termsrv.dll Patch
This is a Guide how to activate multiple User-Logons over Remote Desktop Protokoll (RDP) for Windows Terminal Service.
Steps:
- Prepare
- Backup
- Stop Terminal Service
- Ownership and Rights
- Patch
- Revert Ownership and Rights
- Start Terminal Service
- When you fail
Prepare
you need:
- Your OS Version (Windows10 x64 Professional)
- %windir%\System32\termsrv.dll – Version –> Settings –> Details –> Version (10.0.19041.2673)
- Hex-Editor (may be HxD [^1] or imhex [^2])
- Hex-Replacements (for your specific termsrv.dll Version)
- Search 39 81 3C 06 00 00 0F 84 85 45 01 00
- Replace B8 00 01 00 00 89 81 38 06 00 00 90
- Offset 1E6A5
- CMD with Admin-Rights
[^1] https://mh-nexus.de/en/hxd/ [^2] https://github.com/WerWolv/ImHex
Backup
Befor you begin, make a backup.
> xcopy %windir%\System32\termsrv.dll %windir%\System32\termsrv.dll.backup /V /H /K /X /O /Y
/V: Verifies each file as it is written to the destination /H: Copies files with hidden and system file attributes /K: Copies files and retains the read-only attribute if present on the source /X: Copies file audit settings and SACL information (implies /o) /O: Copies file ownership and DACL information /Y: Suppresses prompting to confirm that you want to overwrite existing files * copying as a file [^2] more About xcopy on microsoft.com[^1]
[^1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy [^2] https://ss64.com/nt/xcopy.html
stop Terminal Service
first try to stop Terminal Service normal (net stop xxx), sometimes you need to kill Terminal Service
> net stop termservice
(yes/no)?: yes
failed to stop Remote Desktop Service
if normal stop fail, kill the service [^1]
>tasklist /svc | findstr /C:TermService
svchost.exe 1664 TermService
> taskkill /F /PID 1664
Process killed
> net stop termservice
[^1] https://www.windows-commandline.com/start-terminal-services-command-line/
Ownership and Rights
we need to change the file-owner to Administrator-Group and grant Full Rights to this Group
> takeown /F %windir%\System32\termsrv.dll /A
> icacls %windir%\System32\termsrv.dll /grant <Username>:F
takeown /F: Specifies the file name or directory name pattern /A: Gives ownership to the Administrators group instead of the current user more About takeown on microsoft.com[^1]
icacls /grant Grants specified user access rights, Permissions replace previously granted explicit permissions. more About takeown on microsoft.com[^2]
[^1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown [^2] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
Patch
open termsrv.dll in your Hex-Editor with Admin-Rights and use Search and Replace for Hex
Search 39 81 3C 06 00 00 0F 84 85 45 01 00
Replace B8 00 01 00 00 89 81 38 06 00 00 90
(Offset 1E6A5
, where the Replacement should be found on)
Save the file.
Revert Ownership and Rights
You should set the Admin-Group permission back to RX (Read – eXecute)
icacls %windir%\System32\termsrv.dll /grant <Username>:RX
and after them set the Owner back, too.
Open the File-Settings –> (Tab) Security –> (Button) Advanced –> Owner (Link) Change
The new and old Owner is “NT Service\TrustedInstaller”, confirm with ok and close the Dialog-Windows.
Start Terminal Service
if you did right and make no mistakes you can run Terminal Service again, with:
net start termservice
First connect
Connect to 127.0.0.2 instead of localhost or any else to reach your PC on loopback-Interface.
When you fail
boot in secure mode, delete the termsrv.dll and use the Backup instead.
No Backup
No Mercy!
Good Luck, Survivor!