Listener is not listening on Win 10 Home (build 14997+)

[aiugrivef]

Hello,

Thank you for rdpwrap!

Unfortunately, on Windows 10 Home edition, it is not working anymore since Insider build 15002.
Rdpwrap is fully updated and says "fully supported", but Listener state is "not listening" for some reason.

Thank you!

[binarymaster]

Support for 15007 has been added in 5814e3f, try again.

[aiugrivef]

Hello,

I have updated and tested again on 15007, without success.

It is not working on a Home edition, here is what RDPConf is displaying:

• wrapper: installed
• service: running
• listener: not listening

[johanatan]

I am experiencing the same thing on a fresh WIndows 10 Home install.

[johanatan]

i.e., Listener state: not listening

[binarymaster]

Try this way, maybe it will help: #45 (comment)

(i.e. fully uninstall and install again)

[aiugrivef]

Hello, I have tried again several times today, and it is not working.

I am nowhere near as good as you are, but it looks like M$ have changed their SLC method again starting with 15002...
15002 have public symbols, but I am not good enough to understand them sorry...

[wfmde]

I have the same problem with 15002. Reinstall does not solve the problem.

[CaptainThrowback]

I'm experiencing the same issue on 15007. Already tried a reinstall.

[binarymaster]

Issue confirmed in 10.0.15007.1000.

[binarymaster]

Interesting observation about file sizes between builds:

Build	x86 size	x64 size
10.0.14971.1000	840 KB	998 KB
10.0.14986.1000	840 KB	998 KB
10.0.14997.1001	? KB	1002 KB
10.0.15002.1001	847 KB	1002 KB
10.0.15007.1000	847 KB	1002 KB
10.0.15014.1000	847 KB	1002 KB

So there's something new added in 14997.

[aiugrivef]

Hello,
Same issue with 15014 and 15019 :-(

[aiugrivef]

Hello,
I have tried to debug the TermService, but I am not skilled enough :(
According to me, it looks like the patching of the global variables (bRemoteConnAllowed...) is done well, but this is not enough: the service does not start listening on RDP port.

Maybe there is a new variable?
Maybe the fact that CSQLQuery::Initialize() is not executed is blocking the service launch?

I fear this issue will be worse once Microsoft releases its next public version (probably in 1 month or so) - could you help me to fix this issue please?

[binarymaster]

Maybe the fact that CSQLQuery::Initialize() is not executed is blocking the service launch?

@aiugrivef Win 10 Pro have no problems with RDPWrap, so I think there is something other.

[CaptainThrowback]

Having the same issue on 15048. Windows 10 Home Preview.

[binarymaster]

Having the same issue on 15048.

Not big surprise.

[TicTac9k1]

Win 10 Home does not support RDP at all I think.

[binarymaster]

Win 10 Home does not support RDP at all I think.

O RLY?

This is plain Windows 10 (core) (not build 15002+ though).

[shoffmeister]

/me too

On a Windows 10 Home Insider Build, Version 1703, Build 15063.0 ("systeminfo"),

OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.15063 N/A Build 15063
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free

I continue to get

Listener State: Not listening
from RDPConf.exe, although my build is flagged as fully supported. RDPCheck.exe will not connect (to 127.0.0.2)

I have tried

git pull
update.bat
uninstall.bat
install.bat

The irritating part here is "[+] Successfully installed.", where as earlier it complains

[-] This version of Terminal Services is not supported.
Try running "update.bat" or "RDPWInst -w" to download latest INI file.
If it doesn't help, send your termsrv.dll to project developer for support.

File termsrv.dll in %WINDOWDIR%\System32 has a size of 992,256 bytes

[shoffmeister]

With respect to "send your termsrv.dll to project developer for support" - what is the preferred means?

[zen-engineer]

I have experienced the same issue as @shoffmeister

Win 10 build 15063.15 - attached termserv.dll

Here is my termserv.dll:
termsrv.zip

[*] Installing...
[*] Terminal Services version: 10.0.15063.0
[-] This version of Terminal Services is not supported.
Try running "update.bat" or "RDPWInst -w" to download latest INI file.
If it doesn't help, send your termsrv.dll to project developer for support.
[+] TermService found (pid 1096).
[*] No shared services found.
[*] Extracting files...
[*] Downloading latest INI file...
[+] Latest INI file -> C:\Program Files\RDP Wrapper\rdpwrap.ini
[+] Extracted rdpw64 -> C:\Program Files\RDP Wrapper\rdpwrap.dll
[*] Configuring service library...
[*] Checking dependencies...
[*] Checking CertPropSvc...
[*] Checking SessionEnv...
[*] Terminating service...
[*] Starting TermService...
[*] Configuring registry...
[*] Configuring firewall...
Ok.

[+] Successfully installed.

But It's not successfully installed:

[linzyjx]

As novice can only pay close attention. I hope you can solve it at an early date.

[binarymaster]

I hope you can solve it at an early date.

[zen-engineer]

Hi.
I am not sure what this means? Does this mean that the issue is not possible to resolve?

[binarymaster]

This means it is not so easy to resolve.

[zen-engineer]

Is it possible to provide any technical details so perhaps we can try and contribute to getting this solved?

[binarymaster]

Is it possible to provide any technical details so perhaps we can try and contribute to getting this solved?

Okay, so this is we already know:

• build 10.0.14986.1000 have no issue
• build 10.0.15002.1001 introduced the issue

It means the latter build has changed something in the code - it may be termsrv.dll, but may be not.

So, it will require to set up two (virtual) machines with these two different Windows 10 Home builds (Pro is not affected). Then enable kernel debugger with serial output, and try to investigate where the behaviour differs (with RDP Wrapper installed).

If we find the actual reason of the listener problem, then it will be possible to fix it.

[shoffmeister]

The "Fully supported" is a bit confusing, to be honest, although I now understand this to only to refer to successful hot-patching of the termsrv.dll PE image.

I am not sure whether I'd be up-to-speed to support here; I don't have good tooling (no IDA Pro, for instance) and no awareness / mental model of the peculiar things that happen in terminal server licensing, and do not know the enabling strategy used by rdpwrap.

FWIW, wouldn't it make sense to religiously check the return value of all API calls, e.g. at

WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw);

I am not sure whether Delphi has acquired a compiler warning switch which flags these scenarios, sorry.

Anyway, thank you very much for acknowledging the issue, for the service - and happy hunting!

[foobar167]

Copying rfxvmt.dll file into Windows\System32 works for me.
Thank you, sDunkan!

[tblog1234]

Copying rfxvmt.dll file into Windows\System32 works for me as well. Just make sure to use command prompt with Administrator mode to copy. Regular copy wont work.

[mer30hamid]

Copying rfxvmt.dll file into Windows\System32 worked for me too, but I have windows 10 32 (1709) home edition, I used the x86 dll from here:
#229 (comment)

[lars18th]

Hi,

As you know without the correct File Permissions, the file "rfxvmt.dll" isn't properlly loaded.
So, I present a guide for setting the correct ICLs using the Command-Line. You will get it usefull when connecting through SSH to your system when you have lost the RDP connection.

In this guide, "PCADDR" is the name of you PC, and "user" is the username you use in the login (it needs to have administrator privileges!):

net stop TermService

copy c:\rfxvmt.dll c:\windows\system32\
cd c:\windows\system32\
takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /grant "PCADDR\user:F"

icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

icacls.exe rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
icacls.exe rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

icacls.exe rfxvmt.dll /remove "BUILTIN\Administrators"
icacls.exe rfxvmt.dll /grant "BUILTIN\Administrators:RX"

icacls.exe rfxvmt.dll /remove "PCADDR\user"

net start TermService

If you use another locale different that English, then "BUILTIN\Administrators" will be "BUILTIN\something" where "something" is name group in this language.

In general the guide does: Copy the file to the right location. Take own of the new file. Grant explicit privileges to the user (temporal). Remove inherited privileges. Set correct owner and generic permissions. Remove the explicit privileges of the user (this is required because when you remove the privileges for the Administrators Group then you lost acccess).

Perhaps someone likes to craete an script for doing all tasks automatically.
Regards!

[XUnderShadow]

confirmed script is working
small fix to set pcaddr and user at the top for easier editing

set PC_NAME=
set USER_NAME=

net stop TermService

copy c:\rfxvmt.dll c:\windows\system32
cd c:\windows\system32
takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /grant "%PCADDR%\%USER_NAME%:F"

icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

icacls.exe rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
icacls.exe rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

icacls.exe rfxvmt.dll /remove "BUILTIN\Administrators"
icacls.exe rfxvmt.dll /grant "BUILTIN\Administrators:RX"

icacls.exe rfxvmt.dll /remove "%PCADDR%\%USER_NAME%"

net start TermService

[eLenoAr]

Attention with the var PC_NAME you are using at the top and in your commands [%PCADDR%]!
set PC_NAME= in your script is supposed to be set PCADDR=

[XUnderShadow]

set PC_NAME=
set USER_NAME=

net stop TermService

copy c:\rfxvmt.dll c:\windows\system32
cd c:\windows\system32
takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /grant "%PC_NAME%\%USER_NAME%:F"

icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

icacls.exe rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
icacls.exe rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

icacls.exe rfxvmt.dll /remove "BUILTIN\Administrators"
icacls.exe rfxvmt.dll /grant "BUILTIN\Administrators:RX"

icacls.exe rfxvmt.dll /remove "%PC_NAME%\%USER_NAME%"

net start TermService

[YenHaEncore]

Hi all !

I have the same issue (not listening) with last update 16299, i have download new rfxvmt.dll (thx sDunkan) and make a batch file with XUnderShadow's code but it don't work for me.

I've try to grant privileges to everyown, uninstall, update and install, not working too.

Somebody have a solution for me ?

Thanks you in advance

[AlexeiScherbakov]

You can try my dlls https://github.com/stascorp/rdpwrap/files/1545652/dlls.zip in #368

[YenHaEncore]

Works perfect ! Thanks you AlexeiScherbakov

[texNICKru]

Hi all !
Do not work terminal server on Win10 x86 16299.125 one language (
And please check offset patch for x86

[10.0.16299.15]
LocalOnlyPatch.x86=1
LocalOnlyOffset.x86=A8E08
LocalOnlyCode.x86=jmpshort
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8FD01
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x86=1
SingleUserOffset.x86=39215
SingleUserCode.x86=nop
SingleUserPatch.x64=1
SingleUserOffset.x64=1C774
SingleUserCode.x64=Zero
DefPolicyPatch.x86=1
DefPolicyOffset.x86=3DC89
DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
DefPolicyPatch.x64=1
DefPolicyOffset.x64=12D85
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
SLInitHook.x86=1
SLInitOffset.x86=461BD
SLInitFunc.x86=New_CSLQuery_Initialize
SLInitHook.x64=1
SLInitOffset.x64=22D5C
SLInitFunc.x64=New_CSLQuery_Initialize

In this termsrv.dll not DefPolicyOffset.x86=3DC89.
I find 3B81200300000F84 on offset 3D089. May be mistake misspell?
termsrv(2).zip

[binarymaster]

I find 3B81200300000F84 on offset 3D089. May be mistake misspell?

Offsets are relative to image base address, not from start of file.

[texNICKru]

Thanks!!! Now working)

[binarymaster]

Fixed in v1.6.2 release.

[sfhurt]

Microsoft forced an update today for Windows 10 that broke the listener. W10 V 1709, build 16299.125. 32bit laptop that I use for interfacing to some signal generators. I've tried to go through all of the thread above but haven't found a solution. uninstalled and reinstalled v1.6.2, copied over rfxvmt.dll and termserv.dll with no luck.

[OneCrazyRussian]

Can't confirm on 16299.248, seems ok on both configurations for me (one is with manual rfxvmt.dll extraction and another is with automatic rfxvmt.dll extraction). They show up with different service versions but both seem to work

[sunriseydy]

It seems not works on Win10 x64 1803 Home, with "not listening" and "not supported", also tried the rfxvmt.dll.

[vgerald]

RDPwrap stopped working after 8.1 installing updates. Microsoft Windows [Version 6.3.9600]

when I try to replace the rfxvmt.dll, I get the below error. How do I replace it?

[Rebelpyr7]

@vgerald Take a look at the issue below. There's a fix action there that doesn't requiring you to replace any .dll files.

#418

[vgerald]

#418
Solved! - Thanks @Rebelpyr7
the updates to rdpwrap.ini file mentioned by @amrgb ==> show it as supported.
replacing the termsrv.dll ==> shows the listener state as 'Not listening'

[Rebelpyr7]

@vgerald Glad I could help, I was messing around with this way too much today before I tried the simplest fix which ended up working.