Fix for 10.0.17134.706 and 10.0.17134.437 #741

Closed
skakyn34 opened this issue Apr 12, 2019 · 28 comments

@skakyn34

For 10.0.17134.437 you need:

  1. Run Notepad as an administrator > open ini file C:\Program Files\RDP Wrapper\rdpwrap.ini
    and paste text:

[10.0.17763.437-SLInit]
bInitialized.x86 =CD798
bServerSku.x86 =CD79C
lMaxUserSessions.x86 =CD7A0
bAppServerAllowed.x86 =CD7A8
bRemoteConnAllowed.x86=CD7AC
bMultimonAllowed.x86 =CD7B0
ulMaxDebugSessions.x86=CD7B4
bFUSEnabled.x86 =CD7B8
bInitialized.x64 =ECAB0
bServerSku.x64 =ECAB4
lMaxUserSessions.x64 =ECAB8
bAppServerAllowed.x64 =ECAC0
bRemoteConnAllowed.x64=ECAC4
bMultimonAllowed.x64 =ECAC8
ulMaxDebugSessions.x64=ECACC
bFUSEnabled.x64 =ECAD0

[10.0.17763.437]
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=77A41
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x64=1
SingleUserOffset.x64=3E520
SingleUserCode.x64=Zero
DefPolicyPatch.x64=1
DefPolicyOffset.x64=18025
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
SLInitHook.x64=1
SLInitOffset.x64=1ACDC
SLInitFunc.x64=New_CSLQuery_Initialize

There must be an empty line at the end!
  2. Uninstall update kb4493509.
    Open CMD and run the command:
    wusa /uninstall /kb:4493509
    and reboot.
  3. To disable updates I use this utility:
    https://www.sordum.org/9470/windows-update-blocker-v1-1/
    If your system is automatically updated you will lose access again.

For 10.0.17134.706 you need:

  1. Run Notepad as an administrator > open ini file C:\Program Files\RDP Wrapper\rdpwrap.ini
    and paste text:

[10.0.17134.706-SLInit]
bServerSku.x64 =F1378
lMaxUserSessions.x64 =F137C
bAppServerAllowed.x64 =F1380
bInitialized.x64 =F2430
bRemoteConnAllowed.x64=F2434
bMultimonAllowed.x64 =F2438
ulMaxDebugSessions.x64=F243C
bFUSEnabled.x64 =F2440

[10.0.17134.706]
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=92521
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x64=1
SingleUserOffset.x64=1511C
SingleUserCode.x64=Zero
DefPolicyPatch.x64=1
DefPolicyOffset.x64=10E78
DefPolicyCode.x64=CDefPolicy_Query_edi_rcx
SLInitHook.x64=1
SLInitOffset.x64=22F5C
SLInitFunc.x64=New_CSLQuery_Initialize

There must be an empty line at the end!
  2. Uninstall update kb4493464.
    Open CMD and run the command:
    wusa /uninstall /kb:4493464
    and reboot.
  3. To disable updates I use this utility:
    https://www.sordum.org/9470/windows-update-blocker-v1-1/
    If your system is automatically updated you will lose access again.

Many thanks to the developers for your work!

@skakyn34 skakyn34 reopened this Apr 12, 2019
@jaggeri

jaggeri commented Apr 12, 2019

Thanks!!

Tested - fully functional for Windows 10 Version 1803 (OS Build 17134.706) with termsrv.dll 10.0.17134.706 after a reboot.

But I did not have to uninstall KB449344 yet to get it working. Will continue testing this aspect in case of a delayed trojan.

I have disabled Windows Update in Computer Management Services, to avoid more sneaky gollum updates.

From now on only manual Win 10 updates on a test system first!!

@RoosterIllusion

First time using the guide, but I got a different value for SingleUserOffset. That one was the most changed from the guide, so I took a guess.

This works for me without messing with windows updates. I don't see anything negative in the event logs.

[10.0.17763.437]
; Patch CEnforcementCore::GetInstanceOfTSLicense
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=77A41
LocalOnlyCode.x64=jmpshort
; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
SingleUserPatch.x64=1
SingleUserOffset.x64=133B7
SingleUserCode.x64=Zero
; Patch CDefPolicy::Query
DefPolicyPatch.x64=1
DefPolicyOffset.x64=18025
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
; Hook CSLQuery::Initialize
SLInitHook.x64=1
SLInitOffset.x64=1ACDC
SLInitFunc.x64=New_CSLQuery_Initialize

@gpt-gmbh

YOU ARE THE BEST!!!! THX A LOT

@dutchman1971

dutchman1971 commented Apr 12, 2019

With the new ini updates available, is it still necessary to uninstall kb4493509 and keep it from installing?

@ZeljkoManjkas

Do you have parameters for x86?

@jiayaoO3O

When my system is 10.0.17763.292, I can use the Single session per user function, but when my system is 10.0.17763.437 and I use your settings, I can't use the Single session per user function, so are some locations still not set correctly? Here is my 10.0.17763.292 setup information:
[10.0.17763.292]
; Patch CEnforcementCore::GetInstanceOfTSLicense
LocalOnlyPatch.x86=1
LocalOnlyOffset.x86=AFAD4
LocalOnlyCode.x86=jmpshort
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=77A11
LocalOnlyCode.x64=jmpshort
; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
SingleUserPatch.x86=1
SingleUserOffset.x86=4D665
SingleUserCode.x86=nop
SingleUserPatch.x64=1
SingleUserOffset.x64=1322C
SingleUserCode.x64=Zero
; Patch CDefPolicy::Query
DefPolicyPatch.x86=1
DefPolicyOffset.x86=4BE69
DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
DefPolicyPatch.x64=1
DefPolicyOffset.x64=17F45
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
; Hook CSLQuery::Initialize
SLInitHook.x86=1
SLInitOffset.x86=5B18A
SLInitFunc.x86=New_CSLQuery_Initialize
SLInitHook.x64=1
SLInitOffset.x64=1ABFC
SLInitFunc.x64=New_CSLQuery_Initialize
;.---------------------------
[10.0.17763.292-SLInit]
bInitialized.x86 =CD798
bServerSku.x86 =CD79C
lMaxUserSessions.x86 =CD7A0
bAppServerAllowed.x86 =CD7A8
bRemoteConnAllowed.x86=CD7AC
bMultimonAllowed.x86 =CD7B0
ulMaxDebugSessions.x86=CD7B4
bFUSEnabled.x86 =CD7B8

bInitialized.x64 =ECAB0
bServerSku.x64 =ECAB4
lMaxUserSessions.x64 =ECAB8
bAppServerAllowed.x64 =ECAC0
bRemoteConnAllowed.x64=ECAC4
bMultimonAllowed.x64 =ECAC8
ulMaxDebugSessions.x64=ECACC
bFUSEnabled.x64 =ECAD0
;.---------------------------

@jiayaoO3O

What the hell? I suddenly found the Single session per user feature available again, thanks :)

@dsvolkov

Just changing ini file solves the issue for me (without uninstalling patch). For 10.0.17134.706

@Kbotz

Kbotz commented Apr 12, 2019

dsvolkov: "Just changing ini file solves the issue for me (without uninstalling patch). For 10.0.17134.706"

Same here. No cumulative patch uninstall needed for 10.0.17134.706 on my W10 Home x64 laptop.

@joebeem

joebeem commented Apr 13, 2019

Thanks. This worked for me without needing to uninstall updates on 10.0.17134.437

@sailendra00

Please help me, I can't solve this problem.

@culturevo

Thanks for helping with my remote desktop problem. By the way, when a remote connection is terminated, automatic logoff is done. What should I do?

@kkingstoun

Hi, It works for me:
[10.0.17134.706]
LocalOnlyPatch.x86=1
LocalOnlyOffset.x86=ADAB8
LocalOnlyCode.x86=jmpshort
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=92521
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x86=1
SingleUserOffset.x86=36B1C
SingleUserCode.x86=nop
SingleUserPatch.x64=1
SingleUserOffset.x64=1511C
SingleUserCode.x64=Zero
DefPolicyPatch.x86=1
DefPolicyOffset.x86=33579
DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
DefPolicyPatch.x64=1
DefPolicyOffset.x64=10E78
DefPolicyCode.x64=CDefPolicy_Query_edi_rcx
SLInitHook.x86=1
SLInitOffset.x86=475DD
SLInitFunc.x86=New_CSLQuery_Initialize
SLInitHook.x64=1
SLInitOffset.x64=22F5C
SLInitFunc.x64=New_CSLQuery_Initialize

[10.0.17134.706-SLInit]
bServerSku.x64 =F1378
lMaxUserSessions.x64 =F137C
bAppServerAllowed.x64 =F1380
bInitialized.x64 =F2430
bRemoteConnAllowed.x64=F2434
bMultimonAllowed.x64 =F2438
ulMaxDebugSessions.x64=F243C
bFUSEnabled.x64 =F2440

@maxysadm

Hi folks! I have done it but it won't work..
Still shows Listener State Not Listening
Any help for a noob? :(

@Kbotz

Kbotz commented Apr 19, 2019

> Hi folks! I have done it but it won't work..
> Still shows Listener State Not Listening
> Any help for a noob? :(

Note that the code skakyn posted 8 days ago was for 10.0.17134.706 for x64 systems. Is yours an x64 setup? If not, check what kkingstoun posted 5 days ago in this same thread and try that instead.

If that isn't the issue preliminarily, and having no background history specific to your setup or personal experience, I would suggest you uninstall RDP Wrapper and start anew with a clean working baseline, then move forward from there. If you've hardened your system in any way to improve security via gpedit or directly in the registry, revert those changes back to their basic, default settings. Also temporarily turn off your firewall. Then after RDP Wrapper is uninstalled, make sure you can connect with a basic RDP handshake on default port 3389. Once that is established, redeploy RDP Wrapper -- again advisably on the default RDP port to keep things as simple as possible initially.

When (re)installing the utility, make sure you're running install.bat with administrative privileges (some choose to run RDPWinst first but I'm not sure if this is actually necessary). Then go ahead and append the new code to the ini config file, again as administrator, and ensure this ini file is placed in the proper Program Files directory. Also be sure you are copying the correct code for termsrv.dll 17134.706 - and not 17763.437 - and that you are leaving an empty line at the end of the text. Next run RDPCheck to confirm the handshake process is working correctly, then RDPConf to validate this further while choosing your preferred interface options. You may want to try different authentication (security) modes in the configuration interface to see if that might help. If necessary, reboot your system.

Only after this is done and everything is working soundly (RDP Configuration interface reflects all green) would I turn on your firewall, custom configure your RDP port and harden connection security as desired.
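
The checks in the comment above (a section for the right termsrv.dll version, keys for the right architecture, an empty line at the end of the file) can be run mechanically before restarting the service. The following Python is an added example, not part of the thread or of RDP Wrapper; the function name `lint_rdpwrap_ini`, the reading of "empty line at the end" as a final newline, and the abbreviated sample are assumptions.

```python
import configparser
import re

# Per-architecture keys used by the sections posted in this thread.
PATCH_KEYS = ("LocalOnlyOffset", "SingleUserOffset", "DefPolicyOffset", "SLInitOffset")
SLINIT_KEYS = ("bInitialized", "bServerSku", "lMaxUserSessions", "bAppServerAllowed",
               "bRemoteConnAllowed", "bMultimonAllowed", "ulMaxDebugSessions", "bFUSEnabled")
HEX = re.compile(r"[0-9A-Fa-f]+")

def lint_rdpwrap_ini(text, version, arch):
    """List problems for termsrv.dll `version` on `arch` ("x64" or "x86")."""
    problems = []
    # Assumption: "empty line at the end" means the file ends with a newline.
    if not text.endswith("\n"):
        problems.append("no empty line at end of file")
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    for section, keys in ((version, PATCH_KEYS), (version + "-SLInit", SLINIT_KEYS)):
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            value = cp[section].get(f"{key}.{arch}")
            if value is None:
                problems.append(f"[{section}] missing {key}.{arch}")
            elif not HEX.fullmatch(value):
                problems.append(f"[{section}] {key}.{arch} is not hex: {value!r}")
    return problems

# Constructed sample: x64-only offsets from the 10.0.17134.706 posts, no final newline.
SAMPLE = """[10.0.17134.706-SLInit]
bServerSku.x64 =F1378
lMaxUserSessions.x64 =F137C
bAppServerAllowed.x64 =F1380
bInitialized.x64 =F2430
bRemoteConnAllowed.x64=F2434
bMultimonAllowed.x64 =F2438
ulMaxDebugSessions.x64=F243C
bFUSEnabled.x64 =F2440

[10.0.17134.706]
LocalOnlyOffset.x64=92521
SingleUserOffset.x64=1511C
DefPolicyOffset.x64=10E78
SLInitOffset.x64=22F5C"""

if __name__ == "__main__":
    print(lint_rdpwrap_ini(SAMPLE, "10.0.17134.706", "x86"))
```

An empty result means the file carries both sections for that version and architecture; it says nothing about whether the offsets themselves are right for the DLL.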

@Kbotz

Kbotz commented Apr 19, 2019

@maxysadm PS

You may also want to check the following link: https://github.com/fre4kyC0de/rdpwrap

There you can find the appropriate version code to add to your ini file. Remember to reboot your system afterwards and make sure to leave a space at the end of your ini file (important!).

@msap12

msap12 commented Apr 24, 2019

Help making the wrapper work on ver 10.0.17134.437-SLInit would be appreciated

@Kbotz

Kbotz commented Apr 24, 2019

@Aradzh

Aradzh commented Apr 26, 2019

Solution of skakyn34 in the beginning of thread is working for me for 10.0.17763.437 without uninstalling. Very important point is (Without empty line in the end of ini file it is not working :))

> There must be an empty line at the end!

@po016255

po016255 commented Apr 26, 2019

> First time using the guide, but I got a different value for SingleUserOffset. That one was the most changed from the guide, so I took a guess.
> This works for me without messing with windows updates. I don't see anything negative in the event logs.
> [10.0.17763.437]
> ; Patch CEnforcementCore::GetInstanceOfTSLicense
> LocalOnlyPatch.x64=1
> LocalOnlyOffset.x64=77A41
> LocalOnlyCode.x64=jmpshort
> ; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
> SingleUserPatch.x64=1
> SingleUserOffset.x64=133B7
> SingleUserCode.x64=Zero
> ; Patch CDefPolicy::Query
> DefPolicyPatch.x64=1
> DefPolicyOffset.x64=18025
> DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
> ; Hook CSLQuery::Initialize
> SLInitHook.x64=1
> SLInitOffset.x64=1ACDC
> SLInitFunc.x64=New_CSLQuery_Initialize

This doesn't work

That is just not true. I am using it just fine. I only use it with one session per user and that works perfectly fine. If people want to say something is wrong, pull out a hex editor and suggest what the offset should be. I can say for sure that the offsets people got from the first post suggesting offsets aren't even targeting the methods the guide tells you to target, so it is either a different way of doing it, or not correct at all. He never offered an explanation for the offsets. Anyone can use the guide and look at the DLL in IDA to see what these offsets are and intelligently say they are wrong if they are wrong, no need to just speculate. I admit the guide wasn't clear for the SingleUserOffset.x64 offset because it had no examples, that could be wrong. But if you think it is wrong, say what is right based on looking in the dll, not just blindly claiming some other offset is the solution that other people are saying doesn't work either. Many people are just having issues loading the updated ini, so it is hard to take a random person's word for it when they say it doesn't work.

The surefire way I found to update the ini is to replace the existing one and just reboot. It will either work or the terminal service will fail to start if something is wrong, but you know it is actually using the new ini and you aren't having some other kind of issue.

@kildareway

> When my system is 10.0.17763.292, I can use the Single session per user function, but when my system is 10.0.17763.437 and I use your settings, I can't use the Single session per user function, so are some locations still not set correctly? Here is my 10.0.17763.292 setup information:
> [10.0.17763.292]
> ; Patch CEnforcementCore::GetInstanceOfTSLicense
> LocalOnlyPatch.x86=1
> LocalOnlyOffset.x86=AFAD4
> LocalOnlyCode.x86=jmpshort
> LocalOnlyPatch.x64=1
> LocalOnlyOffset.x64=77A11
> LocalOnlyCode.x64=jmpshort
> ; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
> SingleUserPatch.x86=1
> SingleUserOffset.x86=4D665
> SingleUserCode.x86=nop
> SingleUserPatch.x64=1
> SingleUserOffset.x64=1322C
> SingleUserCode.x64=Zero
> ; Patch CDefPolicy::Query
> DefPolicyPatch.x86=1
> DefPolicyOffset.x86=4BE69
> DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
> DefPolicyPatch.x64=1
> DefPolicyOffset.x64=17F45
> DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
> ; Hook CSLQuery::Initialize
> SLInitHook.x86=1
> SLInitOffset.x86=5B18A
> SLInitFunc.x86=New_CSLQuery_Initialize
> SLInitHook.x64=1
> SLInitOffset.x64=1ABFC
> SLInitFunc.x64=New_CSLQuery_Initialize
> ;.---------------------------
> [10.0.17763.292-SLInit]
> bInitialized.x86 =CD798
> bServerSku.x86 =CD79C
> lMaxUserSessions.x86 =CD7A0
> bAppServerAllowed.x86 =CD7A8
> bRemoteConnAllowed.x86=CD7AC
> bMultimonAllowed.x86 =CD7B0
> ulMaxDebugSessions.x86=CD7B4
> bFUSEnabled.x86 =CD7B8
>
> bInitialized.x64 =ECAB0
> bServerSku.x64 =ECAB4
> lMaxUserSessions.x64 =ECAB8
> bAppServerAllowed.x64 =ECAC0
> bRemoteConnAllowed.x64=ECAC4
> bMultimonAllowed.x64 =ECAC8
> ulMaxDebugSessions.x64=ECACC
> bFUSEnabled.x64 =ECAD0
> ;.---------------------------

Thank you so much! I finally got it working with your ini file changes.

@ithkfrog

> First time using the guide, but I got a different value for SingleUserOffset. That one was the most changed from the guide, so I took a guess.
>
> This works for me without messing with windows updates. I don't see anything negative in the event logs.
>
> [10.0.17763.437]
> ; Patch CEnforcementCore::GetInstanceOfTSLicense
> LocalOnlyPatch.x64=1
> LocalOnlyOffset.x64=77A41
> LocalOnlyCode.x64=jmpshort
> ; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
> SingleUserPatch.x64=1
> SingleUserOffset.x64=133B7
> SingleUserCode.x64=Zero
> ; Patch CDefPolicy::Query
> DefPolicyPatch.x64=1
> DefPolicyOffset.x64=18025
> DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
> ; Hook CSLQuery::Initialize
> SLInitHook.x64=1
> SLInitOffset.x64=1ACDC
> SLInitFunc.x64=New_CSLQuery_Initialize

This works for me and the issue of always signing in to a new session is also resolved! Thanks a lot!

@msap12

msap12 commented May 10, 2019

Does anyone have both the x86 and x64 ini file info for version *.437?

@ZeljkoManjkas

This ini works on 3 Windows 10 10.0.17763.437 x86 computers.
rdpwrap.zip

I don't have x64 computers with this version.

@houpuli

houpuli commented May 14, 2019

> Just changing ini file solves the issue for me (without uninstalling patch). For 10.0.17134.706

Same for me. Just changing the ini file already did the job. (Need to execute
net stop TermService
net start TermService
in cmd though.)

Thanks for the info!

@zhangyoufu

@RoosterIllusion

SingleUserOffset.x64=133B7 is incorrect for 10.0.17763.437; 133B7 is the second argument passed to RtlAcquireResourceShared.

13469 in CSessionArbitrationHelper::IsSingleSessionPerUserEnabled looks good to me.

@sebaxakerhtc

Duplicate of #720

@sebaxakerhtc sebaxakerhtc marked this as a duplicate of #720 Jan 4, 2022