Termsrv.dll Patch Windows Server 2016 < Bonus Inside >

This is a comprehensive guide on patching the termsrv.dll file on Windows Server 2016.

⚠️ Important Disclaimer Modifying system DLLs voids Microsoft support for the modified file and carries a risk of system instability. Always create a full system backup or a System Restore point before proceeding. This modification technically violates Microsoft’s Remote Desktop Services licensing terms if you do not own the appropriate RDS CALs (Client Access Licenses). This guide is intended for educational and lab/administrative convenience purposes only.

Conclusion

Patching termsrv.dll on Windows Server 2016 is crucial for maintaining server security and RDS functionality. By understanding the process and following best practices, administrators can ensure their servers remain up-to-date and resilient against potential threats. Always proceed with caution when applying updates and take necessary precautions to protect your server environment.

The "interesting feature" associated with patching termsrv.dll

on Windows Server 2016 is the ability to bypass the default limit on simultaneous Remote Desktop (RDP) sessions By modifying this specific system library, users can enable Multiple Concurrent RDP Sessions

on a single machine without requiring a Remote Desktop Services (RDS) license server or Client Access Licenses (CALs). Key Aspects of the termsrv.dll Breaking the Session Limit

: By default, Windows Server allows only two concurrent administrative RDP sessions. Patching termsrv.dll

removes this hardcoded restriction, allowing many users to log in simultaneously Workstation-Style Behavior

: This patch is often used to make a Server OS (or even a Pro desktop version) behave like a terminal server, facilitating multi-user environments for small teams without the overhead of official RDS roles. System Integrity Risks

: Because this involves modifying a core Windows file, system updates or tools like sfc /scannow

will often detect the change as "file corruption" and revert it to the original, unpatched version Security & Compliance

: While technically possible, this method is a violation of Microsoft's licensing terms and can introduce security vulnerabilities by using unofficial third-party scripts to modify protected system files. termsrv.dll patch windows server 2016

For a safer, official way to manage session limits, you can adjust settings within the Local Group Policy Editor

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections officially configure session limits using Group Policy instead?

Patching termsrv.dll on Windows Server 2016 is typically done to enable multiple concurrent Remote Desktop (RDP) sessions without purchasing Remote Desktop Services (RDS) Client Access Licenses (CALs).

Warning: This process modifies system files and may violate Microsoft's Licensing Terms. It is highly recommended to perform a full system backup or create a system restore point before proceeding. Manual Patching Steps

If you choose to perform this manually, you will need to take ownership of the file and replace specific hex strings. Stop Remote Desktop Services: Open Services.msc.

Locate Remote Desktop Services, right-click it, and select Stop. Take Ownership of termsrv.dll: Navigate to C:\Windows\System32\.

Right-click termsrv.dll -> Properties -> Security -> Advanced. Change the Owner to your administrator account.

Close and reopen the properties to grant your account Full Control permissions. Backup the Original File: Copy termsrv.dll and rename the copy to termsrv.dll.bak. Edit the File with a Hex Editor: Open termsrv.dll in a tool like HxD Hex Editor.

Search and Replace: You must find specific hex strings based on your exact Windows build version. For many Windows Server 2016 versions, the common target is changing: 39 81 3C 06 00 00 0F 84 XX XX XX XX

B8 00 01 00 00 89 81 38 06 00 00 90 (Note: The exact string varies by build; check community repositories for your specific build number). Restart Services: Save the file.

Go back to Services.msc and Start the Remote Desktop Services. Automated Alternatives This is a comprehensive guide on patching the termsrv

Because manual hex editing is prone to error and gets overwritten by Windows Updates, many users prefer automated scripts:

TermsrvPatcher (GitHub): This TermsrvPatcher repository provides a PowerShell script to automate the process and includes a Scheduled Task to re-apply the patch automatically after Windows Updates.

RDPWrap (RDP Wrapper Library): While often flagged by antivirus as a "hacktool," this is a popular open-source project that acts as a layer between the Service Control Manager and Terminal Services, meaning it doesn't modify the original termsrv.dll file directly. Maintenance Considerations

Windows Updates: Major updates often replace termsrv.dll, which will break your patch. You will likely need to re-apply the patch or update your script after every "Patch Tuesday".

Registry Verification: Ensure that HKLM\System\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser is set to 0 if you want a single user to be able to open multiple sessions.

Do you need to find the specific hex string for your particular build number (e.g., Build 14393)?

fabianosrc/TermsrvPatcher: Patch termsrv.dll so that multiple ... - GitHub

Patching termsrv.dll on Windows Server 2016 is a technique used to bypass the default limitation that allows only two concurrent Remote Desktop Protocol (RDP) sessions. While Windows Server naturally supports more sessions through the Remote Desktop Services (RDS) role, it requires valid Client Access Licenses (CALs); patching is often an unofficial workaround to avoid these licensing requirements or to enable concurrent sessions on non-server editions. Technical Mechanism of the Patch

The patch targets specific binary instructions within the termsrv.dll file (located in C:\Windows\System32) that check for session limits.

Byte Modification: Typically, a hex editor or script is used to find a specific pattern of bytes—such as 39 81 3C 06 00 00—and replace them with a sequence like B8 00 01 00 00 89 81 38 06 00 00 90.

Logical Bypass: This modification effectively forces the internal check for "maximum allowed sessions" to always return a value that permits additional users, rather than triggering a "disconnect existing user" prompt. Conclusion Patching termsrv

Service Interaction: For the patch to take effect, the Remote Desktop Service (TermService) must be stopped, and the administrator must take ownership of the system file from TrustedInstaller to gain write permissions. Popular Tools and Methods Several community-developed tools automate this process: Patching Microsoft's RDP service yourself - Sam Decrock

Step 2: Take Ownership and Grant Permissions

You cannot modify termsrv.dll because Windows protects it. You must claim ownership.

1. Navigate to the system folder: C:\Windows\System32\
2. Locate termsrv.dll.
3. Right-click the file > Properties > Security tab.
4. Click Advanced at the bottom.
5. At the top, where it says "Owner:", click Change.
6. Type your Administrator username (or "Administrators") and click Check Names, then OK.
7. Click Apply and OK to close the Advanced window.
8. Back in the Security tab, click Edit. Select the "Administrators" group and check Full Control in the "Allow" column. Click OK.

2. How the Patch Works (Technical Explanation)

The patch does not convert Windows Server 2016 into a fully licensed RDS farm. Instead, it neuters the specific function call that checks the current session count against the allowed maximum (usually stored in termsrv.dll as a constant or via a call to TSIsConcurrentSessionLimitExceeded).

In Windows Server 2016 (build 1607, 14393, and later updates), the key modification involves finding a specific byte pattern in the DLL and replacing a conditional jump instruction (jnz, jne, etc.) with a NOP (No Operation) or a direct jmp. This effectively tells the server: "Always allow the connection, regardless of current session count."

Common hex patterns targeted for Windows Server 2016 (varies by patch level):

• Search for 8B 81 38 06 00 00 39 81 3C 06 00 00 0F 9F C2 and change 0F 9F C2 to B2 01 90.
• Alternatively, patching the TermDebugLog function or CSLQuerySessionData calls.

Because Microsoft releases cumulative updates that modify termsrv.dll, the exact memory offset changes frequently. That is why generic "termsrv.dll patchers" often fail after a Windows Update—they rely on hardcoded offsets that may shift.

Steps (64-bit):

1. Stop the Service (as Administrator):

   net stop TermService
   

2. Take Ownership (replace trustedinstaller):

   takeown /f C:\Windows\System32\termsrv.dll
   icacls C:\Windows\System32\termsrv.dll /grant "%USERNAME%:F"
   

3. Patch the DLL – find the hex pattern:

   • Open termsrv.dll in a hex editor (e.g., HxD).
   • Search for: 39 81 3C 06 00 00 0F 84
   • Replace with: 39 81 3C 06 00 00 0F 85 (changes JE to JNE).
   • Alternatively, use an automated patcher (e.g., RDP Wrapper).

4. Restart the Service:

   net start TermService
   

5. Allow multiple sessions via GPEDIT:
   Computer Config > Admin Templates > Windows Components > Remote Desktop Services > RD Session Host > Connections → Set "Limit number of connections" to 999999.

The Ultimate Guide to the termsrv.dll Patch for Windows Server 2016: Unlocking Multiple RDP Sessions

Considerations and Best Practices

• Backup Before Updates: Always create a system backup before applying updates, especially if you're unsure about their impact on custom configurations or line-of-business applications.
• Test Updates: If possible, test updates on a development or staging server before applying them to production environments.
• Reboot Requirement: Some updates, especially those affecting core components like termsrv.dll, may require a server reboot to take effect.