Remotely Enabling Remote Desktop Protocol From the Command Line

Note: these instructions pertain to enabling remote desktop support on a system from a command prompt. For instructions for enabling remote desktop support for a system within a domain from a domain controller, see Remotely Enabling Remote Desktop Protocol from Domain Controller.

I needed to do some troubleshooting on a remote Windows XP Professional system which was running OpenSSH for Windows. I could log into the system remotely via Secure Shell (SSH), which gave me a command-line interface (CLI) to the system, but in this case I needed a graphical user interface (GUI) as well, since I suspected that some error messages were likely appearing on the user's screen that I couldn't see from the command prompt. But I wasn't able to connect to the system using the Remote Desktop Protocol (RDP), since remote desktop support wasn't enabled on the user's computer. Since it was Saturday and no one was in the user's office, I needed to be able to enable that support myself from the CLI.

I could see that the system was not listening for connections on the Transmission Control Protocol (TCP) port used by RDP, i.e. port 3389.

C:\>netstat -a | find "3389"

C:\>

Fortunately, one can use reg commands to configure remote desktop support through the Windows registry from a command prompt.

First, you need to change the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server from one to zero. You can check the current value with a reg query command as shown below.

C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections  REG_DWORD       0x1

The 0x1 tells me the value is currently 1 (0x just means the value that follows is a hexadecimal value, but "1" looks the same in hexadecimal as decimal), indicating remote connections via RDP are denied.

The value can be changed to zero with the reg add command, which will permit RDP connections. To modify the registry with the command, you will need to open a command prompt with administrator access. If you try to execute the command from an account without administrator privileges, you will see the message "ERROR: Access is denied."

C:\>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

The operation completed successfully

The /d option specifies the data to assign to the registry value, while the /f option forces an overwrite of an existing value without prompting you as to whether you actually want to overwrite it. You also need to specify the type of the value with the /t option; in this case it must be a double word (REG_DWORD) value. If you don't specify the /t option, reg add creates the value as a string (REG_SZ), which the Terminal Services service will not interpret as you intend. You can see the options for the reg query and reg add commands using reg query /? and reg add /?.

I can then verify the value is set correctly with another reg query command.

C:\>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections  REG_DWORD       0x0

And I can verify that the system is now listening for remote desktop connections on port 3389 with the netstat command.

C:\>netstat -a | find "3389"
  TCP    Jan:3389               Jan:0                  LISTENING
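The registry check, change and listener verification above, collected into one script. This is an added example, not code from the original article; it performs the same steps with Get-ItemProperty/Set-ItemProperty and netstat, and assumes PowerShell (2.0 or later) is available on the target and that the prompt is elevated. The function names are mine.

```powershell
# Added example: enable remote desktop support through the registry and
# verify that the system is listening on TCP 3389. Not part of the original
# article; assumes an elevated PowerShell prompt on the target system.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpDenied {
    # fDenyTSConnections = 1 means RDP connections are refused, 0 means allowed.
    $v = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }   # value missing: treat as denied
    return ([int]$v.fDenyTSConnections -ne 0)
}

function Enable-Rdp {
    if (-not (Get-RdpDenied)) {
        Write-Host 'RDP already enabled (fDenyTSConnections = 0)'
        return $true
    }
    # Equivalent of:
    #   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    # -Type DWord matters: a REG_SZ "0" is not the same value to Terminal Services.
    try {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord -ErrorAction Stop
    } catch {
        Write-Warning "Could not set fDenyTSConnections (elevated prompt required): $_"
        return $false
    }
    # On Vista and later (not XP, which has no NLA support) you would also set
    # UserAuthentication = 1 under "$tsKey\WinStations\RDP-Tcp" to require
    # Network Level Authentication before a session is created.
    return (-not (Get-RdpDenied))
}

function Test-RdpListener {
    # Equivalent of: netstat -a | find "3389"
    # -n avoids reverse DNS lookups, -o adds the owning process ID.
    # Match only the local address column so a remote port of 3389 does not count.
    $hits = @(netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING')
    return ($hits.Count -gt 0)
}

if (Enable-Rdp) {
    Write-Host 'fDenyTSConnections is now 0'
    # Terminal Services picks the change up without a reboot; give it a moment.
    Start-Sleep -Seconds 2
    if (Test-RdpListener) {
        Write-Host 'RDP listener present on TCP port 3389'
    } else {
        Write-Host 'No listener on 3389 yet; check the Terminal Services service:'
        Get-Service TermService | Format-List Name, Status
    }
}
```

If the value changes but nothing listens on 3389, the Terminal Services service (TermService) is usually stopped or disabled; starting it is a separate step from the registry change.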

I could then establish a remote desktop connection tunnelled through the SSH connection. To configure the SSH client software, PuTTY (version 0.60), to tunnel a connection, select the relevant session, then click on SSH, then Tunnels. For the source port, you can put in an arbitrary unused port on the system from which you will be establishing the connection with PuTTY, e.g. 63389. I'm picking 63389 rather than 3389 because port 3389 may already be in use on that system if it accepts remote desktop connections of its own. In the Destination field, use the loopback address of the remote system followed by the remote desktop port, i.e. 127.0.0.1:3389. For the choice of Local, Remote, or Dynamic, leave the default value of Local selected. You can leave the IP protocol version set to Automatic. Then click on the Add button.

I can then establish a remote desktop session from the laptop I'm using to remotely troubleshoot the problem on the user's system by entering the command mstsc /console /v 127.0.0.1:63389 at a command prompt. The /console switch attaches to the console session on XP-era clients; newer versions of mstsc use /admin for the same purpose.

Note: If you aren't tunnelling the remote desktop connection through an SSH connection and there is firewall software running on the remote system, you may have to configure the firewall software to allow the connections through. If you are tunnelling the remote desktop connection through an SSH connection, this is not necessary, since the connection to port 3389 originates from the remote system itself and the port is never exposed to the network. If the system is running the Microsoft-provided Windows Firewall software, you can use the command below to see if that firewall software is active.

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
445    TCP       IPv4     (null)

From the output above, I can see that the "operational mode" is "enable", meaning the Microsoft Windows Firewall software is active. I can also see that there is no port opening allowing RDP connections on all network interfaces. There may be a rule allowing RDP on specific networks, though, which you can check with a PowerShell command on later versions of Windows; see View RDP Firewall Rule using PowerShell.

You can use the command below to create an opening in the firewall that will allow remote desktop connections. Note that without a scope this opens port 3389 to every network the system is attached to.

C:\>netsh firewall set portopening protocol = TCP port = 3389 name = "Remote Desktop Protocol" mode = ENABLE
Ok.

If you want to allow connectivity from just one source system, e.g. a system with IP address 192.168.0.33, you could use a command similar to the following, which restricts the opening to the addresses listed with the scope = CUSTOM option:

C:\>netsh firewall set portopening protocol = TCP port = 3389 name = "Remote Desktop Protocol" mode = ENABLE scope = CUSTOM addresses = 192.168.0.33
Ok.

If you wish to allow someone to log in remotely with RDP using a non-administrator account (members of the Administrators group can already log in), unless the account has already been granted remote access, you will need to add the account to the group allowed remote access. You can do so by issuing the command net localgroup "Remote Desktop Users" domainName\username /add from a command prompt opened with administrator access, where domainName is the name of the Windows domain, if the computer is part of a Windows domain, and username is the account for which you wish to allow remote desktop logins. If the computer is not part of a Windows domain or you just want to allow access for a local account on the system, omit domainName and the backslash that follows it. E.g., for a domain account, Aragorn, in the domain MiddleEarth, I could use the command below:

C:\Windows\System32>net localgroup "Remote Desktop Users" MiddleEarth\Aragorn /add
The command completed successfully.

C:\Windows\System32>
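The firewall and group steps above, as one script that opens port 3389 only for a single source address and grants one account remote desktop logon, then verifies both. This is an added example, not code from the original article; it wraps the same netsh firewall and net localgroup commands, the source address and account name are placeholders, and it assumes an elevated PowerShell prompt and the legacy netsh firewall context (Windows XP SP2 / Server 2003; Vista and later use netsh advfirewall instead).

```powershell
# Added example: scoped firewall opening plus Remote Desktop Users membership,
# with verification. Not part of the original article. Assumed values:
$allowedSource = '192.168.0.33'          # the only host allowed to reach TCP 3389
$rdpAccount    = 'MiddleEarth\Aragorn'   # domain\user, or a bare local user name

function Test-FirewallEnabled {
    # Same check as "netsh firewall show state": look for "Operational mode = Enable".
    $state = netsh firewall show state
    return [bool]($state | Select-String -Pattern '^Operational mode\s*=\s*Enable')
}

function Open-RdpPortForHost([string]$Address) {
    # scope=CUSTOM with addresses= limits the opening to the listed host(s);
    # omitting scope would expose 3389 on all networks the system is attached to.
    $netshArgs = @('firewall', 'set', 'portopening', 'protocol=TCP', 'port=3389',
                   'name=Remote Desktop Protocol', 'mode=ENABLE', 'scope=CUSTOM',
                   "addresses=$Address")
    $out = netsh @netshArgs
    return [bool]($out -match '^Ok')
}

function Test-RdpPortOpening {
    # "netsh firewall show portopening" lists one line per open port, e.g.
    # "3389   TCP   Enable   Remote Desktop Protocol".
    return [bool](netsh firewall show portopening | Select-String -Pattern '^\s*3389\s+TCP')
}

function Test-RdpUser([string]$Account) {
    # "net localgroup" without an action lists the group's members.
    return [bool](net localgroup 'Remote Desktop Users' | Select-String -SimpleMatch $Account)
}

function Add-RdpUser([string]$Account) {
    if (Test-RdpUser $Account) { return $true }
    net localgroup 'Remote Desktop Users' $Account /add | Out-Null
    return (Test-RdpUser $Account)
}

if (-not (Test-FirewallEnabled)) {
    Write-Host 'Windows Firewall is not active; no port opening needed'
} elseif (Open-RdpPortForHost $allowedSource) {
    if (Test-RdpPortOpening) {
        Write-Host "TCP 3389 open for $allowedSource only"
    } else {
        Write-Warning 'netsh reported Ok but the port opening is not listed'
    }
} else {
    Write-Warning 'netsh did not accept the port opening (elevated prompt required)'
}

if (Add-RdpUser $rdpAccount) {
    Write-Host "$rdpAccount is a member of Remote Desktop Users"
} else {
    Write-Warning "Could not add $rdpAccount to Remote Desktop Users"
}
```

Administrators do not need the group membership, so keeping troubleshooting accounts out of Administrators and in Remote Desktop Users instead gives them the session without local admin rights. When the connection is tunnelled through SSH as described earlier, the firewall opening can be left out entirely.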

References:

  1. Remote Desktop Protocol
    Wikipedia, the free encyclopedia
  2. Windows Registry
    Wikipedia, the free encyclopedia
  3. Remotely Enabling Remote Desktop Protocol from Domain Controller
    MoonPoint Support


Created: Saturday April 11, 2009 2:31 PM