Tuesday, January 8, 2008

No more MSTSC.exe /CONSOLE

That's right. There is no more /console switch on the Windows Remote Desktop Connection tool, MSTSC.exe, starting from Windows XP Service Pack 3, Windows Vista Service Pack 1 and Windows Server 2008.

This is because of a design change in Windows Vista and Windows Server 2008: you can no longer connect to Session 0, which is the default session. Running services and user applications together in Session 0 poses a security risk, because services in Session 0 run with elevated privileges and are therefore a target for malware that attempts a privilege escalation against them.

The new generation of the Windows operating system mitigates this risk by isolating services in Session 0 and making Session 0 non-interactive to the user. In Windows Vista (and Windows Server 2008), only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions (Session 2, Session 3, etc.). This means that services (such as printer drivers loaded by the spooler service, UMDF drivers, user/window-interactive services, etc.) never run in the same session as users' applications and are therefore protected from attacks that originate in application code.


Session Zero in Windows XP/Windows Server 2003: The first user logs in to Session Zero itself.


Session Zero Isolation in Windows XP SP3/Windows Vista SP1/Windows Server 2008: The first user's session is not Session Zero; a separate session is created, thereby improving security.

Since it is no longer possible to connect to Session 0, the /console switch is no longer required. But what if I want to connect to Session 0 on a Windows Server 2003/XP or earlier machine using RDP 6.1? Let's find out.

When I typed "mstsc /?" on my Windows Server 2008 machine, these are the options that are available to me:



Notice that the /console option is not available, but there is a /admin option. The /admin option lets you connect to Session 0 on a remote computer that does not have Windows Vista SP1, Windows XP SP3, Windows Server 2008 or later installed.

However, if you try to use the /console switch against a Windows Server 2008 or Vista SP1 machine, you get the error "An unknown parameter was specified in the computer name field".
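As an added example (not part of the original post), the following PowerShell script checks whether Session 0 isolation is in effect on the local machine and picks /admin or /console based on the installed mstsc.exe version, so the same helper works from an XP SP2 box and from an XP SP3/Vista SP1/Server 2008 box. It assumes PowerShell 3.0 or later and the standard %windir%\System32\mstsc.exe; the function names are my own.

```powershell
# Group running processes by session ID. Where Session 0 isolation is in
# effect, session 0 should hold only services and system processes, and the
# interactive user's programs should appear in session 1 or higher.
function Get-SessionLayout {
    Get-Process | Group-Object SessionId | Sort-Object { [int]$_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                SessionId    = [int]$_.Name
                ProcessCount = $_.Count
                Sample       = ($_.Group | Select-Object -First 5 -ExpandProperty ProcessName) -join ', '
            }
        }
}

# Returns $true when the calling shell is NOT in session 0, i.e. the isolation
# described above applies to this machine (XP/2003 return $false for a console logon).
function Test-Session0Isolation {
    return ([System.Diagnostics.Process]::GetCurrentProcess().SessionId -ne 0)
}

# MSTSC 6.1 (shipped with XP SP3 / Vista SP1 / Server 2008) replaced /console
# with /admin; older clients still understand only /console.
function Get-ConsoleSwitch {
    param([string]$MstscPath = "$env:windir\System32\mstsc.exe")
    $v = (Get-Item $MstscPath).VersionInfo
    if ($v.FileMajorPart -gt 6 -or ($v.FileMajorPart -eq 6 -and $v.FileMinorPart -ge 1)) {
        return '/admin'
    }
    return '/console'
}

# Launch a console/admin session to a remote host with the correct switch.
# -WhatIf only returns the command line instead of starting mstsc.exe.
function Connect-RemoteConsole {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$WhatIf)
    $argList = @("/v:$ComputerName", (Get-ConsoleSwitch))
    if ($WhatIf) { return "mstsc.exe $($argList -join ' ')" }
    Start-Process -FilePath "$env:windir\System32\mstsc.exe" -ArgumentList $argList
}

# Usage: show the local session layout, then preview the command for a host.
Get-SessionLayout | Format-Table -AutoSize
"Session 0 isolated locally: $(Test-Session0Isolation)"
Connect-RemoteConsole -ComputerName 'server2003-example' -WhatIf   # hypothetical host name
```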

37 comments:

Anonymous said...

try saving the session to a .rdp file and then:

mstsc /admin bla.rdp

works fine!

Anonymous said...

This is a strange workaround, but it works.

Shijaz said...

Workaround for what? You're still using /admin.

Anonymous said...

Is there a way to remotely connect to the old console session in Windows 2008 and Vista SP1?

Shijaz said...

Yes. You use the /admin switch to connect to an existing session on a remote machine.

In short, you can do everything you did with /console except connecting to session 0.

Anonymous said...

The whole point of being able to connect to the console is to start a (usually time-consuming) task and then disconnect and be able to walk over to the console later on.

I can appreciate the new security model, but this is another case where MS developers don't consider the ramifications. *sigh*

Tim said...

Nice post. I just discovered this this morning after updating to XP SP3. MS seems to have failed to update the Remote Desktops MMC. It seems to still try to use the /console flag and thus fails to connect to session 0 on remote systems running Server 2003.

Shijaz said...

Hi Tim,

The Remote Desktops MMC is part of the Windows Server 2003 AdminPak. The MMC snap-in is not a Windows XP feature and hence is not addressed by the Windows XP Service Pack.

Shijaz

Anonymous said...

Thanks for your post! I routinely remote into console on our Windows 2003 server to start timed jobs and I kept disconnecting expecting the session to stay logged in (as is the case with a console session) only to see it logged off! The workaround I found is to login as a user on your 2003 server, then FROM that server go to Run and type mstsc -v:localhost /f -console
You're back at console, baby!!

Gustavo said...

I have the same Remote Desktops snap-in issue. After applying WXP SP3, I was unable to access the console of my W2k3 Servers. Only regular remote desktop connections are available... I am very disappointed... again.

Shijaz said...

Gustavo,

If you've read and understood my post, you will know how to connect to console of your Windows 2003 servers using the RDP that comes with Windows XP SP3.

Hobbit said...

FAIL

Kevin said...

THANK YOU! Just installed SP3 and went to get on my servers remotely (which I must run @ console since they're specific application servers and can't have multiple logins).

You saved my day.
Kevin, Univ of MS

Kevin Felker said...

You saved my day.

Brad Thompson said...

Thank you for the post. All the comments were great, too!
I had heard grumbles from colleagues who were using Vista but I was running XP, and thought I was safe.

Anonymous said...

Thanks for the excellent tip.

Jason Boche said...

I'm one of the users who had a nice collection of RDP /console connections in the MMC. The MMC does not allow a connection parameter of /admin to be passed in the server name, so now the MMC can't be used. This stinks. If MS would have updated the code behind the MMC, I would have been content even though I'd have to update all my connections. Seems MS had made the choice for me.

Jas

Anonymous said...

Dameware I guess. I can understand the security side of it but it makes it unusable in alot of instances for me now.

Esse Quam Videri said...

I found this tip to be helpful since I just upgraded to SP 3 on XP and noticed I was not getting in on session 0.

Anonymous said...

Do you think this has anything to do with Microsoft controlling access to virtual servers? In a virtual environment the console switch is used all the time. I wonder if this will impact access to servers via VMWare's Virtual Infrastructure Client/ Virtual Center Console? It could be another way they are trying to interfere with other virtual systems?

Shijaz said...

No, this shouldn't affect the way virtualization software gives you access to the console.

lef said...

I can't even connect to Windows 2003 Server with or without the /admin. It is probably because of this TS Gateway crap (I don't need it) at SSL port 443, but unfortunately it still does not connect, even if I turn it off. It only says I ought to speak to my network administrator, and that is... me! The servers are OK.

Chris Knight said...

Also note that the /admin change breaks the ability to use Remote Web Workplace on SBS 2003 to gain console access to the SBS server + any additional servers you have on the SBS network. See my blog post for details on workarounds.

Great explanation BTW.

Shijaz said...

Thanks Chris.

I'm sure the SBS admins here will find your blog entry useful!

Anonymous said...

I have Vista Ultimate w/ SP1 and I cannot use the /admin flag. mstsc /? only shows /console. But this only connects to a user session, not the console session.

Anonymous said...

Thanks. mstsc /admin works fine.

Anonymous said...

I just got around to installing SP3 (Sep '08) and it took a little while to figure this out.
I was using the "connect to console:i:1" line in the .rdp file, versus the /console switch.
I have DOZENS of .rdp files that now have to be changed, so instead of changing all the files, I created a new file extension type called ".rdc" and copied the .rdp properties over to it (when prompted), and then (from advanced options) edited the "Connect" action to add the /admin switch after "mstsc.exe".
Now I have .RDP for typical Terminal Server functions and .RDC (Remote Desktop Console) for console files.
The last step is to rename the console .rdp files to .rdc and I'm done.
The change is simple, global and helps differentiate between the two actions for cleaner administration.

-GWATA

Anonymous said...

/admin is NOT the same as /console. I uninstalled XP SP3 and now things are back to normal.

Anonymous said...

The Remote Desktops MMC appears to use MSTSC.exe. I replaced MSTSC.EXE with MSTSC.EXE Version 5.1 from an XPsp2 machine and both applications now work with the /console switch. There was no need to uninstall XPsp3.
SteveK

Anonymous said...

I posted that I replaced the XPsp3 MSTSC.EXE with MSTSC.EXE Version 5.1 from an XPsp2 machine and both applications now work with the /console switch. There was no need to uninstall XPsp3. I ALSO replaced the MSTSCAX.DLL, MSTSHST.DLL, and MSTSMMC.DLL with the XPsp2 copies. These are all located in SYSTEM32. SteveK

Peter said...

Non-server OSes only support one TS session when connecting with MSTSC; when I connect I only connect to the console (session 0).
No need to use the /console or /admin parameter.

Server OSes support three TS sessions plus console.

Terminal server OSes support more sessions, unlimited I guess.

David Sampson said...

Hey, thanks. Upgraded to SP3 a few days ago and just bumped into the no /console problem at an annoying time. /admin works gr8 for me,

Thanks.

Also thanks to Steve for suggesting to roll back the files, think I'm gonna try that!

;-)

nospam092809393939 said...

If you want to disconnect and keep your tasks running I think you can use this command:

%windir%\System32\tscon.exe 0 /dest:console

Coincidentally, it is a method to disconnect from the session without the "logon" screen appearing on the computer you're connected to.

Anonymous said...

Thanks! First google result and worked like a charm :)

SherwinX said...

Nice post.. thanks guys -- Just found out this morning about the problem in console mode RDC and the "mstsc -v:servername /f -console" works for me

Rod Montrose - AVIDwireless said...

Thank-you for solving this! It works great connecting my XP SP3 to Server 2003.

Rod Montrose - AVIDwireless said...

Thanks - I appreciate you finding this and documenting this so I can Google and find it. This works great with my XP SP3 and Windows Server 2003.
