Remotely Enabling Remote Desktop (the 1337 way)

So this one is a little obscure, but lemme paint a quick picture:

A few years back, I had a small client site that had some remote users and executives that would connect to their office workstations from home via VPN / Remote Desktop. One day an executive got a new computer and “we” forgot to enable Remote Desktop for her. Normally this could have been addressed by a GPO, but it was a really small client site, and we just didn’t put that much complexity into the configuration. Anyway, this same day the user wanted to work from home and she was not able to connect. She proceeded to call me during dinner to inform me of this situation! I wanted to help but was thinking it would be tough to allow remote access REMOTELY! But I thought of a way! After I completed the below steps I contacted the user and she was able to connect!

I was so proud of myself I saved the steps and now I want to share it with everyone today. I used a combination of a free utility called psexec which can be downloaded here. I also used the built-in command prompt and registry editor that comes with Windows. Look at the below window, and follow the command prompt progress. I’ve commented along the way in green.

C:\Documents and Settings\admin>”C:\Documents and Settings\admin\Desktop\psexec.exe” \\computer0123 cmd.exe

PsExec v1.94 – Execute processes remotel

Sysinternals – http://www.sysinternals.com

Microsoft Windows XP [Version 5.1.2600]

C:\WINDOWS\systeadmin2>hostname

computer0123

#verify hostname

C:\WINDOWS\systeadmin2>netsh firewall add portopening TCP 3389 rdp enable

Ok.

#now I’m sure remote desktop will be allowed through the firewall

C:\WINDOWS\systeadmin2>netstat -a

Active Connections

Proto Local Address Foreign Address State

TCP computer0123:epmap computer0123.Eedge.net:0 LISTENING

TCP computer0123:microsoft-ds computer0123.Eedge.net:0 LISTENING

TCP computer0123:39259 computer0123.Eedge.net:0 LISTENING

TCP computer0123:netbios-ssn computer0123.Eedge.net:0 LISTENING

TCP computer0123:microsoft-ds kaserver.eedge.net:10442 ESTABLISHED

TCP computer0123:1332 kadata.eedge.net:microsoft-ds ESTABLISHED

TCP computer0123:1535 kaserver.eedge.net:netbios-ssn ESTABLISHED

TCP computer0123:2033 kaserver.eedge.net:1025 TIME_WAIT

TCP computer0123:1060 computer0123.Eedge.net:0 LISTENING

TCP computer0123:10001 computer0123.Eedge.net:0 LISTENING

UDP computer0123:microsoft-ds *:*

UDP computer0123:isakmp *:*

UDP computer0123:1025 *:*

UDP computer0123:1026 *:*

UDP computer0123:1027 *:*

UDP computer0123:4500 *:*

UDP computer0123:ntp *:*

UDP computer0123:netbios-ns *:*

UDP computer0123:netbios-dgm *:*

UDP computer0123:1900 *:*

UDP computer0123:ntp *:*

UDP computer0123:netbios-ns *:*

UDP computer0123:netbios-dgm *:*

UDP computer0123:1900 *:*

UDP computer0123:ntp *:*

UDP computer0123:1028 *:*

UDP computer0123:1044 *:*

UDP computer0123:1209 *:*

UDP computer0123:1900 *:*

#I see Remote Desktop is not enabled, as port 3389 is not in the list

#I then use regedit from my machine and remotely connect to the registry on her workstation and enable remote desktop. (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnection=0)

C:\WINDOWS\systeadmin2>shutdown -m \\computer0123 -r

The machine is locked and can not be shut down without the force option.

C:\WINDOWS\systeadmin2>shutdown -m \\computer0123 -r –f

C:\Documents and Settings\admin>

#it works now

For those who are lost in the command prompt, just look at these steps instead:

Use psexec to open a cmd session on the computer0123
Use netsh to open a hole in the remote computer’s firewall for TCP 3389. This is the port Remote Desktop uses.
Use netstat to check to see if remote desktop is currently listening/running
Use regedit (not shown) to connect to computer0123’s registry and change the 1 to an 0 in the fDenyTSConnection key.
Use the shutdown command to restart the computer, which is required when enabling Remote Desktop via the registry.