No more MSTSC.exe /CONSOLE

by Shijaz Abdulla on 08.01.2008 at 08:51

Thats’ right. No more /console switch on the Windows Remote Desktop Connection tool, MSTSC.exe, starting from Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Server 2008.

This is because of the design enhancements in Windows Vista and Windows Server 2008, by virtue of which you cannot connect to Session 0, which is the default session. Running services and user applications together in Session 0 poses a security risk because services in Session 0 run at elevated privileges and therefore can be targeted by malware that attack by attempting and exploiting a privilege escalation.

The new generation of the Windows operating system mitigates this security risk by isolating services in Session 0 and making Session 0 non-interactive to the user. In Windows Vista (and Windows Server 2008), only system processes and services run in Session 0. The first user logs on to Session 1. Subsequent users log on to subsequent sessions (Session 2, Session 3 etc). This means that services (like printer drivers loaded by spooler service, UMDF drivers, user/window interactive services, etc) never run in the same session as users’ applications and are therefore protected from attacks that originate in application code. [More info]

Session Zero in Windows XP/Windows Server 2003: The first user logs in to Session Zero itself.

Session Zero Isolation in Windows XP SP3/Windows Vista SP1/Windows Server 2008: First user’s Session is not within Session Zero, a separate session is created, thereby improving security.
Since there is no longer the ability to connect to Session 0, the /console switch is no longer required. But, what if I want to connect to Session 0 on a Windows Server 2003/XP or earlier machine using RDP 6.1? Let’s find out.

When I typed “mstsc /?” on my Windows Server 2008 machine, these are the options that are available to me:

Notice that the /console option is not available, but there is a /admin option. The /admin option lets you connect to Session 0 on a remote computer that doesn’t have Windows Vista SP1, Windows XP SP3 or Windows Server 2008 or later installed.

However, if you try to pull the /console switch on a Windows Server 2008 or Vista SP1 machine, you get an error “An unknown parameter was specified in the computer name field“.

I hope you found this post interesting – subscribe to my blog to get instant updates on new posts!

Trackback Permanent Link