Wednesday, July 25, 2018

How to close an RDP session but leave original user logged on

It's annoying that when you make a Remote Desktop Connection (RDP) to a PC, it does not automatically reconnect the original user once your remote session has finished. I often need to do this to remotely control a Windows-based bit of test equipment. I developed this script to place a button on the Taskbar of the controlled machine to close the RDP session. Provided you use this button, the desktop is returned to the original user as the remote session terminates. However, if you simply close the session (as you normally do by closing the RDC window), this code does not help and the machine will, as normal, prompt for a password before returning to the desktop.

Firstly, you need to create this .bat file. I've created mine in a folder called C:\Temp\Shutdown RDP and named my .bat file "CloseRDP.bat".

set MY_SESSION_ID=unknown
for /f "tokens=3-4" %%a in ('query session') do @if "%%b"=="Active" set MY_SESSION_ID=%%a
tscon %MY_SESSION_ID% /DEST:console /Password:YourTopSecretPassword

Firstly, let me explain what this does. The second line runs the command 'query session' and extracts the session ID that is active. It puts the session ID into an environment variable called MY_SESSION_ID. The third line closes the active session (based on its session ID number from line 2) and redirects to the console. You will have to replace YourTopSecretPassword with the password for the desktop user. Now, this is a bit of a security risk as the password is in plain text inside the .bat file, but I'm afraid it does not work if you leave it out.
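The parse on line 2 of the script, modelled in Python as an added example (not part of the original post) so its behaviour can be checked away from the Windows machine. It goes beyond the single-user test PC described here: the `query session` text is constructed, and the second function is a hypothetical stricter pick that relies on `query session` marking the current session with `>`.

```python
# Constructed `query session` output; '>' marks the session running the command.
SAMPLE = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#0         labuser                   2  Active
 rdp-tcp#1         otheruser                 3  Active
 rdp-tcp                                 65536  Listen
"""


def batch_pick(output):
    """Model of: for /f "tokens=3-4" ... if "%%b"=="Active" set MY_SESSION_ID=%%a."""
    session_id = "unknown"
    for line in output.splitlines():
        tokens = line.split()          # for /f splits on runs of spaces and tabs
        if len(tokens) >= 4 and tokens[3] == "Active":
            session_id = tokens[2]     # every match overwrites, so the last one wins
    return session_id


def current_session(output):
    """Stricter pick: only the row flagged '>' with a numeric ID in state Active."""
    for line in output.splitlines():
        if not line.startswith(">"):
            continue
        tokens = line[1:].split()
        if len(tokens) >= 4 and tokens[2].isdigit() and tokens[3] == "Active":
            return int(tokens[2])
    # Fail closed: without a confirmed ID there is nothing safe to pass to tscon.
    raise LookupError("no active current session found")
```

With one Active session both functions agree; with two, the batch-style loop returns the last Active row rather than the session that ran the command.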

However, there is a problem: this .bat must be run with Administrator privileges, otherwise it does not work. So from File Explorer right click on CloseRDP.bat and select "Copy". Then right click in some empty space in the same folder and select "Paste Shortcut". My shortcut is now called "CloseRDP.bat - Shortcut". Right click on this and select "Properties", click on the "Advanced" button, tick "Run as administrator" and click OK twice to return to File Explorer. You have now created a shortcut that runs as Administrator. You can click on this to close the RDC session and return to the desktop. Because it runs as an Administrator, you will be prompted to enter the Administrator password.

In an ideal world you would be able to drag this shortcut directly to the Taskbar for it to appear as a clickable program. However, for some weird reason this does not work.

To fix this a second shortcut is required! Don't ask me why, just do it! In File Explorer right click on "CloseRDP.bat - Shortcut" and select "Copy". Now right click in some empty space again and select "New > Shortcut". In the "Type the location of the item" box manually type "explorer " and then press Ctrl+V to paste the name copied earlier. It should look like this:

Click "Next" and give the shortcut a name. I've called mine "Pinable CloseRDP". There are now three files in the folder that should look like this

Now the icon for "Pinable CloseRDP" has the normal boring File Explorer icon. I like to change this to something that stands out better so right click on "Pinable CloseRDP" and select "Properties". Click on the "Change Icon..." button and select one of the default icons. I normally go with the red cross. Click OK twice to return to File Explorer. File Explorer should now have three files that look like this:

Now, after all these steps, you can finally drag the "Pinable CloseRDP" and drop it onto the Taskbar. You should now have a nice clear button that you can click to close the remote session and return the desktop to the original user.

If you are really keen you could design a custom icon to make it even clearer. When you click on your new icon you will be prompted for the Administrator password, the remote session will close and the desktop will return to the local user session without any password prompt.

Good luck, there are quite a few steps but it does work well if you follow them carefully.

Friday, March 02, 2018

WPF Blurry Pixels

Today I needed to create a small control for the status bar of my app. It needs to be small to show the pass/fail status of 96 items.

I had an ItemsControl displaying the 96 items as 4 rows of 24. I started with this code but it was horribly blurry and irregularly spaced.

<Rectangle Width="4" Height="4" Margin="1,1,0,0" Fill="Green" />

To get it to display nicely with no blurry edges I changed the code to this...

<Rectangle Width="3.84" Height="3.84" Margin="0.96,0.96,0,0" Fill="Green" />

It's because WPF assumes 96 pixels per inch. By changing the size to be a multiple of 0.96 you can trick WPF into drawing complete pixels.


Saturday, February 24, 2018

UK Government Gateway 2FA/2SV

The UK Government Gateway now requires two factor authentication, which they call two step verification (2SV), when you log in. This is a very good thing. You can download the HMRC app, receive SMS text messages (very insecure) or receive an automated phone call (quite insecure). They push you to download the HMRC app for your phone. However, I've discovered they are using industry standard Time-Based One-Time Passwords (TOTP) (another very good thing). As a result you can use the standard Google Authenticator or Microsoft Authenticator on your iPhone instead of the HMRC app.

Simply select "Mobile App" as your authentication method in the HMRC web site to display a QR code. Scan the QR code from your mobile authenticator app and you will be up and running in seconds. No need to download the HMRC app. Generally TOTP mobile phone authentication is much more secure than text messages or phone calls. Two factor authentication by SMS text message, used by many banks, should be banned as it's highly insecure due to serious vulnerabilities with the SS7 protocol used between mobile networks. It's so insecure that NIST (US Standards body) are no longer recommending SMS text messages as part of a two factor authentication scheme. For more details see

It's a shame the UK Government even offer SMS based authentication as it lends credibility to an insecure authentication method.