stascorp / rdpwrap

RDP Wrapper Library
Apache License 2.0

Win 7 RDP disappeared after TrendMicro wreaked havoc removing RDP Wrapper and more... #940

Open thomasvjohansen opened 4 years ago

thomasvjohansen commented 4 years ago

Hi

I have several Win 7 Pro machines where the RDP service TermService has disappeared. They all have in common that rdpwrap was installed.

I suspect it was KB4530734 that did it, but I'm not sure. It could also be my antivirus, Trend Micro, which removed something?

I don't know how to reinstall RDP; I can't find any solution to this. I have tried to remove the Windows Update package, but that hasn't "reinstalled" the RDP service.

My next step is to roll back to a previous date, but I haven't tried it yet....

Any other suggestions?

affinityv commented 4 years ago

Hi,

On 12/12/19 11:37 pm, thomasvjohansen wrote:

I have several Win 7 Pro machines where the RDP service TermService has disappeared. They all have in common that rdpwrap was installed.

Do they also have Trend Micro installed?

I've found that TM is removing RDP Wrapper as spyware, even when the installation directory has been added to exclusions. I managed to get one site to stop using TM and may do the same for others if they keep causing grief.

NB: Even with "C:\program files\rdp wrapper" set as an exception directory, TM still may break things.

Making the DLL read-only helps....

In order to fix machines, I remote in via ssh to get a cmd.exe session as an admin user and reload a registry hive that TM blows away (which breaks RDP itself!).

Once that is restored (the registry hive), then I reboot the machine and can do a normal RDP session. Once I am there, then I re-install RDP Wrapper as RDPConf shows it as not installed.

This is the registry hive:

https://drive.google.com/drive/folders/1UpdH-lWQKxLHWfKuILxAEc29P7vZjZn1?usp=sharing

The download comes in as an .mp3 file, but it is in fact a .reg file.

Use the following at the cmd prompt (as admin user) to import the registry file:

reg import file.reg

BTW, as part of working out how to fix this (and the extent of the damage caused by TM), I found out about the registry hive from this issue link:

https://github.com/stascorp/rdpwrap/issues/857

I suspect it was KB4530734 that did it, but I'm not sure. I don't know how to reinstall RDP; I can't find any solution to this. I have tried to remove the Windows Update package, but that hasn't "reinstalled" the RDP service.

If the above is true about TM, then it was probably just timing and nothing to do with any Windows update.

Any other suggestions?

;-)

Kind Regards AndrewM

-- Andrew McGlashan IT Support & Broadband Solutions

thomasvjohansen commented 4 years ago

Andrew, you are a true lifesaver; your registry hive worked.

I have spent almost my whole work day, from 6:30 am this morning, finding a fix.

I'm so grateful to you for sharing your experience.

My next move must be stopping TM on the remaining Win 7s and fixing the next 2 Win 7 PCs with this problem.

affinityv commented 4 years ago

These days on Winblows, I think you are better off having ALL normal users without admin rights and using the built-in M$ protections (Defender/Security Essentials). The user not being admin saves the computer from almost all problems. AV and security software adds further attack surface, as those products operate with admin or system privileges, and with any fault in them (and there have been many), they could be your enemy rather than your friend.

To give me a better chance to fix some things remotely, I have multiple means to get in to the machine: via ssh (restricted to known IP addresses and with private/public key pair access) and also via a Tor service that is restricted in other ways but allows access to ssh from any IP address. Definitely not exposing any of this to the big bad world!

BTW, how many hours did you spend on it? I quickly discovered that the re-install of RDP Wrapper was failing, and the output in the cmd prompt window was enough to discover the missing hive.

affinityv commented 4 years ago

Also, it happened to a number of machines BEFORE any Windows updates became available, so I was sure it wasn't WU for those machines. I have raised this with TM as well; hopefully they'll fix this and not break things, especially since we've specifically installed RDP Wrapper for good reasons.

affinityv commented 4 years ago

It would be good if you could change the issue title to: "Win 7 RDP disappeared after TrendMicro wreaked havoc removing RDP Wrapper and more..."

thomasvjohansen commented 4 years ago

A call from a user woke me up too early this morning, and I thought I could fix it before going to work, but it was more complex. At work I quickly realised it could be either TM or WU because, when trying to copy RDP Wrapper to a local machine, TM removed the files instantly. But at the same time I could see that most of my Windows 7 PCs had received a couple of updates the day before.

When another user reported the same fault around 10 am, I guessed a pattern and found a third PC with the same problem that I could fiddle with without bothering anyone. No search online could guide me on how to reinstall the RDP service, only how to activate it, but in this case the service and registry entries were gone.

That's why, in a small hope, I wrote here...

Every little bit of time I could use today, I tried to figure out why; I think I have spent 5 hours or so.

TM has done some damage earlier on, but not on multiple machines so fast.

About security, I have never been a fan of antivirus, but my users are all of different ages, so I have to have some. I'm working on upgrading the Win 7s to Win 10, but other obstacles give some challenges, even though they are downgraded Win 10s.

affinityv commented 4 years ago

Yes, very big thanks to morelab; I was lucky to find his posts. Interesting that both ESET and TM took out registry hives. Yes, security: the absolute lowest denominator for varied users is to ensure they don't have admin privs at all. AV and other products are often more trouble than they are worth, but too many "users" are conned into believing that they absolutely must have such "protection"; it also gives them a false sense of safety, and they think that the products are perfect. I explain that many things get found out over time, and there is plenty in the wild that we never find out about, so they must be wary of everything and ask for advice if they are ever unsure at all. Besides, even seasoned professionals can be bitten more easily these days if they aren't careful.

MrRobot5000 commented 4 years ago

Beginning last Wednesday, 12/4/19, TrendMicro released a new definition which flagged RDP Wrapper as spyware/grayware. The detection was calling it "HackTool.Win64.RAdmin.AA.component." There is still nothing to this day in their encyclopedia for this. It deletes the rdpwrap.dll file from the Program Files directory as well as the TermService registry key. After the clean-up, which is done after a machine reboot, TermService isn't even visible within Services. The fix is to restore both, followed by another machine reboot, to restore the service. This is impacting both Win 10 and Win 7 machines.

affinityv commented 4 years ago

I've reported it to TM; hopefully they can fix this (or really, be willing to fix it). Make the "C:\program files\RDP Wrapper" directory read-only; TM will keep screwing with it. On machines that have the exception set, it still kills it. I reconnect with ssh and reload the registry, reboot and re-install RDP Wrapper. At least I can do all that remotely, so long as my ssh access is good.

bezik46 commented 4 years ago

Windows Defender also removes rdpwrap.dll with some January engine/definitions update (treats it as unwanted software, which is not really surprising)

affinityv commented 4 years ago

Uggh, can we add exceptions with Windows Defender easily? If so, how?

affinityv commented 4 years ago

This is going to get painful. https://winaero.com/blog/exclusions-windows-defender-windows-10/

nescafe2002 commented 4 years ago

Note that TrendMicro adds a registry value "DeleteFlag"=dword:00000001 and updates value "Start"=dword:00000004 (disabled) in key HKLM\SYSTEM\CurrentControlSet\services\TermService. You can manually roll back these changes before reboot. Note that importing the registry file from Google Drive mentioned above will not remove the DeleteFlag value.

The issue can be resolved by opening WFBS settings, Devices, [Server/Desktop], Configure Policy, Antivirus/Anti-spyware, Advanced Settings, Modify Spyware/Grayware Approved List.

Add the HackTool and HKTL entries (I just did a search for Radmin and selected all HackTools and HKTL entries)
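
Putting nescafe2002's observation (DeleteFlag=1 and Start=4 under the TermService key) together with the reg import step affinityv describes earlier in the thread, the following PowerShell script is an added example, not code from the rdpwrap project or from any commenter. It inspects the TermService key, backs it up with reg.exe before touching anything, and, with -Fix, removes DeleteFlag and resets Start so the service is not deleted on the next reboot. The -Fix switch, the backup directory, the rdpwrap.dll location under "C:\Program Files\RDP Wrapper", the Start value 2 (automatic) used on rollback, and the optional Defender exclusion are this example's assumptions, not anything the thread prescribes. Run it in an elevated PowerShell session before rebooting.

```powershell
# Added example (not rdpwrap project code): detect and roll back the
# TermService "mark for deletion" described in the thread.
# Assumptions: -Fix switch, $BackupDir, $StartType default and the DLL
# path are choices of this example.
param(
    [switch]$Fix,
    [string]$BackupDir = "$env:SystemDrive\TermService-backup",
    # 2 = automatic, 3 = manual, 4 = disabled. Assumed default: 2.
    [ValidateSet(2, 3)][int]$StartType = 2
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService'
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\TermService'   # reg.exe syntax
$dll    = Join-Path $env:ProgramFiles 'RDP Wrapper\rdpwrap.dll'

# 1. If the key is already gone, the deferred deletion has run (post-reboot).
#    Only a known-good export of the key, imported with reg import, gets it back.
if (-not (Test-Path $key)) {
    Write-Warning "$key is missing: TermService has already been removed."
    Write-Warning 'Import a TermService.reg taken from a healthy machine of the same build (reg import <file>.reg) and reboot.'
    return
}

$props      = Get-ItemProperty -Path $key
$deleteFlag = $props.PSObject.Properties['DeleteFlag']   # $null when absent
$start      = $props.Start

"Start      = $start  (2 = automatic, 3 = manual, 4 = disabled)"
"DeleteFlag = $(if ($deleteFlag) { $deleteFlag.Value } else { '<absent>' })"
"rdpwrap.dll present: $(Test-Path $dll)"

$pending = ($deleteFlag -and $deleteFlag.Value -eq 1) -or ($start -eq 4)
if (-not $pending) {
    'No pending deletion detected on TermService.'
    return
}

Write-Warning 'TermService is marked for deletion / disabled; it will vanish on the next reboot.'
if (-not $Fix) {
    'Re-run with -Fix to roll the changes back.'
    return
}

# 2. Export the key first so a later clean-up pass can be undone from a local
#    copy instead of a file downloaded from a third party.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('TermService-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $regKey $backup /y | Out-Null
"Backup written to $backup"

# 3. Roll back both changes: dropping DeleteFlag cancels the deferred
#    deletion, and Start is returned to a non-disabled start type.
if ($deleteFlag) {
    Remove-ItemProperty -Path $key -Name DeleteFlag
}
Set-ItemProperty -Path $key -Name Start -Value $StartType -Type DWord
"DeleteFlag removed and Start reset to $StartType."

# 4. Optional: stop Microsoft Defender from quarantining the wrapper DLL.
#    This covers Defender only; Trend Micro's approved list is edited in
#    WFBS/Apex as described in the comment above.
if ((Test-Path $dll) -and (Get-Command Add-MpPreference -ErrorAction SilentlyContinue)) {
    Add-MpPreference -ExclusionPath (Split-Path $dll)
    "Defender exclusion added for $(Split-Path $dll)"
}
```

Run it without -Fix first to see the current state; if it reports the key as missing, the rollback is too late and the .reg import and reboot from the earlier comments are the only route. Removing DeleteFlag before the reboot avoids the second reboot that the restore-after-deletion path needs.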

affinityv commented 4 years ago

There is at least one system that TM breaks again (at random time intervals) after I fix it ...

The "fix" is to re-import the registry tree (from that Google Drive reference, but I keep the file handy), then do a reboot, and after the reboot re-install RDP Wrapper, then fix the INI and restart the RDP service with RDPWInst.exe -r

NB: Not using TM's WFBS product on ANY systems these days. All the problem machines are now Windows 10 (except for one that will be soonish, no hurry on that one).

affinityv commented 4 years ago

btw WFBS -- worry free is an oxymoron here, it is indeed a worry.

eddie-r commented 4 years ago

Thank you so much, affinityv, for your solution. Trend Micro was just rolled out in our company and killed RDP on my machine. We're currently in COVID-19 lockdown and forced to work from home, so TM removing RDPWrap prevented me from working.

Got pulled over by police for being outside during lockdown, since I had to go into the office to perform this fix. Luckily I work for a hospital and my employee swipe card was sufficient to let me get to my office.

Thanks again.

affinityv commented 4 years ago

Thank you @eddie-r for your service!

ragwingtmu921 commented 3 years ago

Recently my company applied Trend Apex and ruined RDP on my PC. I followed the .reg and restored the RDP service. Thank you so much @affinityv

But when I wanted to re-install RDP Wrapper, Trend Apex deleted all the files instantly after I downloaded them. My Windows account is in the Administrators group, but I have no sufficient power to open Trend Apex and change the settings. Is there any way to re-install RDP Wrapper in such a situation?

affinityv commented 3 years ago

You need to make sure that whoever is in control of "Trend Apex" adds exceptions; that is, if the exceptions are honoured. I found it best to rid all PCs of Trend Micro products and use the built-in Windows Defender with an otherwise properly locked-down OS.

nasrrafiq commented 2 years ago

Can anyone help me get this for Windows Server 2012 R2 6.3.9600.16384? Trend Micro also wrecked my rdpwrap.

affinityv commented 2 years ago

See if this helps WindowsServer2012R2--6.3.9600--TermService.reg

It comes from a fully up to date (patched) Windows Server 2012 R2 using termsrv.dll that is 6.3.9600.20165

nasrrafiq commented 2 years ago

Thank you, I will try it and update you soon.