy.html

Stop Terminal Service

First try to stop the Terminal Service the normal way (net stop xxx). Sometimes you need to kill the Terminal Service process instead.

> net stop termservice
(yes/no)?: yes
failed to stop Remote Desktop Service

If the normal stop fails, kill the service, using the PID that tasklist reports (1664 in this example) [^1]

> tasklist /svc | findstr /C:TermService
svchost.exe                   1664 TermService

> taskkill /F /PID 1664
Process killed

> net stop termservice

[^1] https://www.windows-commandline.com/start-terminal-services-command-line/

Ownership and Rights

We need to change the file owner to the Administrators group and grant full rights to this group.

> takeown /F %windir%\System32\termsrv.dll /A
> icacls %windir%\System32\termsrv.dll /grant <Username>:F

takeown
/F: Specifies the file name or directory name pattern
/A: Gives ownership to the Administrators group instead of the current user

More about takeown on microsoft.com [^1]

icacls
/grant: Grants specified user access rights. Permissions replace previously granted explicit permissions.

More about icacls on microsoft.com [^2]

[^1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
[^2] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

Patch

Open termsrv.dll in your hex editor with admin rights and use search and replace for hex values.

Search:  39 81 3C 06 00 00 0F 84 85 45 01 00
Replace: B8 00 01 00 00 89 81 38 06 00 00 90
(Offset 1E6A5, where the replacement should be found)

Save the file.

Revert Ownership and Rights

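You should set the Admin-Group permission back to RX (Read – eXecute). Use /grant:r here: a plain /grant adds to the explicit permissions already granted, so the earlier F entry would stay in place.

> icacls %windir%\System32\termsrv.dll /grant:r <Username>:RX

After that, set the owner back, too.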

Open the File-Settings –> (Tab) Security –> (Button) Advanced –> Owner (Link) Change

The new and old Owner is “NT Service\TrustedInstaller”, confirm with ok and close the Dialog-Windows.
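
Added example (not part of the original guide): a read-only PowerShell check that reports whether termsrv.dll carries the original or the replaced byte sequence, and whether owner, signature status and backup hash look as expected after the steps above. The byte patterns, the offset and the backup file name are taken from this guide; the helper name Find-Bytes and the report field names are assumptions of this example.

```powershell
# Added example: read-only state check for termsrv.dll; it modifies nothing.
param(
    [string]$Dll    = "$env:windir\System32\termsrv.dll",
    [string]$Backup = "$env:windir\System32\termsrv.dll.backup"  # name from the Backup step
)

# Byte patterns and offset exactly as given in the Patch step of this guide.
$original       = [byte[]](0x39,0x81,0x3C,0x06,0x00,0x00,0x0F,0x84,0x85,0x45,0x01,0x00)
$patched        = [byte[]](0xB8,0x00,0x01,0x00,0x00,0x89,0x81,0x38,0x06,0x00,0x00,0x90)
$expectedOffset = 0x1E6A5

# Hypothetical helper: emits every offset at which $Pattern occurs in $Data.
function Find-Bytes([byte[]]$Data, [byte[]]$Pattern) {
    $hits = @()
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $j = 0
        while ($j -lt $Pattern.Length -and $Data[$i + $j] -eq $Pattern[$j]) { $j++ }
        if ($j -eq $Pattern.Length) { $hits += $i }
    }
    $hits
}

$data      = [System.IO.File]::ReadAllBytes($Dll)
$origHits  = @(Find-Bytes $data $original)
$patchHits = @(Find-Bytes $data $patched)

# "unknown" covers files where neither pattern exists, e.g. another termsrv.dll build.
$state = if ($patchHits.Count -gt 0) { 'patched' }
         elseif ($origHits.Count -eq 1) { 'original' }
         else { 'unknown (pattern absent or ambiguous)' }

# Compare against the backup only if the backup from this guide is present.
$same = if (Test-Path $Backup) {
    (Get-FileHash $Dll).Hash -eq (Get-FileHash $Backup).Hash
} else { 'no backup found' }

[pscustomobject]@{
    State              = $state
    OriginalPatternAt  = ($origHits  | ForEach-Object { '0x{0:X}' -f $_ }) -join ', '
    PatchedPatternAt   = ($patchHits | ForEach-Object { '0x{0:X}' -f $_ }) -join ', '
    OffsetMatchesGuide = (($origHits + $patchHits) -contains $expectedOffset)
    Owner              = (Get-Acl -Path $Dll).Owner      # expected after revert: NT SERVICE\TrustedInstaller
    SignatureStatus    = (Get-AuthenticodeSignature -FilePath $Dll).Status
    SameAsBackup       = $same
} | Format-List
```

The same report, run on a machine you administer but did not patch yourself, shows whether someone else changed the file.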

Start Terminal Service

If you did everything right and made no mistakes, you can start the Terminal Service again with:

> net start termservice

First connect

Connect to 127.0.0.2 instead of localhost or anything else to reach your PC on the loopback interface.

When you fail

Boot into safe mode, delete the termsrv.dll and use the backup instead.

No Backup

No Mercy!

Good Luck, Survivor!