Rdpwrap: Solution for version 10.0.17763.437

Created on 11 Apr 2019  ·  41 Comments  ·  Source: stascorp/rdpwrap

Hello, good morning friends, I put it to test in version 10.0.17763.437 and it works perfectly ... Here I leave the program with the patch activated, uninstall the current version and install the one that goes in the program and ready to enjoy.

I hope you help those who have not yet been able to solve the error.

Use the program already with the integrated patch, download it here RDP 1.6.2.zip

Download Termsrv Patch 10.0.17763.437

Thank you does not count anything if it worked.

All 41 comments

Thank you for the quick fix. I tested it on a few WIN10 VMs and it indeed works with termsrv.dll version 10.0.17763.379.

Thanks, it's cool!

thank you, it works great!! just restart the PC after applying patch.

Anti-virus won't let me open the RAR due to the issue with false positive on RDPConf.exe. Would someone please post just the INI file that includes the entries for 10.0.17763.437 x86 (32 bit).

How come I get all this crap from this download: ???
Acronis: suspicious
Alibaba: RemoteAdmin:Win32/RDPWrap.cab484ff
Avast: FileRepMalware
AVG: Win32:Malware-gen
Avira: HEUR/AGEN.1039416
ClamAV: Win.Malware.Winlock-6913733-0
CrowdStrike Falcon: win/malicious_confidence_80% (W)
Cybereason: malicious.869c85
Cylance: Unsafe
Endgame: malicious (moderate confidence)
F-Secure: Heuristic.HEUR/AGEN.1039416
FireEye: Generic.mg.b92886d757c740d5
K7AntiVirus: Trojan ( 0051918e1 )
K7GW: Trojan ( 0051918e1 )
Kaspersky: not-a-virus:RemoteAdmin.Win32.RDPWrap.h
McAfee: Artemis!B92886D757C7
McAfee-GW-Edition: BehavesLike.Win32.Generic.vc
Palo Alto Networks: generic.ml
Qihoo-360: Win32/Virus.RemoteAdmin.eb2
Rising: Trojan.Tiggre!8.ED98/N3#100% (RDM+:cmRtazoOYGc9tINFo3SaoIS2s1JH)
SentinelOne: DFI - Suspicious PE
Sophos AV: RDP Host Support (PUA)
Sophos ML: heuristic
Symantec: ML.Attribute.HighConfidence
Trapmine: malicious.high.ml.score
VBA32: Trojan.Nitol
ZoneAlarm: not-a-virus:RemoteAdmin.Win32.RDPWrap.h

Be careful with those files he uploaded. The uploader and most of the users who commented positive stuff all created their account in April 2019. Very suspicious.

Interesting ... I send the 'link' to VIRUSTOTAL ... (a RAR file) .. and it scans clean .... I download it and the RAR produces a few 'alerts' ... I extract it ... and I get shitload of alerts if I upload the extracted .EXE to VIRUSTOTAL ... something very strange going on here .... ????

Meanwhile ... if anyone has the 'ini parms' for 10.0.17763.437 (x86 & x64) offsets - please post them here in 'text' mode ... that's all I need !
Thanks in advance !

This worked for me (at least for x64) ...

[10.0.17763.437-SLInit]
bInitialized.x86 =CD798
bServerSku.x86 =CD79C
lMaxUserSessions.x86 =CD7A0
bAppServerAllowed.x86 =CD7A8
bRemoteConnAllowed.x86=CD7AC
bMultimonAllowed.x86 =CD7B0
ulMaxDebugSessions.x86=CD7B4
bFUSEnabled.x86 =CD7B8
bInitialized.x64 =ECAB0
bServerSku.x64 =ECAB4
lMaxUserSessions.x64 =ECAB8
bAppServerAllowed.x64 =ECAC0
bRemoteConnAllowed.x64=ECAC4
bMultimonAllowed.x64 =ECAC8
ulMaxDebugSessions.x64=ECACC
bFUSEnabled.x64 =ECAD0

[10.0.17763.437]
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=77A41
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x64=1
SingleUserOffset.x64=3E520
SingleUserCode.x64=Zero
DefPolicyPatch.x64=1
DefPolicyOffset.x64=18025
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
SLInitHook.x64=1
SLInitOffset.x64=1ACDC
SLInitFunc.x64=New_CSLQuery_Initialize

bInitialized.x64 =ECAB0
bServerSku.x64 =ECAB4
lMaxUserSessions.x64 =ECAB8
bAppServerAllowed.x64 =ECAC0
bRemoteConnAllowed.x64=ECAC4
bMultimonAllowed.x64 =ECAC8
ulMaxDebugSessions.x64=ECACC
bFUSEnabled.x64 =ECAD0

(make sure to leave a 'blank' line at the end of the ini)

or for the recent whole ini file (x32 untested) go here:

https://github.com/stascorp/rdpwrap/files/3062713/rdpwrap.zip

https://github.com/stascorp/rdpwrap/issues/720#issuecomment-481588640

@FZappatta The file link does not work. Can you also post your full .ini file? I think most of us have x64 anyways. Do I need the same termserv.dll as you use?

You notice that you do not know what you are doing, I invite you to upload the zip file that is downloaded from the original installer to virustotal and compare and both come out with the same amount of false positives, first report before forming a chaos just for not knowing what what does.

https://github.com/stascorp/rdpwrap/releases
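
An added example (not from the thread or the RDP Wrapper project): the comparison proposed in the comment above, done file by file with SHA-256 rather than by counting antivirus detections on the whole archive. The archive contents are constructed stand-ins, and `helper.exe` is a hypothetical file name; only `RDPConf.exe` and `rdpwrap.ini` are names taken from the thread.

```python
import hashlib
import io
import zipfile


def member_hashes(archive):
    """Map each file in a ZIP (path or file object) to its SHA-256 digest."""
    hashes = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Key on the lower-cased base name, since a repack often moves the
            # files into a new folder (assumes base names are unique).
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            hashes[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def compare_to_reference(reference, candidate):
    """Classify every file of `candidate` against the trusted `reference`."""
    ref, cand = member_hashes(reference), member_hashes(candidate)
    return {
        "identical": sorted(n for n in cand if ref.get(n) == cand[n]),
        "modified": sorted(n for n in cand if n in ref and ref[n] != cand[n]),
        "added": sorted(n for n in cand if n not in ref),
        "missing": sorted(n for n in ref if n not in cand),
    }


def make_zip(files):
    """Build an in-memory ZIP from {name: bytes}; used for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed stand-ins for the official release and a repacked download.
    official = make_zip({"RDPConf.exe": b"official build",
                         "rdpwrap.ini": b"[Main]\n"})
    repack = make_zip({"RDP/RDPConf.exe": b"rebuilt binary",
                       "RDP/rdpwrap.ini": b"[Main]\n[10.0.17763.437]\n",
                       "RDP/helper.exe": b"not in the release"})
    for verdict, names in compare_to_reference(official, repack).items():
        print(f"{verdict:9} {', '.join(names) or '-'}")
```

A repack that only adds offsets for a new build should show `rdpwrap.ini` as modified and every executable as identical; a modified or added executable is the part that needs explaining.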

Be careful with the files he uploaded. The uploader and most of the users who commented positive things created their accounts in April 2019. Very suspicious.

It shows that you are paranoid, so if you do not like the help you receive, look and do it manually

The antivirus won't let me open the RAR due to the false-positive issue with RDPConf.exe. Would someone please post just the INI file that includes the entries for 10.0.17763.437 x86 (32 bit).

I went back to upload the file in zip

Nice try .... Lucky Defender tags it as malware and blocks downloading.

Looks like you don't know what you're doing .... why didn't you just paste the ini update - so simple ...

Yes!!! This works for me too! Thanks a lot!

Can you please explain your procedure? How did you find out those values? So I can do the same the next time a windows update breaks RDPWrap.

Beware of 'Patch Tuesday' - it's not a matter of 'if' - it's a matter of 'when' MS breaks it again !

I'm just surprised that they haven't permanently broken it by now ....

You might want to take a look at this:

https://www.mysysadmintips.com/windows/clients/545-multiple-rdp-remote-desktop-sessions-in-windows-10

THE BEST FOR WIN 10 17763
THE REAL MVP!!!
THANKYOU

Thanks for the post FZappatta. Unfortunately didn't work for me on a machine with x86-32-bit Windows.

Can anybody confirm that the INI that FZappatta posted worked for them on an x86-32-bit machine?

Worked on 64bit, after install don't forget to restart

@yesidtaz thanks the problem is resolved, but i am facing issue with single session per user is not working.

Please, send someone termsrv.dll for 10.0.17763.437.
I did not make backup(

termsrv.zip

OMG!!!

This worked. Thank you so so so so much. I've been looking online for a solution for the past hour. Thank you!

image

I have this status on my WIN10 but still not working multiple users

Have you tried restarting your machine? After any changes, it's advisable to restart for the changes to kick in.

Also, have you downloaded yesidtaz's RDP program? This fixed my issue. Uninstall your current set up and then use his app to install.

@yesidtaz thanks the problem is resolved, but i am facing issue with single session per user is not working.

Correct, I am facing exactly this same problem, feature "single session per user" doesn't work, I had to uninstall the last Windows update in order to make it work again. I also wrote it here: https://github.com/stascorp/rdpwrap/issues/720#issuecomment-482073378

Let's hope someone finds a workaround soon.

Have you tried restarting your computer? After any changes, it's advisable to restart for the changes to take effect. Also, have you downloaded yesidtaz's RDP program? This fixed my issue. Uninstall your current setup and then install the app.
OK IT works! :) .... FIRST I uninstall the WRAP next i restart the machine then i Install the WRAP and last I restart it second times.... THEN ALL WORKS GREAT.

THX

works for me, thanks

FZappatta thank don't we need to stop and start something I forgot what? Never Mind I found it
Follow these steps:
Open CMD as Administrator
net stop termservice
Backup your rdpwrap.ini
Copy and overwrite with my rdpwrap.ini (C:\Program Files\RDP Wrapper)
Go back to the CMD Admin - net start termservice
Check with RDPconf

image

I have this status on my WIN10 but it still does not work with multiple users

image

Hello friend must use the default RDP authentication

@yesidtaz thanks, the problem is resolved, but I am facing an issue with single session per user not working.

Correct, I am facing exactly this same problem, the "single session per user" feature doesn't work, I had to uninstall the last Windows update in order to make it work again. I also wrote it here: #720 (comment)

Let's hope someone finds a solution soon.

image

Hello friend must use the default RDP authentication

@yesidtaz thanks the problem is resolved, but i am facing issue with single session per user is not working.

Check here for the solution: https://github.com/stascorp/rdpwrap/issues/720#issuecomment-482462622

Thanks, confirmed fix (SingleUserOffset.x64=1322C) for single session per user: https://github.com/stascorp/rdpwrap/issues/720#issuecomment-482462622

Can anyone explain these SingleUserOffset.x64 values?
The op with the repacked exe (anyone installing this is taking a huge risk) at the top of the thread supposedly had a value of:
SingleUserOffset.x64=3E520
This offset points to
000000018003E50A loc_18003E50A: ; CODE XREF: CRemoteTerminal::GetTerminalTypeExtended(_GUID *,ulong *,__MIDL___MIDL_itf_lsminterfacesdef_0000_0001_0004 *,_GUID *)+7Fj
000000018003E51C mov rax, [rax+158h]
and changes it to
000000018003E51C mov rax, [rax+58h]

The other suggested value 1322C points to
loc_18001322C: ; CODE XREF: CSessionArbitrationDesktop::GetRequestForWinlogon(_TS_WINLOGON_REQUEST *,int *)+1B2j
000000018001322C test ebx, ebx
and changes it to
loc_18001322C: ; CODE XREF: CSessionArbitrationDesktop::GetRequestForWinlogon(_TS_WINLOGON_REQUEST *,int *)+1B2j
000000018001322C add ebx, ebx

Using the guide https://github.com/stascorp/rdpwrap/blob/master/res/rdpwrap-ini-kb.txt
The function you want to target is CSessionArbitrationHelper::IsSingleSessionPerUserEnabled and starts at 13450.
Looking for something that matches the pattern of being initialized with a 1, you would probably look at the value 133B7 which is a 1 that you can flip to a zero.
00000001800133B6 mov dl, 1

It is a guess, but that fits the pattern of the examples.

I am struggling to get RDPwrap working again.

I have run the uninstall, rebooted and run the install but RDPwrap is still not listening. I have tried to replace the termsrv.dll but seem unable to give permission to administrator in order to delete the current one. Every option seems to be greyed out when I try to change the permissions.

Am I doing something wrong?

Sorry, I did another reboot and it is working now. Thanks for the update.

Hello,

We had an update yesterday (yesterday we did the restart, maybe it was from earlier this week) and the problem came up again. Copying the new termsrv.dll makes the Remote Desktop Services service to crash and won't start. Any idea if the latest update broke this again? Thanks!

I follow all step described, everything normally "green", but it still kick logged user. :(
I have two accounts on remote system. Any clue? Ty

Thank you friend. Good job

Version 10.0.17763.379 working...
