I needed to do some troubleshooting on a remote Windows XP Professional system which was running OpenSSH for Windows. I could log into the system remotely via Secure Shell (SSH), which gave me a command-line interface (CLI) to the system, but in this case I needed a graphical user interface (GUI) as well, since I suspected that some error messages were likely appearing on the user's screen that I couldn't see from the command prompt. But I wasn't able to connect to the system using the Remote Desktop Protocol (RDP), since remote desktop support wasn't enabled on the user's computer. Since it was Saturday and no one was in the user's office, I needed to be able to enable that support myself from the CLI.
I could see that the system was not listening for connections on the Transmission Control Protocol (TCP) port used by RDP, i.e. port 3389.
C:\>netstat -a | find "3389"

C:\>
Fortunately, one can use reg commands to configure remote desktop support through the Windows registry from a command prompt.
First, you need to change the value for fDenyTSConnections at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. The value needs to be set to zero rather than one. You can check the current value with a reg query command as shown below.
C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections  REG_DWORD   0x1
The 0x1 tells me the value is currently 1 (0x just means the value that follows is a hexadecimal value, but "1" looks the same in hexadecimal as decimal), indicating remote connections via RDP are denied.
The value can be changed to zero with the reg add command, which will permit RDP connections. To modify the registry with the command, you will need to open a command prompt with administrator access. If you try to execute the command from an account without administrator privileges, you will see the message "ERROR: Access is denied."
C:\>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

The operation completed successfully
The /d option allows you to specify the data to assign to the registry value, while the /f option forces an overwrite of an existing value without prompting you as to whether you actually want to overwrite it. You also need to specify the type of value with the /t option; in this case the value should be a double word (REG_DWORD) value. If you don't specify the /t option, the value will be created as a REG_SZ string. You can see the options for the reg query and reg add commands using reg query /? and reg add /?.
I can then verify the value is set correctly with another reg query command.
C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections  REG_DWORD   0x0
And I can verify that the system is now listening for remote desktop connections on port 3389 with the netstat command.
C:\>netstat -a | find "3389"
  TCP    Jan:3389               Jan:0                  LISTENING
I could then establish a remote desktop connection tunnelled through the SSH connection. To configure the SSH client software, PuTTY, to tunnel a connection, for version 0.60 of the software, select the relevant session, then click on SSH, then Tunnels.
For the source port, you can put in an arbitrary value for a port on the system on which you will be establishing a connection with PuTTY, e.g. 63389 (since port 3389 may already be in use on that system for connections to it from another system, I'm picking 63389 for the port to use on the system establishing the connection). In the destination field you can use the loopback address, 127.0.0.1. Put the remote desktop port on the destination field after that address, i.e. 127.0.0.1:3389.
For the choice of Local, Remote, or Dynamic, leave
the default value of Local selected. You can leave the IP protocol
version set to Automatic. Then click on the Add button.
I can then establish a remote desktop session from the laptop I'm using to remotely troubleshoot the problem on the user's system by entering the command mstsc /console /v 127.0.0.1:63389 at a command prompt.
Note: If you aren't tunnelling the remote desktop connection through an SSH connection, if there is firewall software running on the remote system, you may have to configure the firewall software to allow the connections through. If you are tunnelling the remote desktop connection through an SSH connection, this may not be necessary. If the system is running the Microsoft-provided Windows Firewall software, you can use the command below to see if that firewall software is active.
C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
445    TCP       IPv4     (null)
From the output above, I can see that the "operational mode" is "enable", meaning the Microsoft Windows Defender firewall software is active. I can also see that there is no rule allowing RDP connections on all networks. There may be a rule allowing RDP on specific networks, though, which you can check with a PowerShell command, as described in View RDP Firewall Rule using PowerShell.
You can use the command below to create an opening in the firewall that will allow remote desktop connections.
C:\>netsh firewall set portopening protocol = TCP port = 3389 name = "Remote Desktop Protocol" mode = ENABLE
Ok.
If you want to allow connectivity from just one source system, e.g. a system with IP address 192.168.0.33, you could use a command similar to the following:
C:\>netsh firewall set portopening protocol = TCP port = 3389 name = "Remote Desktop Protocol" mode = ENABLE scope = CUSTOM 192.168.0.33
Ok.
If you wish to allow someone to login remotely with RDP using a non-administrator account, unless the account has already been granted remote access, you will need to add the account to the group allowed remote access. You can do so by issuing the command net localgroup "Remote Desktop Users" domainName\username /add from a command prompt opened with administrator access, where domainName is the name of the Windows domain, if the computer is part of a Windows domain, and username is the account for which you wish to allow remote desktop logins. If the computer is not part of a Windows domain or you just want to allow access for a local account on the system, omit domainName and the backslash that follows it. E.g., for a domain account, Aragorn, in the domain MiddleEarth, I could use the command below:
C:\Windows\System32>net localgroup "Remote Desktop Users" MiddleEarth\Aragorn /add
The command completed successfully.

C:\Windows\System32>
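Because the registry switch, the 3389 listener, the firewall opening and the Remote Desktop Users membership above are four separate settings, it helps to have one check that reports all of them at once, so you can confirm the intended state after the change and notice later drift. The following audit script is an added example written for this post, not something from the original article; it assumes an elevated PowerShell prompt and the XP-era Windows Firewall registry layout under FirewallPolicy\StandardProfile (the value names in GloballyOpenPorts\List are assumed to begin with "3389:TCP").

```powershell
# Added audit script (not from the original post): reports the RDP-related
# settings the post changes so a defender can confirm the intended state.
# Assumptions: elevated prompt; legacy Windows Firewall registry layout.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

# 1. Registry switch: fDenyTSConnections = 0 means RDP connections are permitted.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Listener: parse netstat rather than Get-NetTCPConnection so this also works on old Windows.
$listening = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING' -Quiet

# 3. Firewall: EnableFirewall under the Standard profile, plus any global opening for 3389/TCP.
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
$fwOn = ($null -ne $fw -and $fw.EnableFirewall -eq 1)
$openPorts = Get-ItemProperty -Path "$fwKey\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
$rdpOpening = $null
if ($openPorts) {
    # Assumed value layout: name '3389:TCP', data '3389:TCP:<scope>:Enabled:<name>'
    $rdpOpening = $openPorts.PSObject.Properties |
        Where-Object { $_.Name -like '3389:TCP*' } |
        Select-Object -ExpandProperty Value
}

# 4. Group membership: the names between the dashed line and "The command completed".
$raw = net localgroup 'Remote Desktop Users' 2>$null
$members = @()
$inList = $false
foreach ($line in $raw) {
    if ($line -match '^-{5,}') { $inList = $true; continue }
    if ($line -match '^The command completed') { break }
    if ($inList -and $line.Trim()) { $members += $line.Trim() }
}

# A listener with no firewall opening (or an opening with no listener) is the drift to investigate.
[pscustomobject]@{
    fDenyTSConnections = $deny
    RdpEnabled         = $rdpEnabled
    ListeningOn3389    = [bool]$listening
    FirewallOn         = $fwOn
    RdpFirewallOpening = $rdpOpening
    RemoteDesktopUsers = ($members -join ', ')
} | Format-List
```

Run it before and after the reg add and netsh commands to see exactly which of the four settings each step changed.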
Created: Saturday April 11, 2009 2:31 PM