Universal Termsrv.dll Patch Windows Server 2012 R2 < VERIFIED • Secrets >
Prior to patching, termsrv.dll contains a function called TerminateDD or similar session-checking routines. When a third user attempts to log in via RDP, the function queries the licensing store, sees that no RDS CAL is available (or that the concurrent limit is 2), and rejects the connection.
The patch locates and changes a conditional jump instruction (JNZ, JE) to an unconditional jump (JMP) or alters the comparison value (e.g., changing a cmp eax, 2 to cmp eax, 9999). Specifically, for Server 2012 R2, the known patch targets the following hex pattern:
Unpatched bytes (around offset 0x2F6E0 or similar, version dependent):
8B 81 D8 00 00 00 83 F8 02 7C ...
Patched bytes:
8B 81 D8 00 00 00 83 F8 02 7D ... or B8 00 00 00 00 90 90 ...
Note: Exact offsets vary with Windows updates. Always use an automated patching tool.
After patching, the server no longer checks or enforces the concurrent user limit. Any number of administrators (or users) can connect simultaneously via RDP using the same administrative credentials or different local accounts.
Be aware of the following before deploying the universal patch:
Some patchers are “universal” in the sense they automatically detect the correct offset for the concurrent session limit check in the DLL.
You have two methods to perform the patch: replacing the file with a pre-patched version (Universal Patcher) or modifying the binary manually via a Hex Editor.
| Risk | Description |
|------|-------------|
| Windows Updates | termsrv.dll may be replaced by a cumulative update, resetting the patch. |
| System File Corruption | Incorrect patching can lead to RDP service failure or system instability. |
| Security Exposure | Unlimited RDP sessions increase the attack surface; each session is a potential vector. |
| Licensing Violation | Using more than 2 admin sessions without RDS CALs violates Microsoft EULA. |
| Performance Degradation | The server may exceed its design capacity for concurrent interactive users. |
| No Official Support | Microsoft support will refuse assistance on a patched system. |
Major Windows Updates or cumulative security updates often replace termsrv.dll. After installing Windows Updates, the concurrent session patch will likely be removed. You must repeat this procedure (patching the new DLL version) to restore functionality.
Universal Termsrv.dll Patch for Windows Server 2012 R2 is a third-party modification designed to unlock concurrent Remote Desktop (RDP) sessions that are typically restricted by Microsoft's licensing. While Windows Server 2012 R2 natively allows up to two simultaneous administrative sessions, this patch attempts to remove that limit without requiring a Remote Desktop Services (RDS) license. Key Features Concurrent RDP Sessions:
Enables multiple users to log in simultaneously via RDP without disconnecting existing sessions. Multi-user Support:
Allows different user accounts to access the server at the same time, which is useful for small IT teams or lab environments. Lightweight Implementation: Directly modifies the termsrv.dll system file in C:\Windows\System32 rather than running as a constant background service. Backup & Restore: Most versions of the patch automatically create a termsrv.dll.backup
file, allowing you to revert changes if the system becomes unstable. How to Apply the Patch universal termsrv.dll patch windows server 2012 r2
Patching a core system file requires elevated permissions and specific steps to succeed:
The "Universal Termsrv.dll Patch" for Windows Server 2012 R2 is a specialized tool or manual procedure used to bypass the standard limitations of Remote Desktop Services (RDS). Specifically, it allows multiple users to connect to a single server simultaneously without the need for expensive Client Access Licenses (CALs) or the full Remote Desktop Session Host (RDSH) role installation. Purpose of the Termsrv.dll Patch
By default, Windows Server 2012 R2 only supports two concurrent RDP sessions for administrative purposes. If a third user attempts to log in, one of the active users is disconnected.
Concurrent Sessions: The patch modifies the system library termsrv.dll to remove this hardcoded limit, enabling unlimited simultaneous connections.
Cost Savings: It is often used by small businesses or home labs to avoid the licensing costs associated with official Microsoft RDS deployments. How to Apply the Patch on Windows Server 2012 R2
There are two primary methods for applying this patch: using an automated executable or manually editing the DLL file with a hex editor. Method 1: Automated Patchers
Several "Universal Patch" utilities automate the process. Users typically follow these steps:
Backup: Always create a copy of the original C:\Windows\System32\termsrv.dll.
Run as Administrator: Right-click the patch program and select Run as administrator.
Apply Patch: Click the "Patch" button. The tool will stop the Remote Desktop Service, replace the file, and restart the service.
Restart: Reboot the server to ensure the new DLL is correctly loaded by the system. Method 2: Manual Hex Editing
Advanced users may choose to manually patch the file to ensure no malicious code is introduced:
The Universal Termsrv.dll Patch enables concurrent Remote Desktop sessions on Windows Server 2012 R2 by modifying system files to bypass license restrictions . Alternatives include RDP Wrapper Library and manual hex editing, though patching often triggers security warnings as a "HackTool" . For legal and technical considerations regarding this modification, review the discussion at ESET Security Forum.
Universal Termsrv.dll Patch is a community-developed modification designed to bypass the concurrent Remote Desktop (RDP) session limits in Windows. While Windows Server 2012 R2 natively supports multiple sessions via the Remote Desktop Session Host Prior to patching, termsrv
role, this patch is often sought as a "quick fix" for smaller environments or for users trying to replicate server-grade multi-user access on non-server editions.
Below is a draft blog post detailing what the patch is, how it works, and the critical risks involved.
Unlocking Concurrent RDP Sessions: A Guide to the Universal Termsrv.dll Patch
Remote Desktop is one of the most powerful tools in a Windows admin’s arsenal. However, Microsoft traditionally limits the number of simultaneous RDP connections based on your license. In Windows Server 2012 R2, you typically need to install the Remote Desktop Services (RDS) role and purchase Client Access Licenses (CALs) to host multiple users. Universal Termsrv.dll Patch What is the termsrv.dll Patch? termsrv.dll
file is a core system component responsible for managing Terminal Services. By default, it contains code that checks your Windows version and enforces session limits—usually limiting non-server versions to just one remote user and server versions to two administrative sessions.
The "patch" works by modifying specific bytes within this DLL to bypass these checks, essentially "tricking" the system into allowing unlimited concurrent sessions. Key Features Concurrent Access:
Allows multiple users to log in simultaneously without kicking the active user off. Universal Support:
Often compatible across various Windows versions, including Windows 7, 8, 10, and Server 2012 R2. Ease of Use: Most versions come as a simple executable (like UniversalTermsrvPatch-x64.exe ) that automates the file replacement and registry changes. How to Apply the Patch (The Basics) Note: Always back up your original termsrv.dll before making changes. Patching Microsoft's RDP service yourself - Sam Decrock
There are two primary ways users bypass the default RDP session limit:
RDP Wrapper Library: This is an open-source project (e.g., stascorp/rdpwrap on GitHub) that acts as a layer between the Service Control Manager and Terminal Services. It is often preferred because it does not modify the original termsrv.dll file, making it more resilient to Windows Updates.
Manual Hex Editing: Users manually search for and replace specific hex strings within the termsrv.dll file using a hex editor like HxD. This process typically involves:
Taking ownership and granting full permissions for C:\Windows\System32\termsrv.dll. Stopping the Remote Desktop Service (TermService).
Replacing a version-specific hex string to remove the session check. Important Considerations End of Support for Windows Server 2012 and 2012 R2 - Dell
Patching termsrv.dll on Windows Server 2012 R2 is typically used to enable concurrent RDP sessions without requiring a full Remote Desktop Services (RDS) deployment and its associated licenses. Method 1: RDP Wrapper (Recommended) Be aware of the following before deploying the
Instead of manually modifying system files, use RDP Wrapper Library, which acts as a layer between the Service Control Manager and Remote Desktop Services. This method is safer because it doesn't modify termsrv.dll on disk.
Download RDP Wrapper: Get the latest version from a trusted repository. Run Installer: Execute install.bat as an Administrator.
Check Status: Run RDPConf.exe. If it says "Not supported," you may need to update the rdpwrap.ini file with the latest offsets for your specific termsrv.dll version (e.g., version 6.3.9600.20165). Method 2: Manual DLL Patching
If you prefer to patch the file directly, you must take ownership of the file first to bypass system protections. Stop Services: Open Command Prompt (Admin) and run: net stop TermService Take Ownership: takeown /F "%windir%\system32\termsrv.dll" /A
icacls "%windir%\system32\termsrv.dll" /grant Administrators:(F)
Backup the Original: Always copy termsrv.dll to a safe location before proceeding. Apply the Patch:
Automated: Use a tool like TermsrvPatcher which automates the byte replacement.
Manual (Hex Editor): Search for the hex pattern 39 81 3C 06 00 00 and replace it with B8 00 01 00 00 89 81 38 06 00 00 90. Restart Service: Run net start TermService. Method 3: Native Configuration (Policy Only)
Windows Server allows two concurrent administrative sessions by default. You can enable these without any patches through Group Policy: Press Win + R, type gpedit.msc, and hit Enter.
Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
Disable "Restrict Remote Desktop Services users to a single Remote Desktop Services session".
Enable "Limit number of connections" and set the maximum to 2.
Windows Server 2012 R2 Update 9th November, 2021 -- New termsrv.dll version 6.3.9600.20165 · Issue #1597 · stascorp/rdpwrap
Running sfc /scannow will detect the modified DLL as corrupted and restore the original. You’ll need to patch again.
