Windows/Enable Remote Desktop remotely
What to do when Remote Desktop is not enabled on a Windows XP host and the machine is not close enough to warrant walking over to enable it: do it remotely with psexec.
Prerequisites
- psexec from Sysinternals
- A Windows XP host with a network connection
Howto
Remote login
First we need to get a connection to the host in question with the psexec tool, and then check whether the Terminal Server service is already running.
psexec \\<IPorHostName> -u Administrator cmd
This should produce something along these lines:
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Password:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Once on the remote host, sc can tell whether the service is enabled or not.
sc query termservice
Generally the service is running, as we can see from the output below.
SERVICE_NAME: termservice
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
However, the service is not yet configured to listen on the default port of 3389.
netstat -an | findstr LISTEN
This shows all kinds of other ports being open, but not 3389:
TCP 0.0.0.0:135 0.0.0.0:0 LISTEN
TCP 0.0.0.0:445 0.0.0.0:0 LISTEN
TCP 127.0.0.1:1033 0.0.0.0:0 LISTEN
TCP 127.0.0.1:5152 0.0.0.0:0 LISTEN
TCP 127.0.0.1:5354 0.0.0.0:0 LISTEN
TCP 127.0.0.1:11880 0.0.0.0:0 LISTEN
Enable Remote Desktop with the registry
To enable the Remote Desktop service completely, two registry entries have to be changed.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Restart TermService
For good reason, the Remote Desktop service cannot be restarted or killed. However, there is a way around it: use tasklist to find the PID of the process to be killed.
tasklist /svc | findstr TermService
This yields something like the following:
svchost.exe <PID> DcomLaunch, TermService
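The PID is used to kill the process. As the output above shows, this svchost.exe instance also hosts DcomLaunch, which is killed along with TermService.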
taskkill /f /pid <PID>
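On the monitoring side, the registry changes and the forced kill described above leave recognisable process command lines. The following Python is an added example, not part of the original page: it flags those command lines in a process log. The log layout (tab-separated time, host, command line), the host names and the function name are assumptions, and the sample records are constructed.

```python
import re

# Data that switches Remote Desktop on, for the two registry values the page sets.
ENABLING = {"tsenabled": 1, "fdenytsconnections": 0}
TS_KEY = r"control\terminal server"

REG_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"/]+?)"?\s+/v\s+(?P<name>\S+)\s.*?/d\s+(?P<data>\S+)',
    re.IGNORECASE)
FORCED_KILL = re.compile(
    r'\btaskkill(?:\.exe)?\b(?=.*\s/f\b)(?=.*\s/pid\s+\d+)', re.IGNORECASE)

TS = r'"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
# Constructed sample records: (time, host, process command line), joined with tabs.
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in [
    ("10:02:11", "WS-014", f"reg add {TS} /v TSEnabled /t REG_DWORD /d 1 /f"),
    ("10:02:15", "WS-014", f"reg add {TS} /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("10:03:02", "WS-014", "tasklist /svc"),
    ("10:03:40", "WS-014", "taskkill /f /pid 1234"),
    ("11:20:07", "WS-022", f"reg add {TS} /v fDenyTSConnections /t REG_DWORD /d 1 /f"),
    ("11:21:30", "WS-022", "taskkill /f /pid 888"),
])

def rdp_enable_findings(log_text):
    """Return {host: [finding, ...]} for command lines that switch Remote Desktop on."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed records
        when, host, cmd = parts
        m = REG_ADD.search(cmd)
        if m and m["key"].lower().endswith(TS_KEY):
            try:
                data = int(m["data"], 0)  # accepts 1 as well as 0x1
            except ValueError:
                continue
            # Only the enabling direction is reported; /d 1 on fDenyTSConnections is not.
            if ENABLING.get(m["name"].lower()) == data:
                findings.setdefault(host, []).append(f"{when} set {m['name']}={data}")
        elif host in findings and FORCED_KILL.search(cmd):
            # A forced kill after the registry change matches the TermService step above.
            findings[host].append(f"{when} forced taskkill after RDP enable")
    return findings

if __name__ == "__main__":
    for host, items in rdp_enable_findings(SAMPLE_LOG).items():
        print(host, *items, sep="\n  ")
```

A forced taskkill is only reported for a host that has already shown one of the enabling registry writes, so routine process kills on other hosts stay quiet.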