Main Webpage

Features

    Terminal Services Bulletin Board
    Links and Downloads
    Matthew Harris' Resume
    Contact the admin

Hacks

    Disable the X box on the Terminal Services Client
    Change the client version of the Terminal Services Client
    Add the clock to the taskbar through the registry
    Make all processes appear in the Task Manager through a registry hack
    Prevent disconnects and stabilize your terminal services connection
    Fix your TSAdmin application when it becomes nonfunctional on the taskbar
    Disable/Enable all terminal services logons through the registry

Scripts

    Restrict users to one session and reconnect them
    Share the redirected printer automatically
    Map your client's printer to an LPT port
    Rename client redirected printers
    Restrict users to only one terminal services session
    Automatically connect disconnected users back to their sessions
    Force software license compliance through a script
    How to reset all your TS sessions at once

Hard to Diagnose Problems

    Incorrect IE permissions can disable opening new IE windows

Changing the client version of the Terminal Services client


In this article, I'll discuss how you can customize the terminal services client to create a custom build version.

You can customize your client and use it with the TSVer utility that came with the Windows 2000 Resource Kit. TSVer can restrict what client builds can connect to your terminal server. Thus, if you use this tutorial to create a custom build of your client, you can restrict who can connect to your terminal server based on who you give your customized client to. You can download TSVer here and get more information about utilizing TSVer here

Due to the scope of this article, I won't go into the nitty-gritty details about the disassembly of mstscax.dll or how I determined what hex address to change. If you have questions pertaining to the disassembly, please feel free to e-mail me. If you are interested in disassembly, I would highly recommend W32DAsm. Extremely powerful disassembler and process debugger.

For this tutorial, I'm going to change a build 2600 RDP client into a build 2601. You can choose whatever number you'd like to change it into, just make the necessary changes as you see fit.

Prerequisites:
•The latest version of the RDP client, build 2600 or later
•Any hex editor that will tell you the current offset you are at in your file. I'm using Hacker's View (HIEW) in this article. It is shareware and will do the job just fine.

Step 1: Backup your main files
•After you have installed your client, make a backup copy of mstscax.dll. This is for good measure. It can be found in your %SystemRoot%\System32 directory.

Step 2: Check your mstscax.dll version
•Before we start hacking the mstscax.dll, we need to determine what version we are using.
•Find your mstscax.dll and right click on it, then click properties. Click on the version tab and check what the 'File Version' is. Most likely it is 5.1.2600.0 or something similar. See Figure 1, below, for a screenshot.


Figure 1. Mstscax.dll's version, 5.1.2600.0
Click the image for a larger version

•Make note of that version number. That number is the build number of the mstscax.dll, and a terminal server can detect that build number when you connect. Figure 2, shown below, is a screenshot of tsadmin.exe showing the client build of 2600.


Figure 2. TSAdmin's view of the client's build.
Click the image for a larger version

Step 3: Patch the mstscax.dll
•Now that you know the build number, use Table 1, below, to determine what the Hex Address of where you are going to patch.

Table 1.

Client Build Number

Hex Address

Hex Offset

5.1.2600.0 (Windows XP version)

6A634EEF

0x000342EF

5.1.2600.1106 (Windows XP SP1 version)

6A640EB4

0x00040EB4

5.1.2600.2180 (Windows XP SP2 version)

6A646834

0x00045C34

5.2.3718.0 (Windows Server 2003 RC2 version)

605F0ACA

0x0003FECA

5.2.3790.0 (Windows Server 2003 version)

60110B42

0x0003FF42

5.2.3790.1433 (Windows Server 2003 SP1 RC2 version)

6A648F7B

0x00048375

5.2.3790.1830 (Windows Server 2003 SP1 version)

6A648F7B

0x00048375


•For this tutorial, we are going to be looking at address 6A634EE9 of the mstsacax.dll.
•Now, start up your hex editor and go to the hex address you just looked up (in this case, 6A634EEF). In HIEW, the hex editor I'm using, I hit Enter once, to switch into hex editing mode, then hit F5 to use the goto function. I then typed in ".6A634EEF" (without the quotes). If the search properly executed, then you'll see a screen similar to Figure 3, shown below.


Figure 3. The unedited mstscax.dll.
Click the image for a larger version

•You'll notice at this point that the number 28 is highlighted. You'll also notice that the next number, located at 6A634EF0, is 0A. Just so you know, 0A28 is hex for 2600, which is the build number we are tying to hack.
•For this tutorial, I'm going to change the build from 2600 to 2601, so using my handy calculator, I determined that 2601 converted to hex is 0A29, which means I need to change the 28 to 29.
•Getting hack to HIEW, hit F3 to enter into editing mode, then change the 28, at hex address 6A634EEF, to 29. Hit F9 to save the changes, then hit F10 to exit HIEW. Figure 4, shown below, displays the end product.


Figure 4. The edited mstscax.dll.
Click the image for a larger version

•Now, put the hacked mstscax.dll back into your %SystemRoot%\System32 directory and then startup mstsc.exe. Connect up to your terminal server, and then bring up tsadmin.exe. Figure 5, shown below, is what you should see. You'll notice that tsadmin now recognizes the client build as 2601, rather than 2600, which means that our hack has worked.


Figure 5. TSAdmin's view of the client's build.
Click the image for a larger version

Well, that's about it. You've just finished hacking the mstscax.dll. And...no tutorial would be complete without a download, so here is the version I created (compressed):
MSTSCAX.zip