Joined: 19 Sep 2005
|Posted: Mon Oct 24, 2005 4:08 pm Post subject: An even better option than using the network client.
|*Pre-Req!!! Windows XP Professional - (Not Home) - Upgraded to SP2 or SP3. Worry not, hacked TCPIP DLL's are talked about below.*
When I first started using cheat engine, I thought it was fantastic! I hated to have to alt+tab, and am usually using 2 PC's anyhow, so I loved the fact that it came with a network client.
The problem(s)? The network client didn't do as good a job, because when I tried to do things like 'See what writes to this value', It would usually end up crashing my game, mostly the very first time I tried doing it. The network client also had more bugs and lacked the newer features.
I fiddled with the settings *a lot*, trying to see if it was something I was doing wrong, or a config option that wasn't set properly. To no avail.
I then launched a massive search for another software/debugger that had a network client, but stumbled upon something I think is a lot better.
Basically, Microsoft messed around with giving us concurrent remote desktop + console sessions. Meaning: The ability to be logged into the console, and still connect remotely, without logging the console session out. They scrapped the idea later, because of licensing. They had released termserv.dll in a beta version of SP2, and of course, it was preserved by techies everywhere.
I quickly installed the new termserv.dll, grinning from ear to ear, rebooted my PC, then tried to login remotely.
Ack! Console session was logged out! Ahh!!! I get it... the same user cannot login twice. So I created a 2nd admin account, and that solved *that* problem.
I then loaded up a game on my main PC and remote desktop'd to it, and loaded up cheat engine on the other.
ACK!! User wasn't allowed to debug?!
I quickly loaded up gpedit.msc and navigated its non-logical tree structure and finally found an option that lets you specify who has rights to debug programs (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Access > Debug programs). Gave my new user rights to debug then tried again.
ACK! I still wasn't allowed to 'connect' to my game, as microsoft does not allow us to 'peek' into a process that was run by another user.
Yet another hurdle I soon passed over, by using a command known as "RunAs". I had to run Cheat Engine.exe AS the console user. I figured this out quite quickly, because I already use it to run internet explorer as a 'guest' account (I'll tell ya, doing that beats out any spyware/virus scanner I've ever used.)
To sum up what is needed:
- Windows XP PROFESSIONAL with SP2/SP3 installed (this is a must. I didn't want to go to SP2, but had to. This termserv.dll will *NOT* work with XPSP1).
- Install the termserv.dll which is linked at the bottom of this post, or find an installer version of it via google. *Update* - Installer version added to the bottom of this post.
- Make sure the service "Fast User Switching" is enabled. Usually is by default, but some of us like to slim down XP to essential processes, and this is notoriously disabled by folks like us (and notoriously the reason people can't get concurrent terminal services working).
- Create a 2nd administrator account and MAKE SURE to login as that user locally, before you try to do it via remote desktop. New users aren't entirely 'created' until their first login.
- Load gpedit.msc (from start>run), and give your new user access to debug programs. (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Access > Debug programs).
- Login via remote desktop, as your new user.
- Create an icon for cheat engine, that does something like this...
runas.exe /savecred /profile /user:"MyConsoleSession" "J:\Games\Cheat Engine\Cheat Engine.exe"
Of course, replace "MyConsoleSession" with the username that you use to login to the console with. In my case, Zoultan was the console/original username, Zoultan2 was the remote desktop session, so I would put Zoultan where MyConsoleSession is.
Also, change the path to cheat engine.exe
The good thing about runas, is the /savecred switch. The first time you run it, you will be prompted for the password. This will be saved and not asked for again.
I run things as other users a lot, so I created right-click shell extensions to do it
The shell extension gives 2 additions to your right-click menu's in explorer/my computer/etc. As the example is below, I get the option to "Run As Zhoul 1" and "Run As Zhoul 2", when right-clicking on files.
- Copy/Paste the colored area into notepad
- Change the areas I marked in red, to suit your needs/usernames
- Save As> Runas_User_Shell_Ext_Helper.reg
- Double-click (or somehow run) the registry file you just created.
- You can now right-click any file, when logged in as any user, and have these displayed on your context menu.
--- Start - Runas_User_Shell_Ext_Helper.reg (copy the stuff below this line)
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\Run As Zhoul 1]
[HKEY_CLASSES_ROOT\*\shell\Run As Zhoul 1\command]
@="cmd /V:ON /c runas /savecred /profile /user:\"Zoultan\" \"cmd /x /c start \\\"\\!CD\\!\\\" \\\"%L\\\"\""
[HKEY_CLASSES_ROOT\*\shell\Run As Zhoul 2]
[HKEY_CLASSES_ROOT\*\shell\Run As Zhoul 2\command]
@="cmd /V:ON /c runas /savecred /profile /user:\"Zoultan2\" \"cmd /x /c start \\\"\\!CD\\!\\\" \\\"%L\\\"\""
Windows Registry Editor Version 5.00
---- End - Runas_User_Shell_Ext_Helper.reg (copy the stuff above this line)
- The following, is a .bat file I use to start processes as a specific user. This is not needed for the Shell Extensions that are above. Simply another way to do it.
- Copy/paste the following to notepad
- Save As> C:\Windows\System32\X.bat
- Where X is whatever you want to name it.
- Change areas marked in Red
---- Start - Z.bat - Copy the stuff below this line
if "%1" == "" goto RunAz
set Arg=%Arg% %1
If NOT DEFINED Arg (
echo No program or paramaters were specified.
rem The following 2 lines were placed here, to handle .msc's as if they were EXE's. I was tired of having to run mmc.exe <whatever.msc>.
if "%ArgPart%" == "msc" set Arg=%windir%\system32\MMC.exe %Arg%
echo Running [ %Arg% ] As [ %Uname% ]
echo Command: runas.exe /savecred /profile /user:"%Uname%" "%Arg%"
runas.exe /savecred /profile /user:"%Uname%" "%Arg%"|rem
if NOT "%errorlevel%" == "0" echo There has been an error while trying to run %Arg% as %UName%
ping -n 5 127.0.0.1|rem
-- Z.bat END - Copy the stuff above this line
All my CE icons are setup like so...
Z.bat "J:\Games\Cheat Engine 1\Cheat engine.exe"
Z.bat "J:\Games\Cheat Engine 2\Cheat engine.exe"
etc... etc... etc...
Another reason I setup this .bat is so I could run things like task manager from my remote desktop session. Even though a remote admin can kill another admins processes, they can't do things like "Set Affinity", etc. So when I'm disallowed the ability to do something, I just use z <command> to launch the program, and voila'
You can also run things like regedit.exe , from console, as your remote desktop user, if you're g33ky enough to want to change other users settings without having to login as that user.
Lastly: If you're curious why the .bat file pings 127.0.0.1 (local host)... XP didn't come with a wait or sleep command. Therefore, in my batch files, I use ping and re-direct its output to rem (null essentially). What this does, is leaves the dos window up for 5 seconds, so I can catch the success/error messages, without having to use pause.
Remote Desktop Terminal Services Hack (you only need 1 of the following.):
*New - Sala's Term Serv Hack Installer*
*older, but still working, manual install*
If this link doesn't work in the future, then use google, and search for...
xp sp2 terminal services hack
There is hella-documentation on this ... undocumented feature =)
Last edited by Zhoul on Mon Jul 28, 2008 10:41 am; edited 13 times in total