Windows 11: Support For Termsrv.dll 10.0.26100.6713

by SLV Team

Hey everyone!

We have a user who's running into a bit of a snag with the latest version of termsrv.dll on Windows 11, specifically version 10.0.26100.6713. It looks like the RDP Wrapper isn't quite playing nice with this version, and the listener state is showing as "not supported". Let's dive into the details and see what we can do to help get this sorted.

The Issue at Hand

The user, sebaxakerhtc, has updated their termsrv.dll on Windows 11 and is encountering an issue where the RDP Wrapper isn't recognizing the new version. This is a common problem when Windows updates termsrv.dll, as it can change the internal structure and signatures that RDP Wrapper relies on. When this happens, the RDP Wrapper might not be able to properly enable concurrent RDP sessions, which is a key feature for many of us.

Key Details

  • File Version: 10.0.26100.6713 (WinBuild.160101.0800)
  • Product Version: 10.0.26100.6713
  • SHA256: CF889A631540BA324E7DF43F560A4852E67DA9D631B5942A4CA0F194EA1AD353
  • Listener State: Not Supported

The user has helpfully provided the SHA256 hash of the file, which is super useful for verifying that we're all looking at the same version. The "Listener State: Not Supported" message from RDPConf.exe is the main indicator that the current RDP Wrapper configuration doesn't have the correct offsets or signatures for this specific build of termsrv.dll.

Diving Deeper: The Technical Details

To get RDP Wrapper working with a new version of termsrv.dll, we need to identify the correct memory offsets and signatures within the DLL. These offsets and signatures are like the roadmap that RDP Wrapper uses to patch the DLL in memory, allowing multiple RDP sessions.

Hex Blocks and Markers

Sebaxakerhtc has already done some great preliminary work by extracting hex blocks and markers from C:\Windows\System32\termsrv.dll. This is a crucial step in the process, as these hex dumps give us a peek into the internal structure of the DLL. By analyzing these dumps, we can try to pinpoint the areas that RDP Wrapper needs to modify.

termsrv_dump_10.0.26100.6713.txt

The user has also shared a file named termsrv_dump_10.0.26100.6713.txt, which contains the SHA256 hash and dumps for both the TermService and Listener components. This file is a goldmine of information, as it provides the raw data needed to generate the signatures for the rdpwrap.ini file.

What's in the Dump File?

The dump file likely contains two main sections:

  1. DUMP for TermService: This section contains the hex dump of the TermService component within termsrv.dll. The TermService is responsible for managing remote desktop services.
  2. DUMP for Listener: This section contains the hex dump of the Listener component, which is responsible for listening for incoming RDP connections.

By comparing these dumps with those from known working versions of termsrv.dll, we can identify the critical offsets and signatures that need to be updated in rdpwrap.ini.

RDPConf.exe Screenshot

The screenshot provided by sebaxakerhtc clearly shows the "Listener state: [not supported]" message. This confirms that the RDP Wrapper isn't correctly patching the termsrv.dll for this specific version. The screenshot also provides a visual confirmation of the file version, which is helpful for double-checking that we're all on the same page.

Crafting a Solution: Creating a Working rdpwrap.ini Entry

So, how do we go about adding support for this new version of termsrv.dll? The key lies in creating a working entry in the rdpwrap.ini file. This file is the configuration file for RDP Wrapper, and it contains the offsets and signatures needed to patch termsrv.dll.

Understanding rdpwrap.ini

The rdpwrap.ini file is structured into sections, each representing a specific version of termsrv.dll. Each section contains several key parameters, including:

  • Offsets: These are locations within the DLL, given relative to where it is loaded in memory, that need to be modified.
  • Signatures: These are byte sequences that RDP Wrapper uses to locate the correct memory locations to patch.

To create a new entry, we need to identify these offsets and signatures for the 10.0.26100.6713 version of termsrv.dll.

Steps to Create a Working Entry

Here’s a step-by-step guide on how we can create a working rdpwrap.ini entry:

  1. Analyze the Dumps: We need to carefully analyze the hex dumps provided in termsrv_dump_10.0.26100.6713.txt. This involves looking for patterns and sequences of bytes that are likely to be the signatures RDP Wrapper needs.
  2. Compare with Known Versions: A crucial step is to compare these dumps with those from older, supported versions of termsrv.dll. This helps us identify the differences and pinpoint the offsets that have changed.
  3. Identify Key Offsets: Look for offsets related to the number of allowed RDP sessions and the licensing checks. These are the most common areas that RDP Wrapper needs to patch.
  4. Create Signatures: Based on the hex dumps, create signatures that RDP Wrapper can use to reliably locate the correct memory locations. Signatures are typically represented as a sequence of hexadecimal bytes, with wildcards (?) used for bytes that can vary.
  5. Update rdpwrap.ini: Add a new section to rdpwrap.ini for the 10.0.26100.6713 version, including the identified offsets and signatures.
  6. Test: After updating rdpwrap.ini, restart Remote Desktop Services (the TermService service) and test whether concurrent RDP sessions are working correctly.
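
Steps 2 and 4 above, sketched as an added example (not code from the original post or from RDP Wrapper): it compares the same routine from two builds, turns the bytes that differ into ? wildcards, and accepts the resulting signature only if it matches exactly once. The function names and every byte string are constructed for illustration; nothing here is taken from termsrv.dll or the dump file.

```python
# Added example. Every byte string here is constructed sample data,
# not bytes taken from termsrv.dll or from the dump file.

def parse_signature(text):
    """'AA BB ? 00' -> [0xAA, 0xBB, None, 0x00]; None marks a wildcard."""
    return [None if tok == "?" else int(tok, 16) for tok in text.split()]

def format_signature(sig):
    """Inverse of parse_signature."""
    return " ".join("?" if b is None else f"{b:02X}" for b in sig)

def derive_signature(old, new):
    """Keep bytes identical in both builds; wildcard the ones that differ."""
    if len(old) != len(new):
        raise ValueError("snippets must be the same length")
    return [a if a == b else None for a, b in zip(old, new)]

def find_all(buf, sig):
    """Return every offset in buf at which sig matches."""
    return [i for i in range(len(buf) - len(sig) + 1)
            if all(s is None or buf[i + j] == s for j, s in enumerate(sig))]

def locate_unique(buf, sig):
    """Accept a signature only if it matches exactly once in the image."""
    hits = find_all(buf, sig)
    if len(hits) != 1:
        raise LookupError(f"expected exactly 1 match, found {len(hits)}")
    return hits[0]

# Constructed stand-ins for the same routine in a supported and a new build.
OLD_SNIPPET = bytes.fromhex("AABB1000CCDD7FEE")
NEW_SNIPPET = bytes.fromhex("AABB2400CCDD7FEE")
# Constructed "image": 16 filler bytes, the routine, 8 zero bytes.
NEW_IMAGE = bytes(range(16)) + NEW_SNIPPET + bytes(8)

if __name__ == "__main__":
    sig = derive_signature(OLD_SNIPPET, NEW_SNIPPET)
    print("signature:", format_signature(sig))
    print("offset   : 0x%X" % locate_unique(NEW_IMAGE, sig))
    loose = parse_signature("00 ?")
    print("loose signature hits:", len(find_all(NEW_IMAGE, loose)))
```

A signature that matches more than once, like the two-byte one at the end, cannot identify a single location and needs more fixed bytes before it is usable.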

Guidance and Collaboration

Sebaxakerhtc has already made a fantastic start by providing the necessary dumps and information. Now, it’s a matter of collaborating and sharing our findings to create a working rdpwrap.ini entry.

If you're familiar with analyzing hex dumps and creating signatures, your input would be invaluable! Feel free to dive into the termsrv_dump_10.0.26100.6713.txt file and share any insights you have.

Example Snippet for rdpwrap.ini

Here’s an example of what a typical entry in rdpwrap.ini might look like:

[10.0.26100.6713]
offsets=...
signatures=...
MaxUserSessions=...
...

We need to populate the offsets and signatures with the correct values for this specific version.

Community Assistance and Next Steps

This is where the community comes in! Let's work together to analyze the provided information and create a working rdpwrap.ini entry for termsrv.dll version 10.0.26100.6713.

How You Can Help

  • Analyze the Dumps: If you have experience with hex editors or disassemblers, please take a look at the termsrv_dump_10.0.26100.6713.txt file and share your findings.
  • Compare with Older Versions: Compare the dumps with those from older, supported versions of termsrv.dll to identify the key differences.
  • Share Your Knowledge: If you've successfully created rdpwrap.ini entries in the past, your expertise would be greatly appreciated.
  • Test and Report: Once we have a potential solution, we need people to test it on their systems and report their results.

Immediate Actions

  1. Download and Examine the Dump File: Start by downloading termsrv_dump_10.0.26100.6713.txt and examining its contents.
  2. Share Your Initial Thoughts: Post your initial observations and insights in the comments below.
  3. Collaborate on Signatures: Let's work together to identify the correct signatures and offsets.

Conclusion

Adding support for new versions of termsrv.dll can be a bit of a challenge, but with a collaborative effort, we can definitely get this sorted. Sebaxakerhtc has provided a great starting point with the necessary information, and now it’s up to us to dive in and get our hands dirty.

Let's roll up our sleeves, analyze those dumps, and get those concurrent RDP sessions working on Windows 11! Your contributions and expertise are highly valued, so please share your thoughts, findings, and any potential solutions you might have.

Thanks for being a part of this community, and let's make this happen! If you've got any questions or need clarification on anything, don't hesitate to ask. Let’s crack this nut together!