WS2008: Terminal Services Architecture

Day Fourteen – we are past the halfway point.  A good portion of the next two weeks will be devoted to Terminal Services and the new TS features.  So strap in, and let’s get started …

We talked about the Windows Server 2008 Startup Processes in an earlier post.  SMSS.EXE is still the first user-mode process created during the boot process as in previous versions of Windows.  The change is that now SMSS.EXE launches a second instance of itself to configure Session 0, which is dedicated to system processes.  The instance of SMSS.EXE dedicated to Session 0 launches the Windows Startup Application (WININIT.EXE) as well as an instance of CSRSS.EXE for Session 0, after which it exits.  WININIT.EXE continues the startup process by starting SERVICES.EXE and LSASS.EXE as well as a new process, the Local Session Manager (LSM.EXE) which manages Terminal Server connections for the machine.

The Service Control Manager initializes the system services including the Terminal Services service which is implemented in termsrv.dll and hosted in an instance of SVCHOST.EXE.  The Terminal Services stack driver, termdd.sys, is loaded and creates a listener thread to listen for incoming connections on TCP port 3389.  When a session request is detected, the RDP listener thread creates a new RDP stack instance to handle the new session request.  The listener thread hands over the incoming session to the new RDP stack instance and continues listening on TCP port 3389 for further connection attempts.

When a user logs on, either at the console or via Terminal Services, the initial Session Manager process creates a new instance of itself to configure the new session.  The new SMSS.EXE process starts a CSRSS.EXE process, a Windows Logon process (WINLOGON.EXE) and a per-session instance of the Window Manager (WIN32K.SYS).  WINLOGON.EXE starts the processes listed in the following registry value (USERINIT.EXE by default): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.  USERINIT.EXE starts the process defined as the shell in the following registry value (EXPLORER.EXE by default on full installations of Windows Server 2008 and CMD.EXE on Server Core installations of Windows Server 2008) and then exits: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
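Because every console and Terminal Services logon runs whatever the Winlogon key's Userinit and Shell values name, it is worth checking that they still hold the defaults described above. The PowerShell below is an added example, not code from the original post; the function names (Get-ImageName, Test-WinlogonValue) and the sample values are constructed for illustration.

```powershell
# Added example: compare Winlogon Userinit/Shell with the defaults named in the text.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Userinit = @('userinit.exe'); Shell = @('explorer.exe', 'cmd.exe') }

function Get-ImageName([string]$Command) {
    # Reduce a command line to the lower-cased file name of its executable.
    # An unquoted path containing spaces will not match and is therefore flagged.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { $exe = $c.Substring(1).Split('"')[0] }
    else { $exe = $c.Split(' ')[0] }
    return [System.IO.Path]::GetFileName($exe).ToLower()
}

function Test-WinlogonValue {
    param([string]$Name, [string]$Value, [string[]]$Allowed)
    # Userinit is a comma-separated list (the default ends with a comma);
    # Shell is a single command line.
    if ($Name -eq 'Userinit') { $entries = $Value.Split(',') } else { $entries = @($Value) }
    $images = @($entries | Where-Object { $_.Trim() } | ForEach-Object { Get-ImageName $_ })
    $unexpected = @($images | Where-Object { $Allowed -notcontains $_ })
    New-Object PSObject -Property @{
        Name       = $Name
        Value      = $Value
        Unexpected = ($unexpected -join ', ')
        Ok         = ($images.Count -gt 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample values, so the check can be exercised on any machine.
$samples = @(
    @{ Name = 'Userinit'; Value = 'C:\Windows\system32\userinit.exe,' },
    @{ Name = 'Userinit'; Value = 'C:\Windows\system32\userinit.exe,C:\Temp\helper.exe' },
    @{ Name = 'Shell';    Value = 'explorer.exe' }
)
$results = @(foreach ($s in $samples) {
    Test-WinlogonValue -Name $s.Name -Value $s.Value -Allowed $expected[$s.Name]
})

# Live values, when the key is readable (Windows only).
if (Test-Path $WinlogonKey) {
    $live = Get-ItemProperty -Path $WinlogonKey
    $results += @(foreach ($n in 'Userinit', 'Shell') {
        Test-WinlogonValue -Name $n -Value ([string]$live.$n) -Allowed $expected[$n]
    })
}
$results | Format-Table Name, Ok, Unexpected, Value -AutoSize
```

A matching file name does not prove the binary is the genuine one, so a row with Ok = True still merits a look at the full path in the Value column.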

Terminal Server client sessions use separate drivers on the server, one for the display (rdpdd.dll) and one for the keyboard and mouse (rdpwd.sys).  The user interface rendering calls are captured by rdpdd.dll and transmitted to the client over the RDP protocol.  The keyboard and mouse input on the client is transmitted over the TCP connection to rdpwd.sys for translation.  These drivers provide the remote server interaction functionality for the client session.  Remember that prior to Windows Server 2008, TS session creation was done serially by the Session Manager process, SMSS.EXE.  The new Session Manager design provides parallel session initialization, with the session-specific instances of SMSS.EXE concurrently creating the WINLOGON.EXE and CSRSS.EXE process instances for each session.  The end result is improved Terminal Server logon times.

The next two tables list out the important services and binaries for Terminal Services on Windows Server 2008.

Terminal Server Services

| Service | Location | Details |
|---|---|---|
| Terminal Services (TermServices) | %systemroot%\system32\svchost.exe -k termsvcs | Main TS service required for all Terminal Services and Remote Desktop functionality |
| Terminal Services Configuration (SessionEnv) | %systemroot%\system32\svchost.exe -k netsvcs | Responsible for all Terminal Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context |
| Terminal Services Gateway (TSGateway) | %systemroot%\system32\svchost.exe -k tsgateway | Provides TS Gateway functionality |
| Terminal Services Session Broker (Tssdis) | %systemroot%\system32\tssdis.exe | Provides TS Session Broker functionality |
| Terminal Services UserMode Port Redirector (UMRdpService) | %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted | Provides device redirection functionality |

Terminal Server Binaries

| Component | Description |
|---|---|
| AACLIENT.DLL | “Anywhere Access” Client DLL (Terminal Services Web Access) |
| CREDSSP.DLL | Terminal Server Single Sign On Security Support Provider (SSP) |
| MSTSCAX.DLL | Terminal Server ActiveX Control |
| MSTSC.EXE | Remote Desktop Connection application executable |
| RDPINIT.EXE | Used for RemoteApp initialization, started by USERINIT.EXE |
| RDPSHELL.EXE | The RemoteApp Shell, used instead of EXPLORER.EXE |
| RDPSND.DLL | Legacy user-mode audio driver |
| RDPWSX.DLL | User-mode protocol extension.  Handles setup / connect / disconnect |
| RDPDR.SYS | Kernel-mode device redirector / Drive Redirection / Smart Card Redirection / Printer Redirection / Port Redirection |
| RDPDD.DLL | Terminal Services Display Driver |
| RDPWD.SYS | Terminal Services session mouse and keyboard driver |
| RDPCLIP.EXE | Terminal Services Clipboard redirection |
| TERMSRV.DLL | Manages binding of connection stacks to Win32 context, CSRSS, etc.  Runs in a shared service host as a service via SVCHOST.EXE: %systemroot%\system32\svchost.exe -k termsvcs |
| TERMDD.SYS | Terminal Services Device Driver that provides the run-time for network specific components and listens for RDP client connections on TCP port 3389 |
| TDTCP.SYS | Packages the RDP protocol for the underlying network TCP/IP protocol |
| TSDDD.DLL | Terminal Services display driver used when making a console connection |
| WINLOGON.EXE | Handles user logons and logoffs and processes the special Windows key combination (CTRL+ALT+DEL).  Responsible for starting the Windows shell (which is usually Windows Explorer) |
| WINSTA.DLL | Provides session-related information such as idle and session login time and supports tasks such as session shadowing and switching |
| WINMM.DLL | Media Control Interface (MCI) API DLL.  This is a library that supports multimedia services; it is used to initialize .WAV, .MID and .AUX files |
| WTSAPI32.DLL | Windows Terminal Server SDK APIs |

That brings us to the end of our quick overview of the Terminal Services Architecture in Windows Server 2008.  Tomorrow we will go over some of the Management and Administration components of Terminal Server.  Until next time …

CC Hameed
