No more MSTSC.exe /CONSOLE

by Shijaz Abdulla on 08.01.2008 at 08:51

That’s right. No more /console switch on the Windows Remote Desktop Connection tool, MSTSC.exe, starting from Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Server 2008.

This is because of design enhancements in Windows Vista and Windows Server 2008, by virtue of which you cannot connect to Session 0, which is the default session. Running services and user applications together in Session 0 poses a security risk: services in Session 0 run at elevated privileges and are therefore a target for malware that attempts to exploit a privilege escalation.

The new generation of the Windows operating system mitigates this security risk by isolating services in Session 0 and making Session 0 non-interactive to the user. In Windows Vista (and Windows Server 2008), only system processes and services run in Session 0. The first user logs on to Session 1. Subsequent users log on to subsequent sessions (Session 2, Session 3 etc). This means that services (like printer drivers loaded by spooler service, UMDF drivers, user/window interactive services, etc) never run in the same session as users’ applications and are therefore protected from attacks that originate in application code. [More info]
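The separation described above can be checked on a live machine. The PowerShell below is an added example, not code from the original post: it groups processes by session, reports Session 0 processes that are not owned by a built-in service account, and lists services still configured to interact with the desktop. The function names are hypothetical, and the owner check is a heuristic that assumes English account names.

```powershell
# Added example: audit Session 0 isolation on the local machine.
# Assumes PowerShell 3.0 or later; function names are hypothetical.

function Get-SessionSummary {
    # One row per session: how many processes it holds and which images.
    Get-CimInstance Win32_Process | Group-Object SessionId |
        Sort-Object { [int]$_.Name } | ForEach-Object {
            [pscustomobject]@{
                SessionId    = [int]$_.Name
                ProcessCount = $_.Count
                Images       = ($_.Group.Name | Sort-Object -Unique) -join ', '
            }
        }
}

function Get-Session0UserProcess {
    # Heuristic: Session 0 should hold only system and service processes, so
    # report anything there that is not owned by a built-in service account.
    # Account names are assumed to be the English ones.
    $builtin = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
    Get-CimInstance Win32_Process -Filter 'SessionId = 0' | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
        # GetOwner fails for protected processes; skip those rather than guess.
        if ($owner -and $owner.ReturnValue -eq 0 -and $builtin -notcontains $owner.User) {
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Image     = $_.Name
                Owner     = '{0}\{1}' -f $owner.Domain, $owner.User
            }
        }
    }
}

function Get-InteractiveService {
    # Services with "Allow service to interact with desktop" set were written
    # for the shared Session 0 model and deserve review.
    Get-CimInstance Win32_Service -Filter 'DesktopInteract = TRUE' |
        Select-Object Name, StartName, State, PathName
}

Get-SessionSummary      | Format-Table -AutoSize -Wrap
Get-Session0UserProcess | Format-Table -AutoSize
Get-InteractiveService  | Format-Table -AutoSize
```

Services that run under dedicated or virtual accounts will appear in the second table; treat each row as something to review, not as a finding in itself.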

Session Zero in Windows XP/Windows Server 2003: The first user logs in to Session Zero itself.

Session Zero Isolation in Windows XP SP3/Windows Vista SP1/Windows Server 2008: The first user’s session is not within Session Zero; a separate session is created, thereby improving security.

Since there is no longer the ability to connect to Session 0, the /console switch is no longer required. But, what if I want to connect to Session 0 on a Windows Server 2003/XP or earlier machine using RDP 6.1? Let’s find out.

When I typed “mstsc /?” on my Windows Server 2008 machine, these are the options that are available to me:


Notice that the /console option is not available, but there is a /admin option. The /admin option lets you connect to Session 0 on a remote computer that doesn’t have Windows Vista SP1, Windows XP SP3 or Windows Server 2008 or later installed.

However, if you try to use the /console switch on a Windows Server 2008 or Vista SP1 machine, you get the error “An unknown parameter was specified in the computer name field”.


57 Responses to No more MSTSC.exe /CONSOLE

  1. Anonymous says:

    try saving the session to a .rdp file and then:

    mstsc /admin bla.rdp

    works fine!

  2. Anonymous says:

    This is a strange workaround, but it works.

  3. Shijaz says:

    Workaround for what? You’re still using /admin.

  4. Anonymous says:

    Is there a way to remotely connect to the old console session in Windows 2008 and Vista SP1?

  5. Shijaz says:

    Yes. You use the /admin switch to connect to an existing session on a remote machine.

    In short, you can do everything you did with /console except connecting to session 0.

  6. Anonymous says:

    The whole point of being able to connect to the console is to start a (usually time-consuming) task and then disconnect and be able to walk over to the console later on.

    I can appreciate the new security model, but this is another case where MS developers don’t consider the ramifications. *sigh*

  7. Tim says:

    Nice post. I just discovered this this morning after updating to XP SP3. MS seems to have failed to update the Remote Desktops MMC. It seems to still try to use the /console flag and thus fails to connect to session 0 on remote systems running server 2003.

  8. Shijaz says:

    Hi Tim,

    The Remote Desktops MMC is part of the Windows Server 2003 AdminPak. The MMC snap-in is not a Windows XP feature and hence is not addressed by the Windows XP Service Pack.

    Shijaz

  9. Anonymous says:

    Thanks for your post! I routinely remote into console on our Windows 2003 server to start timed jobs and I kept disconnecting expecting the session to stay logged in (as is the case with a console session) only to see it logged off! The work around I found, is to login as a user on your 2003 server, then FROM that server go to Run and type mstsc -v:localhost /f -console
    You’re back at console, baby!!

  10. Gustavo says:

    I have the same Remote Desktops snap-in issue. After applying WXP SP3, I was unable to access the console of my W2k3 Servers. Only regular remote desktops connections are available… I am very disappointed… again.

  11. Shijaz says:

    Gustavo,

    If you’ve read and understood my post, you will know how to connect to console of your Windows 2003 servers using the RDP that comes with Windows XP SP3.

  12. Hobbit says:

    FAIL

  13. Kevin says:

    THANK YOU! Just installed SP3 and went to get on my servers remotely (which I must run @ console since they’re specific application servers and can’t have multiple logins).

    You saved my day.
    Kevin, Univ of MS

  14. Kevin Felker says:

    You saved my day.

  15. Brad Thompson says:

    Thank you for the post. All the comments were great, too!
    I had heard grumbles from colleagues who were using Vista but I was running XP, and thought I was safe.

  16. Anonymous says:

    Thanks for the excellent tip.

  17. Jason Boche says:

    I’m one of the users who had a nice collection of RDP /console connections in the MMC. The MMC does not allow a connection parameter of /admin to be passed in the server name, so now the MMC can’t be used. This stinks. If MS would have updated the code behind the MMC, I would have been content even though I’d have to update all my connections. Seems MS had made the choice for me.

    Jas

  18. Anonymous says:

    Dameware I guess. I can understand the security side of it but it makes it unusable in a lot of instances for me now.

  19. Esse Quam Videri says:

    I found this tip to be helpful since I just upgraded to SP 3 on XP and noticed I was not getting in on session 0.

  20. Anonymous says:

    Do you think this has anything to do with Microsoft controlling access to virtual servers? In a virtual environment the console switch is used all the time. I wonder if this will impact access to servers via VMWare’s Virtual Infrastructure Client/ Virtual Center Console? It could be another way they are trying to interfere with other virtual systems?

  21. Shijaz says:

    No, this shouldn’t affect the way virtualization software gives you access to the console.

  22. lef says:

    I can’t even connect to Windows 2003 Server with or without the /admin. It is probably because of this TS Gateway crap (i don’t need it) at SSL port 443, but unfortunately it does still not connect, even if I turn it off. It only says I ought to speak to my network administrator, and that is… me! The servers are OK.

  23. Chris Knight says:

    Also note that the /admin change breaks the ability to use Remote Web Workplace on SBS 2003 to gain console access to the SBS server + any additional servers you have on the SBS network. See my blog post for details on workarounds.

    Great explanation BTW.

  24. Shijaz says:

    Thanks Chris.

    I’m sure the SBS admins here will find your blog entry useful!

  25. Anonymous says:

    I have Vista Ultimate w/ SP1 and I cannot use the /admin flag. mstsc /? only shows /console. But this only connects to a user session, not the console session.

  26. Anonymous says:

    Thanks. mstsc /admin works fine.

  27. Anonymous says:

    I just got around to installing SP3 (Sep ’08) and it took a little while to figure this out.
    I was using the “connect to console:i:1” line in the .rdp file, versus the /console switch.
    I have DOZENS of .rdp files that now have to be changed, so instead of changing all the files, I created a new file extension type called “.rdc” and copied the .rdp properties over to it (when prompted), and then (from advanced options) edited the “Connect” action to add the /admin switch after “mstsc.exe”.
    Now I have .RDP for typical Terminal Server functions and .RDC (Remote Desktop Console) for console files.
    The last step is to rename the console .rdp files to .rdc and I’m done.
    The change is simple, global and helps differentiate between the two actions for cleaner administration.

    -GWATA
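An alternative to re-associating file types, as an added example that is not part of the comment above or the original post: the PowerShell below adds `administrative session:i:1`, the .rdp setting that corresponds to the /admin switch, to files that carry the legacy `connect to console:i:1` line. The function names, sample lines and folder path are hypothetical.

```powershell
# Added example: make legacy "console" .rdp files work with RDC 6.1 and later.
# Function names are hypothetical; sample lines below are constructed.

function Convert-RdpConsoleSetting {
    param([string[]]$Lines)
    $legacy = '^\s*connect to console:i:1\s*$'
    $admin  = '^\s*administrative session:i:\d+\s*$'
    # Leave ordinary (non-console) connection files untouched.
    if (-not ($Lines -match $legacy)) { return $Lines }
    # Drop any existing value, then request the administrative session.
    # The legacy line stays so pre-6.1 clients keep their behaviour.
    $out = @($Lines | Where-Object { $_ -notmatch $admin })
    $out += 'administrative session:i:1'
    return $out
}

function Update-RdpFile {
    param([string]$Path)
    $old = @(Get-Content -LiteralPath $Path)
    $new = @(Convert-RdpConsoleSetting -Lines $old)
    # Unchanged content means the file is already converted or not a console file.
    if (($new -join "`n") -eq ($old -join "`n")) { return $false }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak"
    # mstsc saves .rdp files as UTF-16LE, which -Encoding Unicode preserves.
    Set-Content -LiteralPath $Path -Value $new -Encoding Unicode
    return $true
}

# Constructed sample: a console connection saved by an older client.
$sample = @(
    'screen mode id:i:2'
    'full address:s:server01.example.test'
    'connect to console:i:1'
)
Convert-RdpConsoleSetting -Lines $sample

# To convert a folder of files (path is an example):
# Get-ChildItem 'C:\rdp' -Filter *.rdp | ForEach-Object { Update-RdpFile $_.FullName }
```

Running the conversion a second time leaves the files unchanged, so it is safe to repeat over the same folder.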

  28. Anonymous says:

    /admin is NOT the same as /console. I uninstalled XP SP3 and now things are back to normal.

  29. Anonymous says:

    The Remote Desktops MMC appears to use MSTSC.exe. I replaced MSTSC.EXE with MSTSC.EXE Version 5.1 from an XPsp2 machine and both applications now work with the /console switch. There was no need to uninstall XPsp3.
    SteveK

  30. Anonymous says:

    I posted that I replaced the XPsp3 MSTSC.EXE with MSTSC.EXE Version 5.1 from an XPsp2 machine and both applications now work with the /console switch. There was no need to uninstall XPsp3. I ALSO replaced the MSTSCAX.DLL, MSTSHST.DLL, and MSTSMMC.DLL with the XPsp2 copies. These are all located in SYSTEM32. SteveK

  31. Peter says:

    Non-server OS only support one TS session when connecting with MSTSC, when I connect I only connect to the console (session 0).
    No need to use the /console or /admin parameter.

    Server OS support three TS sessions plus console.

    Terminal server OS support more sessions, unlimited I guess.

  32. David Sampson says:

    Hey Thanks, Upgraded to SP3 a few days ago and just bumped into the no console problem at an annoying time. Admin works gr8 for me,

    Thanks.

    Also thx to steve for suggesting to roll back the files, think I’m gonna try that!

    ;-)

  33. nospam092809393939 says:

    If you want to disconnect and keep your tasks running I think you can use this command:

    %windir%\System32\tscon.exe 0 /dest:console

    Coincidentally, it is a method to disconnect from the session without the “logon” screen appearing on the computer you’re connected to.

  34. Anonymous says:

    Thanks! First google result and worked like a charm :)

  35. SherwinX says:

    Nice post.. thanks guys — Just found out this morning about the problem in console mode RDC and the “mstsc -v:servername /f -console” works for me

  36. Rod Montrose - AVIDwireless says:

    Thank-you for solving this! It works great connecting my XP SP3 to Server 2003.

  37. Rod Montrose - AVIDwireless says:

    Thanks – I appreciate you finding this and documenting this so I can Google and find it. This works great with my XL SP3 and Windows Server 2003.

  38. Anonymous says:

    just COPY MSTSC*.* FROM A 2003 SERVER if you want to retain session 0 functionality.. or RDESKTOP from a linux box or a mac.
    works fine for me.

  39. Anonymous says:

    You da man!! Saved me. However the weird thing happens on my computer is, it doesn't give any errors with /console option! And I am able to connect to 1 windows2k3, but failed to the rest with the old /console option.

  40. Anonymous says:

    Top Man! /admin saved me from the thoughtless Richmond boys!

  41. Anonymous says:

    Thanks for the tip!!! After upgrading to SP3 I lost the /console switch and couldn't figure how to RDP into session 0 on my server 2003 boxes. This saves me as we have one specific app that will only open in the console and it's much easier to do from my desk than having to go to the server room every time!

  42. Pingback: How to: link .rdp alla console amministrativa « Barlaccione's Blog

  43. Krishna R says:

    Thanks for the really useful tip…

    I use a ‘command-line service’ from time to time (with interact with desktop enabled — http://kennethhunt.com/archives/001899.html), which needs a /console connect… I used to wonder why it doesn’t work on a few machines, now this explains it…

  44. Ron says:

    I can’t stand the “new way” of doing things. Like today I try to connect to a machine.. the user gave me the wrong IP, was the IP of their personal computer! Windows 7 RDC just says login failed, does not help me. I dig out the old mstsc.exe version 5 and instantly I see the login screen and that it is Windows 7… wrong machine!

  45. baris acar says:

    This post was a life saver, thank you!

  46. Pingback: 3 Simultaneous Remote Connections To a Server

  47. James says:

    Thanks a lot, this was great.

  48. DaWaBZ94 says:

    hi all;
    this is just a BiG ThX
    saved my life
    thX again :)

  49. Doug says:

    Thanks. This /admin gives me what I needed.

  50. jijin says:

    Thanks a lot :) It worked for me too. Nice post

  51. Jimminy Jones says:

    Removing /console option from server 2008 RDP server is FREAKING STUPID!!! Sure there are some security enhancements but what if you need to connect to a previous session again?? Now run RDP and get connected to a brand new randomly generated session each time. STUPID!

    example: Say you are performing a task which requires a lot of time on a server. IE shifting 200gb of data. Run RDP get randomly generated session lets say 8. Start the copy and leave it running. 1.5 hours later come back and your session has timed out, as it does. Start RDP again and get randomly generated session. THIS TIME 3! where is your file copy?!?! It’s still running over on session 8! So how are you going to find out its progress, any errors, any dialogue boxes??

    I understand the “security” reasoning for no session 0 but at least leave the /admin switch in there and make it connect to session 1 or 100 or something specific. Not a random session.

    • shijaz says:

      @Jimminy
      You’re missing the point altogether. Re-read the post.

      • Gaius Gracchus says:

        No, he is not missing the point.

        What a sucky, scummy excuse for taking away one of the three free connections using RDP.

        Now with server 2008, you only get TWO. So you pay MORE and get LESS.
        Oh, and it is a ‘feature’ — big bro is looking out for you. (NOT).

        Typical MicroSquish cr@p.

  52. dannykpowell says:

    RT @shijaz: No more MSTSC.exe /CONSOLE http://t.co/gtRmV1n

  53. New versions of terminal services client (mstsc) no longer have the console switch. Use /admin instead.
    http://t.co/GCeqARO

  54. Pingback: Terminal server, Remote desktop e connessione alla consolle | Consulenti IT Blog
