I needed to do some troubleshooting on a remote Windows XP Professional system which was running OpenSSH for Windows. I could log into the system remotely via Secure Shell (SSH), which gave me a command-line interface (CLI) to the system, but in this case I needed a graphical user interface (GUI) as well, since I suspected that some error messages were likely appearing on the user's screen that I couldn't see from the command prompt. But I wasn't able to connect to the system using the Remote Desktop Protocol (RDP), since remote desktop support wasn't enabled on the user's computer. Since it was Saturday and no one was in the user's office, I needed to be able to enable that support myself from the CLI.
I could see that the system was not listening for connections on the Transmission Control Protocol (TCP) port used by RDP, i.e. port 3389.
C:\>netstat -a | find "3389"

C:\>
Fortunately, one can use reg commands to configure remote desktop support through the registry from a command prompt.
First, you need to change the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. The value needs to be set to zero rather than one. You can check the current value with a reg query command as shown below.
C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections  REG_DWORD  0x1
The 0x1 tells me the value is currently 1 (the 0x prefix just means the value that follows is hexadecimal, but "1" looks the same in hexadecimal as in decimal).
The value can be changed with the reg add command.
C:\>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

The operation completed successfully
The /d option specifies the data to assign to the registry value, while the /f option forces an overwrite of an existing value without prompting you to confirm that you actually want to overwrite it. You also need to specify the type of value with the /t option; in this case the value should be a double word (REG_DWORD) value. If you don't specify the /t option, the value will be created as REG_SZ. You can see the options for the reg query and reg add commands using reg query /? and reg add /?.
I can then verify the value is set correctly with another reg query command.

C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections  REG_DWORD  0x0
And I can verify that the system is now listening for remote desktop connections on port 3389 with the netstat command.
C:\>netstat -a | find "3389"
  TCP    Jan:3389    Jan:0    LISTENING
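The registry check, change and verification above can be wrapped in one batch file. The script below is an added example, not part of the original post: it reads the current fDenyTSConnections value with reg query, saves it so the original setting can be put back once troubleshooting is finished (remote desktop support that was off before should not stay on afterwards), sets the value to 0 with reg add, and then confirms with netstat that TCP port 3389 is listening. The script name rdp-toggle.cmd and the save file location are my own choices.

```batch
@echo off
rem Added example (not from the original post): enable Remote Desktop from the
rem command line on Windows XP, recording the prior fDenyTSConnections value
rem so it can be restored when the troubleshooting session is over.
rem Usage:  rdp-toggle.cmd enable | restore
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
set VAL=fDenyTSConnections
set SAVEFILE=%TEMP%\fDenyTSConnections.sav

if /i "%~1"=="enable"  goto :enable
if /i "%~1"=="restore" goto :restore
echo Usage: %~nx0 enable ^| restore
exit /b 1

:enable
rem reg query prints a line like "fDenyTSConnections  REG_DWORD  0x1";
rem the third whitespace-separated token is the current value.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %VAL% ^| find /i "%VAL%"') do set CURRENT=%%v
if not defined CURRENT (
    echo Could not read %VAL% under %KEY%
    exit /b 1
)
echo Current %VAL% = %CURRENT%
rem Save the original so "restore" can put it back later.
echo %CURRENT%> "%SAVEFILE%"
if "%CURRENT%"=="0x0" (
    echo Remote Desktop connections are already allowed.
) else (
    reg add "%KEY%" /v %VAL% /t REG_DWORD /d 0 /f >nul
    echo Set %VAL% to 0.
)
rem Verify: the system should now be listening on TCP 3389.
netstat -an | find ":3389" | find "LISTENING" >nul && (
    echo TCP port 3389 is listening.
) || (
    echo TCP port 3389 is not listening yet; give the Terminal Services service a moment and re-check.
)
exit /b 0

:restore
if not exist "%SAVEFILE%" (
    echo No saved value found in %SAVEFILE%; nothing to restore.
    exit /b 1
)
set /p SAVED=<"%SAVEFILE%"
rem Convert the saved hex string (0x0 or 0x1) back to a decimal /d argument.
set /a RESTORE=%SAVED%
reg add "%KEY%" /v %VAL% /t REG_DWORD /d %RESTORE% /f >nul
del "%SAVEFILE%"
echo Restored %VAL% to %RESTORE%.
endlocal
exit /b 0
```

Run rdp-toggle.cmd enable before the remote session and rdp-toggle.cmd restore when you are done; the restore step is what keeps a one-off troubleshooting change from becoming a permanently exposed RDP listener.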
I could then establish a remote desktop connection tunnelled through the SSH connection. To configure the SSH client software, PuTTY, to tunnel a connection (for version 0.60 of the software), select the relevant session, then open the Tunnels settings (under Connection, SSH). For the source port, you can put in an arbitrary value for a port on the system on which you will be establishing a connection with PuTTY, e.g. 63389 (since port 3389 may already be in use on that system for connections to it from another system, I'm picking 63389 for the port to use on the system establishing the connection). In the destination field you can use the loopback address, 127.0.0.1, with the remote desktop port after that address, i.e. 127.0.0.1:3389. For the choice of Local, Remote, or Dynamic, leave the default value of Local selected. You can leave the IP protocol version set to Automatic. Then click on the Add button.
I can then establish a remote desktop session from the laptop I'm using to remotely troubleshoot the problem on the user's system by entering mstsc /console /v 127.0.0.1:63389 at a command prompt.
Note: If you aren't tunnelling the remote desktop connection through an SSH connection and there is firewall software running on the remote system, you may have to configure the firewall software to allow the connections through. If you are tunnelling the remote desktop connection through an SSH connection, this may not be necessary. If the system is running the Microsoft-provided Windows XP firewall software, you can use the command below to see if that firewall software is active.
C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
445    TCP       IPv4     (null)
From the output above, I can see that the "operational mode" is "enable" meaning the Microsoft Windows XP firewall software is active. I can also see that there is no rule allowing RDP connections.
You can use the command below to create an opening in the firewall that will allow remote desktop connections.
C:\>netsh firewall set portopening protocol = TCP port = 3389 name = "Remote Desktop Protocol" mode = ENABLE
Ok.
If you want to allow connectivity from just one source system, e.g. a system with IP address 192.168.0.33, you could use a command similar to the following:
C:\>netsh firewall set portopening protocol = TCP port = 3389 name = "Remote Desktop Protocol" mode = ENABLE scope = CUSTOM 192.168.0.33
Ok.
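The firewall steps above, plus the cleanup the post does not show, as an added example that is not part of the original post. The batch file first checks whether the XP firewall is in operational mode at all (the "Operational mode" line from netsh firewall show state), opens TCP 3389 scoped to a single administrator address rather than to every host, shows the resulting exception, and removes the opening again with netsh firewall delete portopening when the session is over. The script name rdp-firewall.cmd is my own; the address is whatever you pass on the command line.

```batch
@echo off
rem Added example (not from the original post): manage the Windows XP firewall
rem opening for Remote Desktop, restricting it to one administrator address
rem and removing it again when troubleshooting is done.
rem Usage:  rdp-firewall.cmd open <admin-ip>   or   rdp-firewall.cmd close
setlocal
set RDPPORT=3389

rem Only act if the XP firewall is actually enabled; otherwise there is
rem nothing to open (and nothing to clean up).
netsh firewall show state | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 (
    echo Windows Firewall is not enabled on this system; no port opening needed.
    exit /b 0
)

if /i "%~1"=="open"  goto :open
if /i "%~1"=="close" goto :close
echo Usage: %~nx0 open ^<admin-ip^> ^| close
exit /b 1

:open
if "%~2"=="" (
    echo Specify the single address allowed to connect, e.g. %~nx0 open 192.168.0.33
    exit /b 1
)
rem scope = CUSTOM limits the exception to the listed address instead of any host.
netsh firewall set portopening protocol = TCP port = %RDPPORT% name = "Remote Desktop Protocol" mode = ENABLE scope = CUSTOM %~2
rem Show the resulting exception so the scope can be checked by eye.
netsh firewall show portopening | find "%RDPPORT%"
exit /b 0

:close
rem Remove the exception entirely rather than leaving a disabled rule behind.
netsh firewall delete portopening protocol = TCP port = %RDPPORT%
endlocal
exit /b 0
```

If the connection is tunnelled through SSH as described earlier, the RDP traffic reaches the remote system on its loopback interface and no firewall opening is needed at all; the scoped opening is only for the case where RDP must be reached directly from one known administrative address.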
Created: Saturday April 11, 2009 2:31 PM