Multiple RDP sessions in Windows. Fixing the limitations of RDP using RDP Wrapper Library

To patch new versions (provided the logic of the relevant code section has not changed significantly), do the following:

0. These instructions are meant for more or less educated and, above all, intelligent specialists who know how to think. Those who are used to doing everything by copy/paste will most likely not cope and will produce the usual moans of "too many words", "too hard" or "didn't get it", more out of fear and habitual thinking than because of the actual difficulty of the task. That is their lot: as they say, those born to crawl cannot fly. Don't let yourself wither, Anon! Either give up or get to work and start respecting yourself!

1. Download any version of Hiew, paid or free.
Even very old versions from the 90s will do, but if you need to patch x64 you need 8.x (from the mid-2000s :)); better, of course, to take a fresh one. The author has been developing this product for 25 years, and there are few creations of programming craftsmanship more perfect than it.

2. Take TERMSRV.DLL of some supported version: both the original and the patched copy. If you don't have a patched copy, it is reasonable to assume that you need to patch it with the patcher that was made for it. Don't be dumb! Start thinking! Put all the files in a separate folder or folders. Don't try to edit anything on the single copy in System32. Nothing will happen anyway (writing to System32 is blocked), and you will only make a mess.

3. Compare the patched and unpatched versions of the same DLL with any binary file comparator. The console utility FC ships with Windows. "FC /B TERMSRV.org Termsrv.crk > differences.txt" does the job. The list of differences, and it is small, about 20 rows, goes into the file differences.txt.
Open the file in a text editor and either leave it open or copy the changed bytes onto a piece of paper. Note right away that all offsets and byte values, here and below in HIEW, are given in hexadecimal. That should not "scare" you, because you won't even need to convert anything to decimal. (If you suddenly do, for general education, the Windows calculator can help.)

In the list we see three notional blocks in which the addresses run consecutively. The first block is 2 bytes near the very beginning of the EXE, at offset 140h-something (a DLL has the same format as an EXE, the only difference being that it contains only procedures and functions for external calls, the so-called exports, so you cannot run it directly by renaming it to .EXE). This is data: these offsets fall inside the EXE file header. Stored at these offsets is the checksum of the code and data (without the header), which Windows verifies before launch to make sure the file was not damaged and nothing is wrong with it, notably when trying to execute it. We will come back to it later.
Next comes a block of roughly 10 changed bytes. This is exactly what we will study. After it there is one more block of changes: the last 6 bytes of the EXE. It boils down to the author having written his own name "DeepXW" into the empty space at the end instead of zeros. A deep bow for the patch and the idea, but we will not repeat his "flourishes" when porting the patch, for no particular reason; anyone with nothing to do on long winter evenings can do it as an exercise in "writing ordinary letters into empty spots of EXE files using HIEW". You may treat it as a tribute to the author (nobody reads "there" anyway).

3. Open the original DLL in one HIEW window and the patched one in another (start two copies of HIEW! In general it is much more convenient to use Far, with its two panels, as the file manager and as the launcher for "this your" HIEW). In both press F4 (Mode) and choose Decode (F3). We will see a disassembly of the file from its very start. There is nothing to look at there, because HIEW "tries" to disassemble the EXE file header, and that is data, not code. Don't stare at it; that it shows you garbage there is completely normal, because here you have to think, not "copy"! Once again: don't try to follow the instructions stupidly and literally...

4. In both HIEWs (one at a time, damn it, we are thinking here...) press F5 (Goto); an input field appears at the top. Type the address of the first difference (from the second block!) found in the differences file. For example, in Win7SP1x86RUS these addresses are in the 19100h area, and in VistaSP2ENG (x86 or x64, who knows), as I saw on the author's blog, they are around 65200h. We land on the first corrected byte.

The data in this HIEW window looks like this:
- The first column is the HEX offset, either from the start of the file or in process memory, depending on the HIEW mode selected with Alt-F1 (Global/Local). By default it shows Local, i.e. as in memory, if HIEW can make sense of the format of the code/data. In our case this is no problem, because the EXE format makes it easy to "figure out". So don't be afraid of seeing 06F2F8D51 there instead of the 19153 you typed. Memory addressing matters for understanding how the process is addressed as it runs, which is handy for code analysis if you need it.
- The second column is the hexadecimal representation of the code/data, parsed into which bytes are code, which are data, and which instruction they belong to. That is why each line has a different length. It is shown like this purely for your convenience. "In fact" (c) in the file itself they are all "glued" together in one row, which you can see in the "plain" HEX view (F4 -> Hex), where the HEX bytes are "dumbly" shown on the left separated by spaces, and on the right the "gibberish" from the ASCII table that these bytes correspond to, just like in "any" good old HEX editor of the WinHex kind whose screenshots you saw on "any" kewl-hacker site. All the time we are working with the same bytes the computer actually works with. The only question is their presentation and interpretation. When you copy an executable from disk to disk it is all data and no code, because nobody is executing anything. But once you tell Windows that this is an executable and run it, Windows splits it into code and data and starts the code from a predetermined standard place given in the header, after which the processor reads the executed code further according to its structure, and it is again split into code and data, and so on.
In F4 -> Decode mode, instead of the "gibberish", we are shown the bytes and their "true meaning".
- The third (right) and largest column (more precisely, a pair of columns) shows the disassembled code: a textual, so-called "mnemonic" representation of that same code (assembly language), intended for simplified, understandable perception by a "homo sapiens", with his wonderful analog associative thinking, who finds "naked" abstract code sequences extremely hard to read.

5. Having jumped to the desired offset in the previous step, we see that the cursor (it is grey :)) points at the beginning of a 6-byte command (in x64 there may be more bytes) with the corresponding "disassembled" instruction of the form CMP EAX,
If you take one line above and a little lower, you get something like:
MOV EAX,
CMP EAX,
JZ .06F30B25E.
Push EDI
PUSH 020.
Call .06f2e1440
Pop Ecx
To understand this construction you don't have to be an "assembler connoisseur", although it is recommended to have at least basic knowledge of "programming in some language or other". Knowing English doesn't hurt anybody either!

The first instruction (which is not patched, it is "above the first difference") is called MOV. What, pardon me, is the first association from English that comes to mind? Right: Move. The instruction's arguments go in the second "sub-column". EAX and EDI are so-called 32-bit registers, single memory cells inside the processor itself, meant for storing data while it is being processed. Almost all registers are of the same kind; in theory you can write anything into any of them as long as it fits, but some are traditionally used for particular kinds of data (so as not to get confused): for example, EAX, EBX, ECX, EDX are used directly for "user data", with ECX traditionally serving as a counter (for loops, say), while ESI and EDI are pointers to some current position in memory, addresses to work with. Some registers are hardware-dependent and "better not touched": for example, the IP register automatically holds the address of the current instruction the processor executes, and if you try to write your own data there, a variable of your program, the processor will jump to the instruction at that address and everything will crash. ESP points to the stack, a sort of "bottle" where whoever got in first gets out last (first in, last out), intended for temporary storage of data that doesn't fit in the registers but that makes no sense to push back into memory because it will be needed again soon. To work with data, usually a byte (8 bits), a word (16 bits), a long word (32 bits) or a double long word (64 bits, on 64-bit processors) is moved from memory into a register. To work with short data you can address parts of a register (EAX consists of AX, the lower 16 bits, and AH and AL, which are parts of AX itself), but that is outside our task.
Then some arithmetic transformation is done with the data in the register, after which the result is put back into memory, into the same cell or some other one allocated for it by the author of the program (or his compiler).

Addresses are written in square brackets. If you need to take data from the memory cell at some address, rather than the address itself, you simply write the address in square brackets. A construction of this kind means that the data must be taken from the memory cell whose address is obtained by adding 324H to the value in the ESI register. In assembler it is customary to write this more clearly, but the author of Hiew found it more convenient to show it this way, perhaps for clarity. When entering commands, HIEW accepts the standard form of such constructions perfectly well, as shown below.

In total we understand that this instruction takes the data (4 bytes = 32 bits) at the address and puts it into the EAX register. The next instruction (which is already patched) is CMP. The first thing that comes to the mind of a pupil who diligently learned English at school is Compare. So we are talking about a comparison. Otherwise it is the same as in the previous instruction, only the address is the neighbouring one. The instruction
CMP EAX,
compares the contents of the EAX register with the memory cell at the address. The previous instruction loaded EAX with the number from the neighbouring cell. Now it is compared with the number from this cell. What's complicated about that, pardon me??? You could teach it to a sheep! It is certainly simpler than the "multi-kilometre" objects of some crapware, dragging along thousands of properties you can drown in...
What about the result? Compared, fine, but where's the point, asks the attentive reader... how do we know where the dog is buried? The result is stored in the special flags register. In this reserved register each bit means a certain flag. In particular there is the zero flag, ZF. If the comparison instruction finds that the numbers are equal, the flag is set (1), if not, it is cleared (0) (or the other way round, too lazy to check the docs, it doesn't matter). Likewise there is another flag for greater/less: SIGN. Flags are changed by instructions that affect them and stay in their position until they are changed by other instructions that affect them. Therefore, after CMP we can execute any other instructions that depend on the state of the flag, until we execute one that changes it. The state of the flags is read by conditional jump instructions and a few others; all other instructions ignore them.

Next comes the instruction
JZ .06F30B25E.
Instructions starting with J [almost] all mean Jump, i.e. a transfer to another place. This one belongs to the conditional jump instructions and reads as Jump if Zero, i.e. go to the address if the zero flag is set. If the flag is not set, "nothing happens". The argument is the jump target address (they come in different kinds, relative or absolute, "far" or "near" in memory; here the address is given in the program's address space as configured by the EXE header; there is no point going into it, it only complicates things). If the previous instruction found its arguments equal, the jump happens; if not, the processor carries on to the next instruction.

The next 2 instructions
Push EDI
PUSH 020.
We remember that in English Push means to shove, to push. Here it means pushing numbers onto the stack, the temporary storage. It is often used to save variables before entering a procedure, because inside the procedure the registers may be used for other purposes; with the stack you can save register values and pass arguments to the procedure, which will pull them off the stack after entry, and pass results back if any are produced and needed. The convenience is that you don't have to bother allocating address space for storing a substantial volume of temporary data. If you need to pass an array, just pass its address in memory. There is no reason to pass all the elements of the array; that only wastes memory and processor time, as happens in sloppy coding. (When, by the logic of the program, you need to keep an original copy of the array, that is a different situation, and the programmer deliberately copies the array on purpose.)
When working with the stack the processor itself takes care of everything; the stack area is allocated by the operating system with hardware support for the process.
The first instruction saves the value of EDI, a pointer register, into a certain area of memory, and the second pushes the predefined constant 20h there. Probably some argument of the procedure, but that does not matter to us, because we don't need to redo the analysis the author of the patch did: we are porting a finished patch to another version of the program, and that is usually simple!

The next instruction
Call .06f2e1440
In English Call means a call, calling.
We are talking about calling a procedure. There are no procedure names in the code, only the addresses where their code is located. For convenience, disassemblers (HIEW included) can pull procedure and function names from the imports and exports of EXE files (that is how different programs and "libraries" interact after compilation: procedures are given names by which they can be called from another program, but internal procedures have no names after compilation). In the sources the names were there, of course, but after compilation they are gone... they would only take up space. The processor does not need to know anyone's names, it counts numbers... Sometimes decompilers/disassemblers manage to pull procedure names from debug information (if some sloppy coder forgot to strip it and bloated the binary with useless info), and this helps in analyzing the code, but in our case even that does not matter. We do not need to understand why this procedure is needed and what it does... I remind you, we have a ready patch, and if we manage to port it "without adventures" we won't need to dig into it at all.

The last instruction
Pop Ecx
POP is the inverse of PUSH, i.e. pull out the last pushed value, in this case into the ECX register. Probably this instruction is needed to extract the result of the procedure, but we don't care about that either, in part because this instruction, like the 2 PUSHes above and the CALL, does not change after the patch; they are given only for a general picture and as a landmark for the patch. After the patch all these instructions stay in place, as does everything after them.

6. Now we take the patched termsrv.dll in the other HIEW window, at the same address, and look at what instructions are there.
MOV EAX,
MOV EAX, 000000100
nop.
Mov, Eax
Push EDI
PUSH 020.
Call .06f2e1440
Pop Ecx
Differences are visible only in the second, third and fourth instructions.
Second: MOV EAX, 000000100
Simply loads the constant 100h (= 256) into the EAX register.
Third: NOP
The "funniest" one: no operation, does nothing at all, ever. Why is it needed? It is needed to keep the code/data in sync. The thing is that the original and patched code must coincide exactly in the number of bytes and in the boundaries of the commands (together with their arguments). If something shifts by even one byte, the processor will go "off the rails": it will take some instruction argument as a command and the following bytes as that command's arguments, even if a different command code is there. Everything breaks immediately and fatally; 99% the program crashes with a fatal error. The NOP command has the code 90h and takes one byte. If there is excess code that is unnecessary or even harmful for the purposes of the patch, it, with its arguments, can be replaced by as many NOPs in a row as bytes it occupies. Among hackers this is called "NOPing out". In fact this is the only way to delete excess code from executable code, because it is not text, and any "cutting out of the middle" "to shorten it" immediately shifts everything, breaks all the addresses and nothing works at all. The "worst" case is when the new code that must replace the old does not fit into the "old" place... That is where the hacker's headache starts: how to squeeze it in...
Fourth: MOV ..., EAX
Stores the number from the EAX register into the memory cell.
In principle the third and fourth, or the third and second, instructions could be swapped; it would change nothing. But the NOP cannot be removed by any means, because the new commands are one byte shorter than the old ones, and such a discrepancy, if not compensated by the NOP, would immediately throw the code out of sync.

Comparing "with what was there" immediately puts everything in its place!
It was: take a number from a cell, compare it with a number from another cell. If equal, jump "somewhere"; if not, go on and execute the procedure. In the context of the task this looks like a comparison of the number of permitted connections with the permitted limit (i.e. 1 for a workstation or 2 for a server). The limit is stored in some constant whose address is given in the comparison instruction.
It became: take a number from the cell, ignore "this business" and immediately overwrite the EAX register with the constant 100h (= 256, i.e. apparently a new limit of 256 connections), then store this number into the cell.
Nobody compares anything, and the procedure called below will always execute. In addition, the cell which obviously holds the connection limit is "forcibly" overwritten with the new limit = 256, in case the limit is checked somewhere else in the program. THAT'S ALL! It is hard to come up with anything more primitive!

If we had to find this place on our own, we would have to trace the procedures of this DLL in a debugger as the author of the patch did, or disassemble everything with something like IDA and carefully study code containing hundreds of thousands of instructions. But we have everything ready! It is like the joke about the mechanic who hit the car once with a hammer and it started; the subtlety is that he knew where to hit, and that costs a lot of work. (Just don't bring up money here, you know where to shove it! Especially on a holiday! For fans of "earning on the Internet" there are specialized sites.)

Why doesn't the patch work on all subsequent versions? Because the addresses change, and the code (its arguments) changes slightly on recompilation. This shifts the desired code inside the EXE to other offsets, and if you search by signature (a strict sequence of bytes) it may not be found because the addresses have changed. Many addresses are also instruction arguments and change the binary code beyond recognition, even though it is all the same... Do it by hand! You have a head on your shoulders, not a "strict sequence of convolutions"...

7. Now, in the original TERMSRV.DLL version that the patcher does patch, you need to find some sequence of bytes, unique in the context of the program, near the place that needs to be patched, in order to search for it in the new version of Termsrv.dll that you want to patch but the patcher does not...
You need to look at the disassembly but search for the bytes that correspond to it, and if you pick something too "simple", that combination will be found many times in the search and it will be hard to find the right place; it will "sink" among a heap of similar ones. And "accuracy of hit" is extremely important to us, because if you patch "the wrong place" it won't work and Windows will hang...
You cannot choose instructions containing long fixed addresses for the search string. When other versions are compiled, those will most likely change and you will find nothing by them in the new version.
The whole procedure where the check happens is small, just a couple of dozen commands. For assembler that is "nothing". HIEW shows you the notional boundaries of the procedure as "bands" _ ^ _ ^ _ ^ _ ^ _ ^ _. Note that at the beginning of the procedure there is a call to an "imported" Windows API procedure, CDEFPOLICY::Query, and Hiew has named it (it has taken the function name and written it out). This should be a good landmark for you on the way to the right place. Besides, this "kind of hints" that there might be a different way to solve the problem, for example finding some "secret" policy responsible for the behaviour of Terminal Server. Those who wish can step through the code in the debugger and look for how the variable or constant holding the number of connections is initialized. But the "code from CDEFPOLICY" is not suitable for the search string, because the address of the procedure in the imports most likely changes in the new version. I would try searching for the bytes from the beginning of the procedure after CDEFPOLICY. There we have:
57 Push EDI
6A10 PUSH 010.
8BF1 MOV ESI, ECX
33DB XOR EBX, EBX
57 6A 10 8B F1 33 DB
At the end you can also add the code of the CALL instruction that follows, E8, but not its argument (the next bytes), because that is an address and it changes when new versions are compiled.
Such a sequence, when searched for in Hiew (F7 - Search), gives me
3 matches in total, and the CDEFPOLICY call is visible in context in only one case, the first. If you have found the place as well, write down its address from the first column (after pressing Alt-F1 - Global!) "on a piece of paper" and try to patch.
If the code has changed so much that nothing is found, we look for other unique sequences, including in adjacent procedures, and try searching for them. The task is to find the desired code where "everything coincides in meaning", not a byte sequence; we think about it and look at the context, trying to find CDEFPOLICY::Query in the new version. You can search for the text CDEFPOLICY::Query in new.dll; you will find the string (several times) but not the place where it is referenced. Such a method sometimes helps find what you want using F6 (Reference) in HIEW, and I managed to find the right place in the DLL from Win7SP1x86RUS for the sake of the experiment, but it is not a given that it will work everywhere, even less so with other programs.

8. Now take the termsrv.dll of the version you need to patch. We launch a third copy of HIEW and open the new DLL in it (so as to switch easily between all three and compare visually). We find the right place as described just above, or go to the address written "on a piece of paper" (a piece of paper is a programmer's friend in this glossy world, where hard drives die, power goes out and the OS hangs).
We analyze the code below CDEFPOLICY::Query and easily find the right place, looking like:
CMP EAX,
JZ .06F30B25E.
We understand that the address may differ; if it has changed, that changed address is the one you need, and you work with it from here on.

9. Once you are convinced that you have found exactly what is needed, put the cursor on the CMP instruction and boldly press F3 (Edit). The "grey" cursor changes to the "normal" one (as in text display mode) for overwriting. It should point at the same CMP instruction.
Press Tab (or F2) and the assembler instruction entry dialog appears.
Enter the instruction
MOV EAX, 100
Then press Enter. On the main screen you will see that the bytes "of the instruction" have changed and some of them turned "golden" (yellow). At the same time the instructions below "moved" and the right column opposite them shows "gibberish", nothing like what was there before.
The command entry dialog over the main window keeps "hanging" and waiting for new instructions, showing some next instruction, incorrectly interpreted because of the shift in addressing.
Pay no attention to this instruction and type the next one.
Type NOP and press Enter.
In the main window the next line lights up yellow with code 90.
Synchronization is restored and the next command is JZ again. The instruction entry dialog offers to change it.
Type there
Mov, Eax
If the CMP command had a different address instead of 320, type that one instead!
Press Enter. After that the code lights up in the 3rd row, and to the right of it should be the instruction MOV ..., EAX (with 320, or with whatever number you typed).
We check that the code/data synchronization has not drifted. The next instruction should be PUSH EDI (or another one if the code changed a lot and there was a different instruction after the patch site; it must stay in place and be interpreted correctly, which shows that everything after it is OK).

When everything is typed in, press Esc. The instruction entry dialog disappears, but it can be called again at any time (in edit mode) by pressing Tab. All modified bytes are yellow. Check that everything looks correct and nothing has been broken. Nobody will check it for you here; there is no "fool-proofing" of any rank or title. Nobody will look at your credentials. What you did is what you get. Mess it up and it will hang and not work.
If all is OK, press F9 (Update). The changes are written to the file on disk and the modified bytes change colour back to the usual (cyan).

10. Now you need to correct the checksum of the EXE. Doing it by hand is insanely boring; look, HIEW will do this work for you and there is almost nothing to do. Press F8 (Header). A "grey, unobtrusive" window appears with the "decoding" of the EXE file header parameters.
Press F3 (Edit). On top of the "non-bright" window a "colourful" purple one appears. It lists all header parameters with their addresses and values. With a bored face scroll closer to the end and find the Checksum parameter there. On the right it shows (the actual checksum) in hexadecimal and decimal, left "as an inheritance" from the original unmodified file. Press F3 again and, oh miracle, the line turns yellow and the checksum changes its value. You can trust HIEW, or you can find the algorithm on forums or in books and compute it by hand. If "everything is satisfactory", press F9 (Update). The window flickers, everything disappears... "This is the end", thinks the inattentive reader. But when the dust settles, the checksum turns out to be correct. The meticulous can open the mentioned dialog again and compare the Checksum with the one carefully saved before the edit in the backup on a piece of paper. You can leave HIEW with Esc and move on to testing your work.
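Two helper steps above are delegated to tools: listing the differing bytes between the original and patched DLL (step 3, FC /B) and recomputing the header checksum (step 10, HIEW's F8 -> F3). The following is an added example, not code from the article or from Hiew, that does both in Python: it groups byte differences into consecutive "blocks" and implements the PE image checksum (the ImageHlp CheckSumMappedFile algorithm) so a file can be checked or fixed. The MZ/PE skeleton, the offsets 0x100/0x106 and the patched byte values are constructed for the demonstration and are not taken from a real termsrv.dll.

```python
import struct


def diff_blocks(a: bytes, b: bytes):
    """Like reading FC /B output: return [(offset, old_bytes, new_bytes), ...],
    one entry per run of consecutive differing offsets (the article's 'blocks')."""
    if len(a) != len(b):
        raise ValueError("patched file must keep the same size as the original")
    blocks, i = [], 0
    while i < len(a):
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < len(a) and a[i] != b[i]:
            i += 1
        blocks.append((start, a[start:i], b[start:i]))
    return blocks


def checksum_field_offset(pe: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (COFF file header) + 64 (CheckSum position inside the optional header)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(pe: bytes) -> int:
    """Recompute the PE image checksum: ones'-complement sum of all 16-bit
    little-endian words except the CheckSum field itself, folded to 16 bits,
    plus the file length."""
    cs_off = checksum_field_offset(pe)
    data = pe + b"\0" if len(pe) % 2 else pe   # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        if cs_off <= i < cs_off + 4:           # skip the field being computed
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(pe)) & 0xFFFFFFFF


def stored_checksum(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, checksum_field_offset(pe))[0]


def checksum_ok(pe: bytes) -> bool:
    """True when the header checksum matches the contents. A zero field means
    the linker never set one, in which case Windows does not check it."""
    stored = stored_checksum(pe)
    return stored == 0 or stored == pe_checksum(pe)


def fix_checksum(pe: bytes) -> bytes:
    """Return a copy with the CheckSum field rewritten (what HIEW does on F8, F3, F9)."""
    buf = bytearray(pe)
    struct.pack_into("<I", buf, checksum_field_offset(pe), pe_checksum(pe))
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal MZ/PE skeleton (not a real DLL); only the header fields
    the functions above read are filled in. The article's instruction sequence
    is placed at the made-up offset 0x100:
    MOV EAX,[ESI+320]; CMP EAX,[ESI+324]; JZ rel32; PUSH EDI; PUSH 20."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)           # optional header Magic: PE32
    buf[0x100:0x115] = bytes.fromhex("8B8620030000 3B8624030000 0F8400000000 57 6A20")
    return fix_checksum(bytes(buf))


def apply_sample_patch(pe: bytes) -> bytes:
    """Replace CMP (6 bytes) with MOV EAX,100h + NOP (5 + 1 bytes) and JZ (6 bytes)
    with MOV [ESI+320],EAX (6 bytes), exactly the article's patch, without
    touching the checksum so the mismatch can be observed."""
    buf = bytearray(pe)
    buf[0x106:0x112] = bytes.fromhex("B800010000 90 898620030000")
    return bytes(buf)


if __name__ == "__main__":
    original = build_sample_pe()
    patched = apply_sample_patch(original)
    for off, old, new in diff_blocks(original, patched):
        print(f"{off:08X}: {old.hex(' ')} -> {new.hex(' ')}")
    print("checksum ok before fix:", checksum_ok(patched))
    print("checksum ok after fix: ", checksum_ok(fix_checksum(patched)))
```

Run against a real original/patched pair, `diff_blocks` reproduces the FC /B listing grouped into blocks, and `checksum_ok` tells you whether a patched copy still has a consistent header before you try to load it.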

11. Having obtained the patched file, you can try replacing termsrv.dll in the target OS.
Because of the Windows mechanisms protecting system files from modification, and the ban on writing to running programs (Sharing Violation), you will need to stop the Terminal Services service (see the comments of other users above) and also replace the copies of the DLL in "WinSXS" etc., so that Windows does not even think of restoring the unpatched version on its own.

If everything works, you have become a kewl hacker, or at least made the first conscious step on that path. Nobody stops you from digging and learning further, making the world better and kinder. On the net there are plenty of instructions and whole themed forums for those who want to think with their own heads, and not just consume the endlessly multiplying porn from the matrix.

Don't be stingy with the list of modified bytes (you can get it with the same "FC /B file1 file2") for other, less sophisticated users, here and/or on other resources; do a good neighbourly deed, as the Lord bequeathed, and glorify His name in the annals of hacker history.

From the list of changes you can make a .CRK file (for patchers that understand this ancient format), or produce a Patch.exe with the help of any patch maker, of which dozens and hundreds have been written over the years of evolution. Just choose one "with support for Windows Vista/7", because the old ones, though perfectly good, know nothing about Escalate Privileges, and Windows will simply not allow them to patch anything in Windows/System or Program Files. In the instructions, mention the requirement to stop the Terminal Services service, or to use the patcher on files in separate folders followed by the users themselves copying them into System32. In any case, publish the list of changes and don't rest on your "laurels", since someone may have to do it by hand and the info will help find an alternative solution. The author's patcher does all this automatically, including the work with WinSXS (I looked at the code), but finding a patch maker that takes all this into account is not so simple.

There is a very convenient opportunity to make from an ordinary Windows 7 something like a terminal server, with the ability for several RDP users to connect to and work on one computer. This may be relevant in a small office for working in 1C via RDP. Several people will easily be able to work on an ordinary computer.
The thing is that the remote desktop in server versions of Windows supports two simultaneous connections by default, for troubleshooting and administering the computer. Other users can connect at the same time as long as you have the necessary client access licenses for that server and the machine can cope, i.e. it has enough resources.

To allow several users to work with one computer at the same time, you need to remove this limit. For this, the DeepXW team created a universal patch. The patch modifies the file TERMSRV.DLL, which is located in %SystemRoot%\System32\.

Method one

The patch supports:

  • Windows XP SP2 SP3;
  • Vista SP1 SP2;
  • Windows 7;
  • Windows Server 2008 SP1 / SP2.
Download and unzip the archive, then run the appropriate file with administrator rights (right-click the executable and select "Run as administrator"). For 32-bit systems UniversalTermsrvPatch-x86.exe is used, for 64-bit UniversalTermsrvPatch-x64.exe.

A window will appear, as in the picture above, where you can patch termsrv.dll to remove the remote desktop session limit, or restore the original file at any time (path to the backup file: \Windows\System32\termsrv.dll.Backup). After applying the patch, restart the computer and you can start working.

To check that the limit has been removed, leave one user's session open on the computer where you applied the patch, and from another machine try to connect to that computer remotely as a different user. If everything went well, both users will be active in the system, each in their own session.

Original: http://www.techspot.com/guides/485-windows-concurrent-sessions/

To date there are 2 more ways to make a terminal server out of Windows 7 SP1: the first with a patch to the TERMSRV.DLL library, the second without. The second way is preferable, but if something does not work, you can use the first. Now in more detail about these methods.

Method two

You can do everything manually; anyone who understands it can do so based on the contents of the archive. The .cmd file describes all the actions that will be performed on the system. For those who do not want to get into it, there is an Install.cmd script. To install the patch, run it as administrator.

That's all. You can check it by connecting. You need to create user accounts, and don't forget to allow them to connect to the remote desktop:

Method three

Windows XP Professional and Windows XP Media Center Edition (MCE) have a Remote Desktop (RDP) service which lets you connect to the computer remotely and access and control it from another computer or host. However, machines running Windows XP allow only one user at a time to connect to the remote desktop; multiple Remote Desktop Connection sessions are not supported.

Whenever a remote user connects to a Windows XP host through the Remote Desktop Connection (RDC) client, the local user is logged off with the console locked, with or without their permission. Remote Desktop, unlike Terminal Services in Windows Server 2003 and Server 2008, is designed for a single user, whether local or remote.

Here is a hack to unlock this limit, allowing several simultaneous Remote Desktop Connection sessions in Windows XP Professional and Media Center Edition, using either a patched termsrv.dll or the old termsrv.dll build version 5.1.2600.2055, so that an unlimited number of users can connect to the computer simultaneously via Remote Desktop.

  1. Download a copy of the patched termsrv.dll that removes the remote desktop connection restriction for your version of Windows XP:

Windows XP SP3: termsrv.dll (version 5.1.2600.5512)

For information, the patch typically overwrites the following bytes of termsrv.dll (hexadecimal offset: original value, new value):

00022A17: 74 75
00022A69: 7F 90
00022A6A: 16 90

  2. Restart the computer and boot into Safe Mode by pressing F8 during boot and selecting Safe Mode. This step is needed only if you are currently using Windows Terminal Services or Remote Desktop Services: Windows File Protection must be bypassed, otherwise an error message appears and the original termsrv.dll is restored.

  3. Go to %WinDir%\System32 and back up (or rename) termsrv.dll.

  4. Move or delete termsrv.dll in the folder %WinDir%\System32\dllcache.

  5. Copy the downloaded termsrv.dll to %WinDir%\System32, %WinDir%\ServicePackFiles\i386 (if present) and %WinDir%\System32\dllcache.

  6. Download and run the registry file to merge the values into the registry, or start Registry Editor manually and add the following registry values:

"EnableConcurrentSessions"=dword:00000001

"AllowMultipleTSSessions"=dword:00000001

  7. Click Start -> Run, type gpedit.msc and press Enter to open the Group Policy Editor.

  8. Go to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.

  9. Configure the "Limit number of connections" policy and set the number of connections to 3 (or more). This setting allows more than one user to use the computer at the same time.

  10. Enable Remote Desktop on the Remote tab of System Properties by selecting "Allow users to connect remotely to this computer".

  11. Enable Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.

  12. Boot the computer as usual.

Note: if you cannot replace or overwrite the termsrv.dll file (access denied or file in use error), stop the "Terminal Services" service in the Services section of Administrative Tools. In addition, each connected user must have their own user account on the target computer, and must authenticate with the corresponding username and password.

To uninstall and return to the original termsrv.dll, simply delete the patched version and rename the backup back to termsrv.dll. If Terminal Services is enabled and running, you need to do this in Safe Mode.
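As an added example (not part of the article), here is a PowerShell function that reads a difference list in the format FC /B prints ("offset: old new", all hexadecimal, as in the three lines listed under step 1) and reports whether a given copy of the DLL still carries the original bytes, the patched bytes, or something else at those offsets. It only reads the file, so it can be used to verify a system's state before or after the restore described above; the offsets used in the usage line are the ones the article gives for termsrv.dll 5.1.2600.5512, and the path is assumed.

```powershell
# Added example: classify a file as 'original', 'patched' or neither at the
# offsets listed in FC /B output. Read-only; nothing is written to the file.
function Get-ByteDiffList {
    param([string[]]$DiffLines)
    foreach ($line in $DiffLines) {
        # FC /B prints lines like "00022A17: 74 75"; header and blank lines do not match
        if ($line -match '^\s*([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})') {
            [pscustomobject]@{
                Offset = [Convert]::ToInt32($Matches[1], 16)
                Old    = [Convert]::ToByte($Matches[2], 16)
                New    = [Convert]::ToByte($Matches[3], 16)
            }
        }
    }
}

function Test-PatchedBytes {
    param([string]$Path, [string[]]$DiffLines)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $orig = 0; $patched = 0; $other = 0
    foreach ($d in Get-ByteDiffList -DiffLines $DiffLines) {
        # An offset beyond the end of the file means the list is for another build
        if ($d.Offset -ge $bytes.Length) { $other++; continue }
        $b = $bytes[$d.Offset]
        if ($b -eq $d.Old) { $orig++ }
        elseif ($b -eq $d.New) { $patched++ }
        else { $other++ }
    }
    if ($other -gt 0) { $state = 'unknown build' }
    elseif ($patched -gt 0 -and $orig -eq 0) { $state = 'patched' }
    elseif ($orig -gt 0 -and $patched -eq 0) { $state = 'original' }
    else { $state = 'partially patched' }
    [pscustomobject]@{ Path = $Path; State = $state
                       Original = $orig; Patched = $patched; Other = $other }
}

# The three differences the article lists for termsrv.dll 5.1.2600.5512 (Windows XP SP3)
$xpSp3Diff = @('00022A17: 74 75', '00022A69: 7F 90', '00022A6A: 16 90')
Test-PatchedBytes -Path "$env:SystemRoot\System32\termsrv.dll" -DiffLines $xpSp3Diff
```

A saved FC /B report can be passed directly with `-DiffLines (Get-Content .\differences.txt)`; remember that the offsets are build-specific, so 'unknown build' on another version of the DLL is the expected result.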

If the Windows XP computer is joined to a domain on the local network, Windows will reset the AllowMultipleTSSessions registry value to 0 every time the computer restarts. To allow multiple or unlimited remote desktop sessions in an AD domain environment, the data value of AllowMultipleTSSessions must be set to 1 at every system start. To change the value, just run ts_multiple_sessions.bat each time you start the computer. Alternatively, put ts_multiple_sessions.bat in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder so that it runs automatically for the first user with administrator rights who logs on. Another solution is to install an additional service, or to define a value in the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run through which the batch file runs automatically; this is useful if nobody logs on to the computer but it still needs to allow unlimited remote desktop connections.

Another thing: if a user closes the remote connection instead of logging off, an error message with a TCP/IP event appears when he or she tries to log in again. To solve this, download and install the Windows XP TCP/IP connection limit and Event ID 4226 patch, and set the connection limit to at least 50.



Fixing the shortcomings of RDP using RDP Wrapper Library

Microsoft's desktop operating systems have some limitations related to remote desktop. First, the server part (the RDP host) is supported only in the higher editions of Windows (Professional and above). In the Home editions this functionality is disabled, so it is impossible to connect to the lower Windows editions via RDP.

Second, the number of parallel RDP sessions is limited. Only one simultaneous RDP connection is allowed, and when you try to open a second RDP session, the system reports that another user is already logged on and offers to disconnect them.

The RDP Wrapper Library project by Stas'M allows these restrictions to be bypassed. RDP Wrapper works as a layer between the Service Control Manager (SCM) and Remote Desktop Services. Unlike other solutions of this kind, it does not modify the termsrv.dll file (the library used by the Remote Desktop Services service), so there is no need to fear Windows updates.

Windows 8/8.1, like previous versions of Microsoft's client OS, supports only one simultaneous incoming RDP connection. This means that only one user (one session), local or remote, can be connected to Windows 8 through a remote desktop at a time. In most cases this is enough, but sometimes you would like several users to be able to work simultaneously, each in their own session. A good example is a computer used as a media center: video is playing in the console session, and at the same time you need to work with the system remotely without interrupting the video on the TV.

Tip. Remote RDP access does not work in the Home editions of Windows; you need the Pro or Enterprise edition.

When you try to open a second RDP session to a computer running Windows 8, a message appears saying that another user is already logged on to the system and that their session can be ended.

Tip. Beforehand, in the computer properties on the Remote tab, you need to add the accounts of the required users to the local Remote Desktop Users group. Local administrators have remote RDP access by default. After RDP access is enabled in the system properties, Windows Firewall automatically enables the rules allowing incoming traffic on port 3389. Sometimes the presence of this rule should be checked manually.

For comparison, the server versions of Windows support two simultaneous administrative connections with separate sessions (for an RDS terminal server built on Windows Server, this number can be even greater).

However, on the Internet you can find a special patch that allows you to bypass this limitation. Thanks to this patch, several users can connect simultaneously via RDP to a computer running Windows 8 / Windows 8.1.

Important. Using this patch is essentially a violation of the license agreement and the terms of use of Microsoft products. Therefore, you perform all the operations described below at your own risk.

So, the patch involves replacing the original system file %SystemRoot%\System32\termsrv.dll (the library used by the Remote Desktop Services service).

  • Windows 8 - termsrv.dll-win8.zip
  • Windows 8.1 - termsrv.dll-win8.1.zip

Before replacing the system library, create a backup of the termsrv.dll file with the command:

copy C:\Windows\System32\termsrv.dll termsrv.dll_old

Now, if something goes wrong, you can always return to the initial configuration by replacing the current file with the original termsrv.dll_old.

Download the library archive for your version of Windows.

In Windows 8, you first need to change the following values in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\:

  • fDenyTSConnections (DWORD) - 0 (this value enables RDP connections to the computer)
  • fSingleSessionPerUser (DWORD) - 0

The same operation can be performed from the command line:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

Then go to the folder C:\Windows\System32, find the file termsrv.dll and open its properties.

By default, the owner of this file is TrustedInstaller, and even an administrator has no right to replace it.

Go to the Security tab and click Edit. In the access list, find the local Administrators group, grant it full rights to the file (Full Control) and save the changes.

Next, before replacing the library file, open the services management console (services.msc) and stop the Remote Desktop Services service.

Copy the termsrv.dll file from the archive downloaded for your version of Windows to the folder %SystemRoot%\System32\ (replacing the existing file).

Note. The archive for Windows 8.1 contains two files, 32_termsrv.dll and 64_termsrv.dll, for the 32- and 64-bit versions of Windows 8.1 respectively. Unpack the archive and rename the file for your version of the system to termsrv.dll.

After replacing the file, start the Remote Desktop Services service and try to open two RDP sessions to the patched machine under different accounts. If everything was done correctly, two independent remote desktop sessions should open.

Tip. It may be necessary to restart the computer.

Important! Using the patched version of termsrv.dll has a number of shortcomings, the main one being that the file may be replaced when the next Windows 8.1/8 update is installed. Accordingly, you will then have to patch the new file with a hex editor, or search the Internet for a ready-made modified file for your Windows build.

As a solution that survives replacement of termsrv.dll by Windows Update, use the open-source RDP Wrapper Library (available on GitHub), which does not modify termsrv.dll but acts as a layer between the Terminal Services service and the SCM. You can read more about using RDP Wrapper Library.
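For an administrator who needs to know whether a machine is in one of the states this article describes, here is an added PowerShell audit (not part of the article or of the RDP Wrapper project). It reports the Terminal Server registry values from the Windows 8 section, the version, hash, signature status, owner and Administrators ACL of termsrv.dll, and the TermService ServiceDll value; that a wrapper such as RDP Wrapper registers its own DLL there instead of termsrv.dll is assumed from how the wrapper installs and is not stated in the article.

```powershell
# Added example: read-only audit of the RDP host configuration discussed above.
# Run in an elevated PowerShell for complete results; nothing is changed.
function Get-RdpHostAudit {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $dll   = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $ts    = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $sig   = Get-AuthenticodeSignature -FilePath $dll
    $acl   = Get-Acl -Path $dll
    # Stock Windows gives Administrators no write access to this file; the patch
    # procedure above grants Full Control, so such an entry is a useful indicator
    $adminWrite = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Administrators' -and
        $_.FileSystemRights.ToString() -match 'FullControl|Write'
    }
    # The DLL the SCM loads for TermService; assumption: a wrapper points this
    # value at its own library instead of the stock termsrv.dll
    $svcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $svcDll = (Get-ItemProperty -Path $svcParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    [pscustomobject]@{
        fDenyTSConnections    = $ts.fDenyTSConnections     # 0 = RDP enabled
        fSingleSessionPerUser = $ts.fSingleSessionPerUser  # 0 = the setting the patch needs
        TermsrvVersion        = (Get-Item $dll).VersionInfo.FileVersion
        TermsrvSha256         = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        SignatureStatus       = $sig.Status                # Valid for an untouched OS binary
        Owner                 = $acl.Owner                 # expected: NT SERVICE\TrustedInstaller
        AdminsHaveWrite       = [bool]$adminWrite
        ServiceDll            = $svcDll                    # expected: %SystemRoot%\System32\termsrv.dll
        WrappedService        = [bool]($svcDll -and $svcDll -notmatch 'termsrv\.dll$')
    }
}

Get-RdpHostAudit | Format-List
```

On older Windows versions, catalog-signed system files can show SignatureStatus NotSigned even when untouched, so confirm a suspect file with `sfc /verifyfile=C:\Windows\System32\termsrv.dll` and compare TermsrvSha256 against a known-good machine of the same build.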