How to Allow Multiple RDP Sessions in Windows 10 and 11?

Remote users can connect to their Windows 10 and 11 computers via the Remote Desktop Services (RDP). It is enough to enable RDP in the device settings and connect to the computer using any Remote Desktop client. But there is a restriction on the number of simultaneous RDP sessions – only one remote user can work simultaneously. If you try to open a second RDP session, a warning will appear asking you to disconnect the first user’s session.

Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?

All desktop Windows versions (including Win 10 and 11) have a number of restrictions on the Remote Desktop Service usage:

  1. You can remotely connect via RDP only to higher Windows editions (Professional and Enterprise). In Windows Home and Single Language editions the incoming remote desktop connections are forbidden;
  2. Only one simultaneous RDP connection is supported. When you try to open a second RDP session, the user is prompted to close the active connection;
  3. If there is a user who works on the console of the computer (locally), then when you try to create a new remote RDP connection, the console session will be disconnected. A remote RDP session will be also forcibly disconnected if the user will try to log in locally.

Actually, the number of simultaneous RDP connections on Windows is limited by the license (and not by any technical aspect). Thus, this restriction doesn’t allow to create a terminal RDP server based on the workstation that can be used by multiple users. Microsoft’s logic is simple: if you need a terminal server – buy a Windows Server license, RDS CALs, install and configure the Remote Desktop Session Host (RDSH) role.

Technically, any Windows version with a sufficient amount of RAM can support the simultaneous operation of several dozens of remote users. On average, 150-200 MB of RAM is required for one user session (excluding running apps). Those, the maximum number of simultaneous RDP sessions is theoretically limited only by computer resources.

Let’s consider two ways on how to allow simultaneous RDP connections on Windows 10 and 11: using the RDP Wrapper tool or patching the termsrv.dll system file.

Contents:

  • RDP Wrapper: Enable Multiple RDP Sessions on Windows
  • RDP Wrapper Not Working on Windows 10
  • Modify the Termsrv.dll to Enable Multiple RDP Sessions
  • Patching Termsrv.dll on Windows Using PowerShell

Note. System modifications described in the article are considered as a violation of the Microsoft License Agreement  and you may perform them at your own risk.

RDP Wrapper: Enable Multiple RDP Sessions on Windows

The RDP Wrapper Library OpenSource project allows you to enable multiple RDP sessions on Windows 10 without replacing the termsrv.dll file. This tool works as a layer between SCM (Service Control Manager) and the Remote Desktop Services. RDPWrap allows you to enable not only support for multiple simultaneous RDP connections but also to build an RDP server on Windows Home editions. RDP Wrapper doesn’t make any changes to the termsrv.dll file, it’s just loading termsrv library with the changed parameters.

Thus, the RDPWrap will work even in the case of termsrv.dll file update. It allows you not to be afraid of Windows updates.

Important. Before installing RDP Wrapper, it is important to make that you are using the original (unpatched) version of the termsrv.dll file. Otherwise, RDP Wrapper may become unstable or not start at all.

You can download the RDP Wrapper from the GitHub repository https://github.com/binarymaster/rdpwrap/releases (the latest available version of the RDP Wrapper Library is v1.6.2). The project hasn’t been updated since 2017, but it can be used in all new builds of Windows 10 and even Windows 11.

The RDPWrap-v1.6.2.zip archive contains some files:

  • RDPWinst.exe — an RDP Wrapper Library install/uninstall the program;
  • RDPConf.exe — an RDP Wrapper configuration tool;
  • RDPCheck.exe —an RDP check utility (Local RDP Checker);
  • install.bat, uninstall.bat, update.bat — batch files to install, uninstall, and update RDP Wrapper.

To install RDPWrap, run the install.bat file as an administrator. The program will be installed to the C:\Program Files\RDP Wrapper directory.

After the installation is complete, run the RDPConfig.exe. Most likely, immediately after installation, the tool will show that the RDP wrapper is running (Installed, Running, Listening), but not working. Note the red warning [not supported]. It reports that this version of Windows 10 (ver. 10.0.19041.1320) is not supported by the RDPWrapper.

The fact is that for each version of Windows 10 there must be a description in the rdpwrap.ini configuration file. Your config file simply doesn’t have any settings for your Windows 10 build.

The current version of the rdpwrap.ini file can be downloaded here https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini

Manually copy the contents of this page to the “C:\Program Files\RDP Wrapper\rdpwrap.ini” file. Or download the file using the PowerShell cmdlet Invoke-WebRequest (you must first stop the Remote Desktop service):

Stop-Service termservice -Force
Invoke-WebRequest https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini -outfile "C:\Program Files\RDP Wrapper\rdpwrap.ini"

Restart your computer, run the RDPConfig.exe tool. Check that all items are green in the Diagnostics section and the caption [Fully supported] appears. The screenshot below shows that the RDP Wrapper with this new config works fine on Windows 11 as well.

Try to establish several RDP sessions to your computer (use any RDP client: mstsc.exe, rdcman, etc.). It worked out well (you can even use saved RDP credentials)! Now your Windows 10 allows two (and more) remote users to use different RDP sessions simultaneously.

The RDPWrap tool is supported in all Windows editions, so you can build your own terminal (RDS) server on any Windows device.

Also, RDP Wrapper allows to:

  • Enable Remote Desktop;
  • The option Hide users on logon screen allows you to hide the list of users from the Windows Logon Screen;
  • If you disable the Single session per user option, multiple simultaneous RDP sessions will be allowed under the same user account (the registry parameter fSingleSessionPerUser =  0 is set under the reg key HKLM\SYSTEM\ CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser);
  • RDP Port — you can change the Remote Desktop port number from TCP 3389 to any other;
  • In the Session Shadowing Mode section, you can configure the remote control (shadow) connection mode to RDP sessions.

You can set limits on the duration of RDP sessions using the GPO.

RDP Wrapper Not Working on Windows 10

In some cases, the RDP Wrapper tool doesn’t work as expected and you cannot to your Windows host using multiple RDP sessions.

If the utility showed [not supported] in the status section, then the rdpwrap.ini file doesn’t contain configuration for your Windows build. Update the rdpwrap.ini file as described above.

If the RDP Wrapper doesn’t work after updating the rdpwrap.ini file, try opening the rdpwrap.ini file and looking for a description section for your Windows version. How to know if there is support for your version of Windows in the rdpwrapper config file?

The screenshot below shows that for my version of Windows 10 (10.0.19041.1320) there are two description sections:

[10.0.19041.1320]
…..

[10.0.19041.1320-SLInit]

…..

If there is no section in the config file for your version of Windows, try using Google to search for the rdpwrap.ini strings for your Windows build. Add the lines you find to the end of the file.

Also, if you have problems with RDPWrapper, you can open the issue at https://github.com/stascorp/rdpwrap/issues. Here you can also find the actual rdpwrap.ini file.

If after installing security updates or upgrading the Windows 10 build, RDP Wrapper doesn’t work correctly, check if the “Listener state: Not listening” is displayed in the Diagnostics section.

Try updating the rdpwrap.ini file, and then reinstalling the service:

rdpwinst.exe -u
rdpwinst.exe -i

It happens that when you try to establish a second RDP connection under a different user account, you see a warning:

The number of connections to this computer is limited and all connections are in use right now. Try connecting later or contact your system administrator.

In this case, you can use the Local Group Policy Editor (gpedit.msc) to enable the policy “Limit number of connections” under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections section. Change its value to 999999.

Restart your computer to update the GPO and apply the settings.

Modify the Termsrv.dll to Enable Multiple RDP Sessions

To remove the restriction on the number of concurrent RDP user connections in Windows 10 without using rdpwrapper, you can replace the original termsrv.dll file. This is the main library file used by the Remote Desktop Service. The file is located in C:\Windows\System32 directory.

Before you edit or replace the termsrv.dll file, it is advisable to create its backup copy. This will help you to revert to the original version of the file if necessary. Open the elevated command prompt and run the command:

copy c:\Windows\System32\termsrv.dll termsrv.dll_backup

Then you need to take ownership of the file. To change the owner of a file from TrustedInstaller to the local Administrators group using the command:

takeown /F c:\Windows\System32\termsrv.dll /A

SUCCESS: The file (or folder): c:\Windows\System32\termsrv.dll now owned by the administrators group

Now grant the local administrators group Full Control permissions on the termsrv.dll file using the icacls.exe:

icacls c:\Windows\System32\termsrv.dll /grant Administrators:F

processed file: c:\Windows\System32\termsrv.dll Successfully processed 1 files; Failed processing 0 files.

After that, stop the Remote Desktop service (TermService) using the services.msc console or from the command prompt:

Net stop TermService

The Remote Desktop Services UserMode Port Redirector service stops with it.

Before moving on, you need to find out your version (build number) of Windows 10. Open the PowerShell console and run the command:

Get-ComputerInfo | select WindowsProductName, WindowsVersion

In my case, Windows 10 build 21H1 is installed.

Then open the termsrv.dll file using any HEX editor (for example, Tiny Hexer). Depending on your Windows build, you need to find and replace the string according to the table below:

Windows buildFind the stringReplace with
Windows 11 RTM ( 21H2 – 22000.258)39 81 3C 06 00 00 0F 84 4F 68 01 00        B8 00 01 00 00 89 81 38 06 00 00 90  
Windows 10 x64 21H239 81 3C 06 00 00 0F 84 DB 61 01 00
Windows 10 x64 21H139 81 3C 06 00 00 0F 84 2B 5F 01 00
Windows 10 x64 20H239 81 3C 06 00 00 0F 84 21 68 01 00
Windows 10 x64 200439 81 3C 06 00 00 0F 84 D9 51 01 00
Windows 10 x64 190939 81 3C 06 00 00 0F 84 5D 61 01 00
Windows 10 x64 190339 81 3C 06 00 00 0F 84 5D 61 01 00
Windows 10 x64 180939 81 3C 06 00 00 0F 84 3B 2B 01 00  
Windows 10 x64 18038B 99 3C 06 00 00 8B B9 38 06 00 00  
Windows 10 x64 170939 81 3C 06 00 00 0F 84 B1 7D 02 00  

Tiny Hexer editor cannot edit termsvr.dll file directly from system32 folder. Copy it to your desktop, and after modification replace the original file.

For example, my build of Windows 10 x64 is 21H1 (19043.1320) with the termsrv.dll file version 10.0.19041.1320. Open the termsrv.dll file in Tiny Hexer, then find the text:

39 81 3C 06 00 00 0F 84 2B 5F 01 00

and replace it with:

B8 00 01 00 00 89 81 38 06 00 00 90

Save the file and run the TermService.

If something goes wrong and you experience some problems with the Remote Desktop service, stop the service and replace the modified termsrv.dll file with the original version:

copy termsrv.dll_backup c:\Windows\System32\termsrv.dll

Patching Termsrv.dll on Windows Using PowerShell

In order not to modify the termsrv.dll file manually using a HEX editor, you can use the following PowerShell script to apply the patch automatically. This script is based on the Windows PowerShell version and doesn’t work on modern PowerShell Core. The script is universal and can be used to patch the termsrv.dll file on all editions of Windows 10 (1809+) and Windows 11.

# Stop RDP service, make a backup of the termsrv.dllfile and change the permissions
Stop-Service UmRdpService -Force
Stop-Service TermService -Force
$termsrv_dll_acl = Get-Acl c:\windows\system32\termsrv.dll
Copy-Item c:\windows\system32\termsrv.dll c:\windows\system32\termsrv.dll.copy
takeown /f c:\windows\system32\termsrv.dll
$new_termsrv_dll_owner = (Get-Acl c:\windows\system32\termsrv.dll).owner
cmd /c "icacls c:\windows\system32\termsrv.dll /Grant $($new_termsrv_dll_owner):F /C"
# search for a pattern in termsrv.dll file
$dll_as_bytes = Get-Content c:\windows\system32\termsrv.dll -Raw -Encoding byte
$dll_as_text = $dll_as_bytes.forEach('ToString', 'X2') -join ' '
$patternregex = ([regex]'39 81 3C 06 00 00(\s\S\S){6}')
$patch = 'B8 00 01 00 00 89 81 38 06 00 00 90'
$checkPattern=Select-String -Pattern $patternregex -InputObject $dll_as_text
If ($checkPattern -ne $null) {
$dll_as_text_replaced = $dll_as_text -replace $patternregex, $patch
}
Elseif (Select-String -Pattern $patch -InputObject $dll_as_text) {
Write-Output 'The termsrv.dll file is already patch, exitting'
Exit
}
else {
Write-Output "Pattern not found "
}
# patching termsrv.dll
[byte[]] $dll_as_bytes_replaced = -split $dll_as_text_replaced -replace '^', '0x'
Set-Content c:\windows\system32\termsrv.dll.patched -Encoding Byte -Value $dll_as_bytes_replaced
# comparing two files
fc.exe /b c:\windows\system32\termsrv.dll.patched c:\windows\system32\termsrv.dll
# replacing the original termsrv.dll file
Copy-Item c:\windows\system32\termsrv.dll.patched c:\windows\system32\termsrv.dll -Force
Set-Acl c:\windows\system32\termsrv.dll $termsrv_dll_acl
Start-Service UmRdpService
Start-Service TermService

The complete script code is available in my GitHub repository at https://github.com/maxbakhub/winposh/blob/main/termsrv_rdp_patch.ps1

To execute the script, download it to your computer. Change the PowerShell execution policy settings for the current session:

Set-ExecutionPolicy Bypass -Scope Process -Force

And run the script:

C:\users\root\desktop\termsrv_rdp_patch.ps1

The script can be run after installing Windows updates to immediately make changes to the termsrv.dll file (you don’t have to modify the termsrv.dll file in the HEX editor after each update installation).

The advantage of the method of enabling multiple RDP sessions in Windows 10 or 11 by replacing the termsrv.dll file is that antiviruses do not respond to it (unlike the RDPWrap, which is detected by many antiviruses as a Malware/HackTool/Trojan).

The main drawback is that you will have to manually edit the termsrv.dll file each time you upgrade the Windows 10 build (or when updating the version of the termsrv.dll file during the installation of monthly cumulative updates). And if you are using RDPWrapper, you will also need to update the rdpwrap.ini file after installing Windows updates.

In this article, we looked at how to remove the restriction on the number of simultaneous RDP user connections and run a free terminal server on desktop versions of Windows.

About Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2

Check Also

How To Attack Kerberos

Kerberos Fundamentals Kerberos is a network authentication protocol that works on the principle of issuing …