This is the website of an IT geek, technologist, freelance writer, photographer, musician, rock climber, classic mini enthusiast, iPad and Mac zealot.
You have been warned.

How To Enable RDP on Windows 2003 Command Line

Submitted by daemonchild on Wed, 2011-09-14 - 15:57
daemonchild's picture

Imagine that you've managed to connect to a Windows 2003 server via the command line, but that it isn't running Remote Desktop. Sounds a little odd I know, but as a dedicated user of Metasploit this will happen to you, believe me. It took some time to work out how to enable the Remote Desktop functionality from the command line. No amount of Googling seemed to provide a solution, so I've got one for you here.

You're going to need to gain access to an Administrative (or better System) shell on the server. I'll describe how this might look elsewhere on this site, but let's assume that you've done this. I also show you how to add a new user here.
.

Let's just check whether Remote Desktop Services are available:

c:\ net start

(output cut for brevity)

Good. So the Terminal Services service is started. However, this supports the desktop running locally on the server as well as remote connectivity. So let's check whether the service is listening on port 3389:


c:\ netstat -an

(output cut for brevity)

Right, so we've confirmed that it's not listening. We need to enable the remote connectivity portion of the service and restart it. If we had access to the desktop (rendering this article pointless) then we could go to Control Panel -> System -> Remote and turn on Remote Desktop. The command line equivalent is as follows:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d "0x0"

After this we need to kill the existing Terminal Server process. This isn't trivial because, as I said before, it's actually propping up the live desktop on the server. We hunt out the task ID of the process:

tasklist /svc | findstr /C:TermService

Now. This is important. If - and only if - the svchost.exe only lists TermService you can proceed. If there is more than one entry following it, then you'll break things. The only way to safely get RDP running will be to reboot the server. Hey, if you're authorised to do this, then go for it.

taskkill /F /PID [from previous]
net start "Terminal Services"

Finally, let's see whether we managed to get RDP listening:

c:\ netstat -an

(output cut for brevity)

Tags: 
security
windows
Hello