An update to this post (that covers Windows 10) is now available here.
You are checking the helpdesk and a new problem rolls in. You know the solution but you (the administrator) will need to login. You immediately remote into the machine only to see that the user is showing a presentation or actively using it.
Do you:
A) Call the user and have them log off so that you can start fixing the problem. The problem will get fixed but the user is interrupted for 20 minutes.
B) Wait until later in the day and hope the user isn’t using their computer. The problem will get fixed at the end of the day but the user had to deal with it all day.
C) Use RDP and log into the computer. The user is able to continue the presentation. You are able to fix the problem in the background. Everybody is happy!
The answer is C!
“That’s wrong!”, you say! “Client OSs can’t have concurrent RDP sessions. When you try, you get an ugly message and the current logged in user is logged out!”
If Server can, the client can! All we have to do is trick it! How? Let’s find out!
Starting off, I am going to make two assumptions. One – you are an administrator of these remote machines. Two – you can already RDP into these machines when no user is logged on. If you aren’t sure or haven’t configured these settings, see this article on where to locate these settings.
Next: Download the CRDP zip file. The script and files came from Mike Garcen and can be found here. Once downloaded, extract the contents into a folder within your local profile.
Third Step: Download SysInternal PSTools. Copy PSEXEC.EXE from the download and paste it in the CRDP folder (under your local profile).
Last step! Create a batch file in the root of your profile named CRDP.bat. Paste these three lines into it:
xcopy “%USERPROFILE%\CRDP\*” \\%1\C$\Windows\Temp\CRDP\ /y
“%USERPROFILE%\CRDP\psexec.exe” \\%1 C:\Windows\Temp\CRDP\install.cmd multi
mstsc /v:%1
That’s it! Now, you can press Windows Key + R. Then type CRDP COMPUTERNAME
XCOPY will copy over all of the files and PSXEC will execute the script. After it has finished, you will be asked to login with your administrative account. Just to show you how awesome this is, take a look at these screenshots.
A Standard User Logged On
An Administrator Logged on at the Same Time (Notice the Task Manager).
Zoomed in Task Manager Showing User Sessions:
Pretty awesome right! Now you can work on a computer at the same time as a standard user!! There are some caveats to this method. First, it currently only works on Windows 7. I’ve seen some Windows 8 methods but they are quite shady. Second, Microsoft released an update to patch Remote Desktop Connection. This update (2984972) broke this tool. You can remove this update by running wusa /uninstall /quiet /norestart /kb:2984972 . A big thanks to TenNine for researching that problem!
Install.cmd script already partially modified for non-english versions of Windows 7. Lines 156-157:
REM Update: Mikinho, changed from “Remote Desktop Services” for globalization
NET START TermService
But there are one more line to be changed. On line 100 instead of
ICACLS %SystemRoot%\System32\termsrv.dll /Grant Administrators:F
must be
ICACLS %SystemRoot%\System32\termsrv.dll /Grant *S-1-5-32-544:F
because on non-english versions of Windows 7 name of Administrators group is localized too.
(sorry for my english, it’s not very good, i know 🙂 )
Thank you Ivan!
What RDP client is being used in the photos? Looks like something other than RDP.
The first screenshot showing a logged on user is not RDP – it is a VNC like program named NetSupport. That screenshot is used just to show that a user was physically logged into the machine. The following screenshot is RDP. The last screenshot is RDP but showing just the taskmgr. It shows that two users are actively logged into the computer.
That’s a pity that CRDP doesn’t work anymore due to Microsoft patches…
Agreed Gianluigi.
RDP Wrapper was updated today, check it out. Now it supports latest update KB3000850 for Windows 8.1.
https://github.com/binarymaster/rdpwrap/releases/
Hello,
You may try RDP Wrapper Library (by Stas’M) which leaves termsrv.dll untouched
http://stascorp.com/load/1-1-0-63
Regards
Thanks for the link! I will check it out.
RDP Wrapper really rocks!
Just checked, it can trick even Starter and Home Basic editions. And it doesn’t violate license agreement, because it doesn’t change system files and working as separate application, granting such powerful remoting features.
Also it’s fully open source, I found it here:
https://github.com/binarymaster/rdpwrap
Thanks Robert! I am glad that you like it! I still haven’t had a chance to try it yet so I can’t fully endorse it.
Hm… just downloaded it. Bitdefender not like.
C:\Users\xxx\Desktop\rdpwrap-master\rdpwrap-master\src-x86-x64-Fusix\rdpw32.dll Gen:Trojan.Heur.LP.fu8@aSxXyvbi Moved to Quarantine
That is why I haven’t tried it yet. Need to spin up an isolated network one day and see what happens.
Obviously a false positive. You can build it from source.
And of course, you can check its behaviour in the test environment. I’m pretty sure that it’s safe.
So looks like I got it going. It took a while to search it up and figure out how to fix things up, it gets a little bit more complicated but here is the deal.
The problem starts happening when Windows Update installs KB2984972. This updates the RDP service and breaks what we try to do here. So this needs to be removed, but we need to do it remotely (obviously). With psexec and wusa we can, but there is a catch – you must reboot. The command can do the reboot on its own or not, i have included the switch “/norestart” because if people are using the computer you don’t want it to just reboot on them. If you’re okay with it rebooting you can remove that switch.
Here is the command: “psexec.exe \\RemoteComputerName wusa /uninstall /quiet /norestart /kb:2984972”
Once complete you should get a response saying error code 3010 which should mean it was successful.
Call up your user and say they should reboot their machine because the unicorn in their computer needs some rest.
After the reboot, run CRDP just like before, and it should work!
Let me know how it goes for you guys. I don’t have much time to play around and see if we can work around the reboot, but if you guys figure anything out please share.
Great fine TenNine! Here is the KB from MS on that update: http://support.microsoft.com/kb/2984972
You can run wusa /uninstall /quiet /norestart /kb:2984972 as a run once shutdown script or with SCCM as well. A reboot would be required as the SXS folder needs to copy back the files that were originally changed.
Do we need this update though? Is it critical?
It is classified as a security update but not as a critical update.
I’m successfully able to use the script on a users machine finally. Now though if I have to use it again on the same machine I get the message “Another user is already logged in”
Am I doing something wrong with the script?
I believe you are having the same issue that Brian is – on new machines, I haven’t been able to use CRDP with reliable results.
Seems that MS latest patch cycle has broken the ability to use this
Thanks for the update Brian.
Has anyone found a work around? Windows Update broke my CRDP.
I haven’t yet Brad – when I do – I will update this post.
To confirm we are seeing the same thing, the RDP connection closes immediately right after connecting.
Joseph you may want to update the original post.
Check the bottom of the post! I updated it with your notes. Thank you again!
I think I almost have this working. Only thing is I’m still getting the message about another user being logged into this computer and that other user needs to log off.
Any help with my error? All of my paths look to be good.
C:Users\[my username]>copy “C:\Users\[my username]\CRDP\*” \\[clients username]\C$\Windows\Temp\CRDP\ /y
C:\Users\[my username]\CRDP\32_rdpclip.exe
C:\Users\[my username]\CRDP\32_termsrv.dll
C:\Users\[my username]\CRDP\64_rdpclip.exe
C:\Users\[my username]\CRDP\34_termsrv.dll
C:\Users\[my username]\CRDP\CRDP.bat
C:\Users\[my username]\CRDP\Install.cmd
C:\Users\[my username]\CRDP\PsExec.exe
7 Files(s) copied
C:\Users\gblevins1>”C:\Users\gblevins1\CRDP\psec.exe \\[clients username] C:\Windows\Temp\CRDP\install.cmd multi
The filename, directory name, or volume label syntax is incorrect.
Can you browse to \\REMOTECOMPUTERNAME\C$\Windows\Temps\CRDP? Do you see the install.cmd in that folder?
No I haven’t tried anything since the last time
Yes its in there.
Any progress?
If I could get this to work it would be awesome. I get this when trying to run the script
C:\Users\jmerwin>xcopy ô\\C:\Users\jmerwin\CRDP\*ö \\hs-super-mh\C$\Windows\Temp
\CRDP\ /y
File not found – *ö
0 File(s) copied
Does the CRDP folder exist in C:\Users\jmerwin\CRDP\?
Justin,
Try deleting the quotation marks in your batch file and re-adding them. I had the same issue because I copied/pasted straight from the site.
Thank you Eric! I forget about how the script editor can change those characters.
Still doesn’t work. I think I’m giving up and just install tightvnc on all the machines.
Here is my batch file
xcopy “%USERPROFILE%\CRDP\*” \\%1\C$\Windows\Temp\CRDP\ /y
“%USERPROFILE%\CRDP\psexec.exe \\%1 C:\Windows\Temp\CRDP\install.cmd multi
mstsc /v:%1
Here is my error from the command
C:\Users\jmerwin>xcopy ô\\C:\Users\jmerwin\CRDP\*ö \\hs-super-ds\C$\Windows\Temp
\CRDP\ /y
File not found – *ö
0 File(s) copied
In that same prompt, can you browse to \\hs-super-ds\C$\Windows\Temp?
Where is the closing quote for the beginning quote in the line beginning with:
“%USERPROFILE%
Thanks Jimmy for finding that! I corrected it.
that got things copying but I still get the error of another user logged in you need to log that user off.
Stumbled across this website while looking up GPO stuff and found this script, brilliant stuff! I was in the same boat about getting the effect reversed though so I made a little change to the CRDP script and added in an uninstall script, hope you don’t mind! Shared below for others:
CRDP script (change LOCATION as required):
xcopy “\\LOCATION\Tools\CRDP\*” \\%1\C$\Windows\Temp\CRDP\ /y
\\pc1045\Tools\CRDP\psexec.exe \\%1 C:\Windows\Temp\CRDP\install.cmd multi
start /wait mstsc /v:%1
\\LOCATION\Tools\CRDP\psexec.exe \\%1 C:\Windows\Temp\CRDP\Uninstall.cmd
Uninstall script (Some bits reused from original install script):
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET SET_CURRENTBUILD=”7601″
SET SET_CSDBUILDNUMBER=”1130″
SET SET_VERSION=%SET_CURRENTBUILD%.%SET_CSDBUILDNUMBER%
:STOPTERMINALSERVICES
ECHO Stopping Remote Desktop Services
NET stop TermService /y
:BACKUPTERMSRVDLL
REM Note: Checks for the backup of the .dll, if found it deletes the new one
REM copies the backup and then deletes it. This is important as the install
REM script checks for the backup file and if found, doesn’t copy a new .dll over
echo %SystemRoot%\System32\termsrv.dll.%SET_VERSION%.bak
IF /I EXIST %SystemRoot%\System32\termsrv.dll.%SET_VERSION%.bak (
DEL %SystemRoot%\System32\termsrv.dll
)
COPY “%SystemRoot%\System32\termsrv.dll.%SET_VERSION%.bak” “%SystemRoot%\System32\termsrv.dll”
IF ERRORLEVEL 0 DEL %SystemRoot%\System32\termsrv.dll.%SET_VERSION%.bak
:STARTTERMINALSERVICES
ECHO Starting Remote Desktop Services
NET START TermService
:EDITREGKEY
REM Note: Reverses the Reg key change
REG ADD “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fSingleSessionPerUser /t REG_DWORD /d 1 /f
ENDLOCAL
EXIT /B
Hope that helps others 🙂 And thanks again for the original script! Saves so much heart ache and tears… haha.
Thanks for posting your script! I am glad that this article helped!
Hi Joseph Thank you for the share but I am unable to do the needed.
I am currently using windows 8 and 8.1
Thank you for your help in advance
Hi Kelly – just an update, I am working on a Windows 8.1 version of this script.
Hey Joseph — First of all thanks for this site. I’ve just recently discovered it; and now there are a couple more tasks on my to-do list that I want to try out in my environment!
Are you still working on a W8.1 version for this script? I’ve tried the current version unsuccessfully. Everything seems to work; the files are being copied successfully, PsExec (latest version) executes and runs install.cmd, but when I actually connect with mstsc to the client I enter my Domain Admin credentials and get the dreaded “A user is currently …” prompt.
Please tell me you have good news?
Cheers
No problem at all! I am glad these guides help you!
That project got put to the side for a little bit. I will try to finish it up soon though!
I would also really like a Windows 8.1 version of this script.
Joseph — Did you make any progress on the 8.1 version of the script.
I hope this doesn’t end up as a double post, but my previous reply doesn’t show.
Cheers
I worked on it for a while but kept killing the RDP service. After the summer, I will have to get back to it – it is slowing up my 8.1 deployments.
Is there a way to reverse this process? It isn’t really a usable feature unless we can reverse it as it is a security hole in the work environment if used. If this can be reverse, this will prove to be a much more useful tool! Thanks!
Matt left a comment below that should help you undo the features. Let me know if you still have issues after seeing his suggestion.
Hi Joseph, thanks for the quick reply.
I tried that and it does work. I must have misunderstood the intentions of Matt when i first read his comment.
However, the best way would be to enable the multiple sessions when you want to use it, and disable it when you are done. I suppose you could use the same psexec in the same script (towards the end) to copy over a .reg file and run it, so after the script fully runs and pops up the mstsc window for you to connect. I am not well versed in scripting so I am a little too lazy to figure that one out.
But, I couldn’t let it slide either, so a quick batch file you can run after you are done will fix things up real quick. Here is what it does:
set /p cmname=Enter Remote Computer Name:
sc \\%cmname% start RemoteRegistry
REG ADD “\\%cmname%\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fSingleSessionPerUser /t REG_DWORD /d 1 /f
sc \\%cmname% stop RemoteRegistry
So when running it, it will ask you for the computer name… then it will enable the remote registry so you can make the change in the key Matt found in the script. I put in the key we wanted enabled to 1. Once that goes through the sc command will turn off the remote registry (this is how we have it currently set in our environment, i did not want to enable the service on every machine i work on so i turned it back off to be a little more secure)
This should make it easy to use the CRDP script to be able to remote into a computer and once your work is done us this to reverse the registry key Matt mentioned. Maybe not the most cleanest way but it works.
Cheers
The best method is the one that works! Thank you for sharing your method!
Also one more thing I forgot to mention in terms of completely reversing everything. Apart from the registry you’ll obviously need to remove the termsvr.dll
Since the script already makes a backup of it, it isn’t too complicated to set it back. You just need to restart Remote Desktop Services, delete the new termsvr.dll and rename the backed up one to “termsvr.dll”. That should set it up so as if nothing ever happened.
First of all, I want to state that this is one of my favorite admin tools. However, we have discovered a drawback. After CRDP is used it always connects as a second session. This is becoming problematic for when someone wants to log onto their previous session remotely. For example, if someone was using the console, goes to a different location, and remotes into their desktop then they are connected under a second session. Is there a way to reverse the CRDP so that we can avoid this? I’m looking through the script right now and it seems that if I change some reg keys to disallow multiple logins it should undo this, but I don’t want to start hacking at the registry without being sure of what I’m doing.
Thanks Matt! It is one of my favorite tools as well. 🙂
That is an interesting (and unexpected) quirk. Setting those registry keys to delete/reverse themselves would disable CRDP though. If you modify the script to undo the settings, email it to me (or post it here).
The main issue is that any one user can have multiple sessions. I dug into the script a bit and found that when it adds a reg key for terminal server it uses (lines 142-144):
:SETSINGLESESSIONSETTING
ECHO Setting fSingleSessionPerUser to %SINGLESESSION%
REG ADD “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fSingleSessionPerUser /t REG_DWORD /d %SINGLESESSION% /f
The /d is the value of the key, which seems to be using a variable called %SINGLESESSION%. This variable is defined earlier in the script and it looks like it is supposed to default to 1 (single session only) unless the multi variable is added, but in all the computers we have used the script on it has set the value to 0 (multiple sessions). Since I don’t ever want to have multiple sessions enabled, I removed the %SINGLESESSION% variable and replaced it with a 1, which has solved the problem for me.
Thank you for posting this Matt! One of my goals is to write this script in PowerShell. When I do, I will add an option to include your change.
sir is this like multi pc? 1 cpu 2 monior/kb/mouse? can it do it? thanks
It isn’t – this is made to allow you to use a computer at the same time someone else is.
sir is this like multi pc? 1 cpu 2 monitor/kb can do this?
To quote Butt-head: This is the coolest thing I have ever seen.
But it is failing. 🙁
I am getting the old “the current user will be logged off” message. What have I done wrong?
It is an awesome trick!
What is your client OS (the OS of the machine you are connecting to)?
Windows 7 Pro x64
I wasn’t able to replicate this issue – are your machines running SP1?
Didn’t work for me either. Somebody has left out some important detail because I followed the instructions to the letter. Why doesn’t this work as advertised?
Hey Leonard – what OS are you using? It should work fine for Windows 7 (x86 or x64) Enterprise/Professional.
Actually I got it to work shortly after my post but the website seemed to be inaccessible so I wasn’t able to respond.
I took each line of the process and found that the failure was occurring at the copying of the CRDP folder (xcopy “%USERPROFILE%\CRDP\*” \\%1\C$\Windows\Temp\CRDP\ /y). I found that the folder was never getting copied to my target system.
I took the liberty to copy the folder as it was stated to my target system. Then I stepped through each of the next two lines, substituting my target machine for the %1 value. From there it worked, so I don’t know why the folder was not able to be copied to the target machine.
In my environment, I would simply use GPO to copy that folder structure to all of my systems and eliminate that part of the process.
I showed this to my boss and to my surprise, he was less than surprised and thought it was a waste of time as well as a potential security risk somehow. Can anyone address the security concerns?
I had a hosting issue yesterday – sorry about that!
Your boss’s reaction is surprising! Only users with RDP access can use this tool – normally, these users are admins on the machine. I don’t see any security issues with using it.
Got the same problem back again. It is telling me that the other user needs to log off. Frustrating. Taking more time to get this to work than just having the person get off and let me on. Is there some log file or something to find out why this is so inconsistent? I do not have the latitude from my company to be “playing” with things to get them to work. What can possibly be the issue?
Leonard,
I tried to reply to your post below but it won’t let me so I’m posting here. If your CRDP script is failing at that line you posted, you likely don’t have admin shares turned on, since the script is copying to the C$ admin share. Otherwise your %1 variable is not properly assigned.
Thanks for the reply Matt! I was thinking a permissions issues as well.
Leonard – let us know what you find!
Below is a capture of the batch file when executed. What is the deal with the 3rd line?
C:\Windows\system32>C:\Users\administrator\CRDP\psexec.exe \\192.168.19.117 C:\Windows\Temp\CRDP\install.cmd multi
The filename, directory name, or volume label syntax is incorrect.
Tried this again and still not working. How is it possible to populate the “%1% variable on the first line of the batch file, when the RDP connections console hasn’t even been brought up yet? Every time I run the script there is nothing in the %1% variable except “\\”.
That’s why I can’t get connected without having to have the other side log off. The contents of the CRDP folder are not getting copied to the destination computer. How is this suppose to work?
Just to make sure we are on the same page. You have the CRDP batch file saved to your local profile. You are then going to Start – Run and typing CRDP COMPUTERNAME. EX: CRDP JOSEPH-PC
This works because the computername is the first parameter. This fills in the %1 variable.
This is probably one of the coolest things Ive done in a while. Using this, I can remote in to a machine that a user currently logged into and work on a machine without ever having to ask the user to log off or interrupt what they are doing by taking over their session. I did have to do some modification to the script however to make it work for our environment. Because we log in with standard user accounts and right click, “Runas admin” for things that need elevated rights, I neeed a way to run the script as admin and still be able to input the computer name. Below is the modified batch file. Feel free to use this if you need a way to right click and “runas admin”. Just remember to change the 2 lines “\\msi\Execute\Software\Microsoft\CRDP\” to your server and share where the CRDP folder is located.
——————————————————
@echo off
:InputBox
set input=
set heading=CRDP
set message=Enter the computer name below
echo wscript.echo inputbox(WScript.Arguments(0),WScript.Arguments(1)) >”%temp%/input.vbs”
for /f “tokens=* delims=” %%a in (‘cscript //nologo “%temp%/input.vbs” “%message%” “%heading%”‘) do set input=%%a
md “\\%input%\C$\windows\temp\CRDP”
copy \\msi\Execute\Software\Microsoft\CRDP\* \\%input%\C$\windows\temp\CRDP
\\msi\Execute\Software\Microsoft\CRDP\psexec.exe \\%input% C:\CRDP\install.cmd multi -s
mstsc /v:%input%
Cool script Steven! I’m surprised that they let you use this tool. I know that your work can be a little weird about non-built-in tools. 🙂
Tested and it seems to work fine on LAN. Does not seem to work outside of LAN – so unable to access remote clients via Internet. Should it be able to do this?
I’m glad you got it to work on your LAN! It saves me so much time.
I just tried it on an internal private network on my Hyper-V setup and it seemed to work “externally” to internally. Both IP ranges were private ranges though. Let me know what you find out with your issue!
It is very nice article, really love it, but before I try it I would try Remote desktop central, the free version is for 25 pc, but SURE is a nice trick 😉
thankx Joseph
Not a problem Silvio! Remote Desktop Central looks pretty cool!
One thing you may want to mention, the remote computer has to be running Win 7 SP1 or later. Of course the computer that I tried to connect to first didn’t have SP1 installed for some reason.
I didn’t even think about mentioning that but I will now. Thank you!
That will be a HUGE time saver!
I am glad you like it! Between that and remotely PXE booting machines for imaging, I barely have to move anymore. 🙂