Terminal Services Patch [Windows XP / Server 2k3]

[NewEraCracker]

Code: 

Terminal server No Restriction Patch 1.3 - Prefix #1
========================================

Just a compiled the script as normal - so it doesn't crash on non WinXP SP2 2180 Systems
- Antivirus poggie may detect  "TS_Free.exe" as suspicious...



Purpose:
	Remove all limitation of the Windows Remotedesktop/Terminalserver service 
	because of some 'restrictive' windows version like XP Home/XP Professional, 
	Small Business... or limits expose by licensing logic.

Usage:
	Backup C:\windows\system32, termsrv.dll,	winlogon.exe,	mstscax.dll.
	Start TS-Free-1.1.exe.
	Check patcher output for error. Reboot.

Changes:
	Files:
		termsrv.dll
		winlogon.exe
		mstscax.dll

	Registry:
		[HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server]
			"fDenyTSConnections"=0
			"TSAdvertise"=1
			"IdleWinStationPoolCount"=1
			"TSAppCompat"=0
			"TSEnabled"=1
			"TSUserEnabled"=0
		Licensing Core\
			"EnableConcurrentSessions"=0
		WinStations\RDP-Tcp\
			"fEnableWinStation"=1
			"MaxInstanceCount"=dword:ffffffff
		
		[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
		"AllowMultipleTSSessions"=1

Debugging:
	If patch is not working compare if the modified version of the 3 files is
	still in by comparing them with examdiff, Totalcommander or by windows onboard
	Filecompare ("FC.exe /?")
	

	The patch is only for 32-bit Windows. There currently no version for X64. Also
	It doesn't work on windows vista (critical bytepattern changed so patcher
	fails).
	I someone really needs a 64-bit version and can give me a remote desktop connection
	to the system contact me ;)





How it works:
	TS-Free-1.1.exe is an rar-sfx archive which will extract all files
	C:\windows\system32 and run TS_free.bat 
	TS_free.bat launches WPA-kill.exe that will remove the self checks from
	winlogon.exe to make it patchable (and as also disable the product
	activation check).
	Ts_free.exe is the main patch that will modify 
		termsrv.dll
		winlogon.exe
		mstscax.dll
	by a pattern search.
	Note: patching of mstscax.dll is no really important. It just allows you
	on XP Pro to connection with mstsc.exe to yourself (127.0.0.1)
	

Limitations/Known Bug:
	On WinXP I discovered to following bug in previous version(1.1) of this patch: 
	After termsrv.dll was patched following steps brings up a 'can't connect': 
	
	Login locally as user1 , switch user - WinKey+L (or taskmgr/user/rightclick) 
	Login locally as user2 , switch user - WinKey+L (or taskmgr/user/rightclick) 
	Login/reconnect locally as user2 => Error! 
	 
	Without patched termsrv.dll it works. 

	To solve this (at least on WinXP) a added to choice to apply/skip these so called
	'additional patches'. On WinXP they somehow cause the problem.
	They are related to the the 'Windows Version Info' constants VER_SUITE_TERMINAL and 
	VER_SUITE_SINGLEUSERTS.	On server system I think 'additional patches' really
	necessary because VER_SUITE_SINGLEUSERTS is not set. VER_SUITE_SINGLEUSERTS need to
	be set so terminalserver will branch in the 'patched' branch of the simple
	(termsrv.dll!CFullDesktopPolicy::UseLicense) license check.
	
	
	So far I've only test it on WinXP SP2.


How the patch works - how did I create it.
	
	Preparation:
		get the source of this patch it contains some more info's
		get debugsymboles for winlogon & termsrv
		http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx
		to add many useful label and comments to disassembling.
		Get Antiwpa2 patch enable decrypt in options and open winlogon.exe
		also press the apply button to remove self checks. 
	
	
	open termsrv.dll/winlogon.exe in ollydebug and look for references
	(ctrl+n) to
	Kernel32!GetVersionExW (ntdll.RtlGetVersion)
	VerSetConditionMask
	KERNEL32.VerifyVersionInfoW
	to get near to the version restricting function - now your on your own...
	
	In termsrv.dll	look for symbols like
	_fDenyTSConnectionsPolicy
	LicenseModeInit
	LCQueryAllowConcurrentConnections...
	
	
	For live debug open process with commandline <WINXP>system32\svchost -k DcomLaunch
	(Check commandline column in sysinternals process explorer to see it)

	
	So what about the dot's
	If it needs to seek to the beginning of some 
	certain function you to find some unique byte pattern (like a constant
	or a sequence of command/byte)  inside that function and then
	move to the beginning and write the patch data there. Seeking with a byte
	directly to the beginning is not so safe because all functions start
	with the same commands.	So if it seeks backward or forward to the beginning
	I output dots as control. Normally this should be 1 or 2 lines - if there are
	more it's probably didn't found the correct beginning (or beginning is already
	patched) the patch is applied at some wrong location and result is corrupt
	file.

AntiVirus alerts
	Some AntiVirus detect 'WPA_Kill.exe' as HackTool, Trojan or
	unwanted program. Well I don't know why the AV-Maker flag 
	'WPA_Kill.exe' this way, but it's definitly no virus or trojan.
	Probably they don't like the fact that it modified some byte in
	winlogon.exe or possibly violates M$-Eula or what ever. I don't know/care about.
	
	Lately I want to install 'TS-Free-1.2.exe' on a friend's PC and found it
	very annoy that the installed AVG-Virusscanner blocked access to 'WPA_Kill.exe'.
	Also there was no easy to find an userinterface to disable this AV
	and because	there was only little time I saw the quickest way in uninstalling 
	that AVG crap via controlpanel software.
	(Later I saw that this was good because AVG seems to have the weakest detection engine
	(refers only to 'Wpa_Kill.exe') so probably it won't be better for real malware.)
	
	I personly don't use any of this AntiVirus or Internet Security Babysitter software.
	Windows is slow & anony enough so I don't need any addition annoying software panic brake.
	(Just be caution when downloading keygen, cracks with emule or from so ads popluted
	Crack-Site. Don't trust AV Prg but trust ya feeling. Well to get this watch all kinds 
	of files with an Accii viewer to 'feel' weather this is normal(uncompressed) code or
	suspicious(compress/encrypted) code. Well that's how I started.)
	
	Anyway most ppl just use AV-Scanners and as I see that this can be annoying
	(or even wreak the system if the main patch is applied without to 'WPA_Kill'-prepatch and so winlogon.exe will crash...)
	So I decided to do that update and change some pattern that AV uses for their recognition.
	
	This is base on some list I found in a forum:
	
"AntiVir"					->	Trojan/Agent.JH.7		Detection: Scans sfx-rar-archive comment (+Importtable)
"ArcaVir"					->		<none>
"Avast"						->	Win32:Agent-AKC		Detection: Scans for "crackware2k@freenet.de...{ForegroundColor:&H00808081&}..."(size:0x20)
"AVG Antivirus"			->	Generic.DQD				Detection: Creates CRC for exe
"BitDefender"				->	Trojan.Agent.JH
"ClamAV"						->		<none>
"Dr.Web"						->	Tool.Wpakill			Current version does not detect it.
"F-Prot Antivirus"		->		<none>
"Fortinet"					->	W32/Agent.JH!tr
"Kaspersky Anti-Virus"	->	Trojan.Win32.Agent.jh	Detection: Creates CRC of first 0xA70 Bytes of CodeSection
"NOD32"						->	Win32/Agent.JH			Current version does not detect it.
"Norman Virus Control"	->		<none>
"UNA"							->		<none>
"VirusBuster"				->		<none>
"VBA32"						->	Trojan.Win32.Agent.jh


History:
1.3  BugFix mstscax.dll was incorrectly patched on WinXP SP3

1.21 Changes to avoid some false virus alerts of AntiVir,Avast,AVG,Kaspersky

1.2 choice to apply/skip additional patches

1.2 Pre Version
	 Info.txt added
 
1.1 Byte patterns updated for Longhorn

1.0 Initial Version

<CW2K>

Download:

Code: 

http://www.multiupload.com/BJOT8ADEXE

Code: 

I made an improvement to the Terminal Services Patch v1.3 and I'am naming it v1.4

There are 3 improvements:
1) The patch no longer has to be executed from %systemRoot%\system32
2) The patch no longer triggers the Windows File Protection (WFP) warning.
3) A new key (AllowRemoteRPC) is added to the Registry, see the URL below:
   http://www.pcreview.co.uk/forums/thread-2395421.php

How the patch works:
First 3 files (winlogon.exe, termsrv.dll, mstscax.dll) are copied into the current directory and patched there.
The WPA_Kill.exe is modified to patch winlogon.exe in the current directory, because in v1.3 the WPA_Kill.exe was hardcoded to %systemRoot%\system32 (very, very inflexible :/ )

Finally, a 3rd party 4KB utility (WFPdeprotect.exe) is used to avoid triggering the WFP when the 3 patched files are copied from the current directory to %systemRoot%\system32


Enjoy,
Slick Willy

Download:

Code: 

http://megaupper.com/files/00DLGCRJ/TerminalServicesPatch_v1.4.rar

I used 1.4 Version of patch and it works flawless
Enjoy webmasters

NewEraCracker Reviewed by NewEraCracker on 4th Aug 2010. Terminal Services Patch [Windows XP / Server 2k3] Terminal server No Restriction Patch 1.3 - Prefix #1 ======================================== Just a compiled the script as normal - so it doesn't crash on non WinXP SP2 2180 Systems - Antivirus poggie may detect "TS_Free.exe" as suspicious... Purpose: Remove all limitation of the Windows Remotedesktop/Terminalserver service Rating: 5