Remote Desktop Conspiracy/Mystery


  1. Posts : 6
    Windows 7 Ultimate x64
       #1


    Greetings, this is my first post here.

    I'm wondering if someone has time to help investigate or can duplicate a strange experience I've had recently with Remote Desktop in Windows 7 Ultimate x64.

    Here's my story...

    I have a small home network set up and regularly rdp from my Windows XP sp3 living room laptop to my Win 7 Ultimate x64 desktop in my home office.

    Everything has been working fine for some time. Last week, I lost the ability to connect. On the Win 7 machine there were several errors in the system event logs indicating Terminal server failing as follows:

    Terminal Server session creation failed. The relevant status code was %1 is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.

    and

    Terminal Server listener stack was down. The relevant status code %1 is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.

    I searched the net for these errors and found something quite bizarre was going on.

    It seems that on 3/14 MS issued a security update to patch a potential rdp exploit.
    The story behind the update is a strange one; there are allegations that the exploit itself was leaked to the wild by MS or one of its security partners ahead of the patch. Sort of a conspiracy theory. The tech news was all over it. You can google news for "Microsoft Leaks RDP Exploit" or have a look here for an example.

    Chinese hack Microsoft

    Ok, that being said, my personal story gets stranger. I checked my Windows Update logs and found my machine had indeed taken the unattended updates to prevent the rdp exploit, specifically MS12-020, KB2667402.

    The timing of the update corresponded directly with my inability to rdp, so I dug a little further. I decided to do a system file integrity check. I opened an elevated command prompt and did a sfc /scannow at the dos prompt.

    Sure enough! The scan indicated a problem with a critical rdp component as shown below.

    ==========================================================
    2012-03-22 13:04:33, Info CSI 000000bc [SR] Verify complete
    2012-03-22 13:04:33, Info CSI 000000bd [SR] Repairing 1 components
    2012-03-22 13:04:33, Info CSI 000000be [SR] Beginning Verify and Repair transaction
    2012-03-22 13:04:33, Info CSI 000000c0 [SR] Cannot repair member file [l:20{10}]"rdpwsx.dll" of Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-Binaries, Version = 6.1.7601.17767, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2012-03-22 13:04:33, Info CSI 000000c2 [SR] Cannot repair member file [l:20{10}]"rdpwsx.dll" of Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-Binaries, Version = 6.1.7601.17767, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2012-03-22 13:04:33, Info CSI 000000c3 [SR] This component was referenced by [l:154{77}]"Package_3_for_KB2667402~31bf3856ad364e35~amd64~~6.1.1.1.2667402-6_neutral_GDR"
    2012-03-22 13:04:33, Info CSI 000000c6 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"rdpwsx.dll"; source file in store is also corrupted
    2012-03-22 13:04:33, Info CSI 000000c8 [SR] Repair complete
    ================================================================

    Ah Ha!!! rdpwsx.dll from Package_3_for_KB2667402 is the culprit!

    I thought surely this corrupt file must be the problem. So I uninstalled update KB2667402, rebooted and sure enough, rdp connectivity was back, and sfc indicates no errors.

    I thought maybe there was an error in downloading the update and let Windows Update install it again. Reboot and the corrupt file is back and no rdp joy. Uninstalled again and everything fine. Then I decided to update manually by downloading the individual update Windows6.1-KB2667402-x64.msu file manually from MS. Same exact problems!

    The rdpwsx.dll in all update packages I've tried appears to be corrupt, and looks suspicious. If you view the file properties you'll see no signature or version information like you would in most MS certified files, just a time and date stamp. And it fails sfc check every time.

    I've tried this literally dozens of times with the same results. The update succeeds with no failure but creates this suspicious bad file in the process. Could it be that the update itself is corrupt and MS doesn't realize it yet?

    Can someone here with the same OS please see if you can verify or duplicate my results? I'm thinking MS may be sending a corrupt security update that breaks rdp without knowing it. I'm not sure how a person would contact MS to report this.

    The solution for me is simple enough, uninstall the update and tell Windows Update not to try and install it again.

    If you want to be safe from the exploit without the update you can turn off rdp altogether or set it to require Network Level Authentication.

    But geez, if this update really does contain a bad or hacked file, think of how many others could be affected.

    Am I the only one experiencing this???

    Thanks in advance for the help or whatever comments you may have.


  2. Posts : 6
    Windows 7 Ultimate x64
    Thread Starter
       #2

    Really what I'm looking for is to find someone who also has Win 7 Ultimate x64 installed, and who has taken update KB2667402 to compare notes with.

    If someone has the time, I'd be very interested in seeing the results of a System File Checker report to see if their rdpwsx.dll file is also corrupt or bad after the update.

    To do this open an elevated command prompt. Start>All Programs>Accessories, right click Command Prompt and run as administrator. Then at the prompt: sfc /scanfile=c:\windows\system32\rdpwsx.dll

    If errors are detected, you can export the results to a text file.

    At the command prompt: findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >c:\sfcerror.txt

    Where c:\sfcerror.txt will be the text file that will contain the error details.

    If no error is detected, I'd really be interested in knowing the non-corrupted rdpwsx.dll file details, especially version, date and time.

    If someone is bored and has time to dink around with this, it'll only take a few minutes, and would be greatly appreciated.

    Thanks!
      My Computer
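Added example, not part of the thread: a Python sketch that reads the [SR] lines produced by the findstr step in post #2 and groups them per file, so the damaged file, the update that delivered it, and whether the component store copy is also bad can be read off at once. The sample lines are abridged from the excerpt in post #1; the function name triage and the result field names are this example's own.

```python
import re

# Abridged from the sfc excerpt in post #1 (attribute lists shortened).
SAMPLE = r'''
2012-03-22 13:04:33, Info CSI 000000bd [SR] Repairing 1 components
2012-03-22 13:04:33, Info CSI 000000c0 [SR] Cannot repair member file [l:20{10}]"rdpwsx.dll" of Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-Binaries, Version = 6.1.7601.17767, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), hash mismatch
2012-03-22 13:04:33, Info CSI 000000c2 [SR] Cannot repair member file [l:20{10}]"rdpwsx.dll" of Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-Binaries, Version = 6.1.7601.17767, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), hash mismatch
2012-03-22 13:04:33, Info CSI 000000c3 [SR] This component was referenced by [l:154{77}]"Package_3_for_KB2667402~31bf3856ad364e35~amd64~~6.1.1.1.2667402-6_neutral_GDR"
2012-03-22 13:04:33, Info CSI 000000c6 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"rdpwsx.dll"; source file in store is also corrupted
2012-03-22 13:04:33, Info CSI 000000c8 [SR] Repair complete
'''

CANNOT = re.compile(r'Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+), Version = ([\d.]+)')
REF = re.compile(r'This component was referenced by \[[^\]]*\]"([^"]+)"')
REPROJ = re.compile(r'Could not reproject corrupted file .*\]"([^"]+)"; (.*)$')

def triage(lines):
    """Group sfc [SR] records by file name (lower-cased)."""
    findings, last = {}, None
    for line in lines:
        if "[SR]" not in line:
            continue
        if m := CANNOT.search(line):
            last = m.group(1).lower()
            f = findings.setdefault(last, {
                "component": m.group(2), "version": m.group(3),
                "reason": line.rsplit(", ", 1)[-1].strip(),
                "packages": set(), "store_corrupt": False, "reports": 0})
            f["reports"] += 1
        elif (m := REF.search(line)) and last:
            # The "referenced by" line belongs to the file reported just before it.
            kb = re.search(r"KB\d+", m.group(1))
            findings[last]["packages"].add(kb.group(0) if kb else m.group(1))
        elif m := REPROJ.search(line):
            name = m.group(1).lower()
            if name in findings and "store is also corrupted" in m.group(2):
                # sfc found no good copy in the store to restore from.
                findings[name]["store_corrupt"] = True
    return findings

if __name__ == "__main__":
    for name, f in triage(SAMPLE.splitlines()).items():
        print(name, f["version"], f["reason"], sorted(f["packages"]),
              "store copy also corrupt" if f["store_corrupt"] else "store copy ok")
```

To run it on a real machine, pass the lines of the c:\sfcerror.txt file from post #2 to triage() instead of SAMPLE.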


  3. Posts : 6,330
    Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64 +Linux_VMs +Chromium_VM
       #3

    I just tested this on a Win 7 Ult 64 system and I don't get any Integrity violations for rdpwsx.dll.

    Update KB2667402 was installed on 3/14/2012.

    Remote Desktop Conspiracy/Mystery-rdpwsx-scr-prt-01.png

    Remote Desktop Conspiracy/Mystery-rdpwsx-scr-prt-02.png


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #4

    I tested this too:
    RDP from XP SP3 to W7 was fine - but I only had W7 32bit to play with.
    SFC was fine too.

    Has KB 2621440 been applied to your XP box?


  5. Posts : 6
    Windows 7 Ultimate x64
    Thread Starter
       #5

    Thank you to everyone who responded.

    With the info you provided I was able to see the problem was clearly on my side and not with the update package itself.

    Once I understood that, I looked at the event logs again, and while there were no errors in the system events regarding the update, there were in the setup logs (which I didn't examine before). Doh!

    Pretty cheeky of me to think the update package itself was flawed.

    I solved this issue by using msconfig to run a completely clean boot with no third party processes or drivers, reinstalled the update package, and everything is good now.

    I've marked this mystery solved. Thanks again, great forum here, great folks too. Glad I registered, kudos to all.


  6. Posts : 6,330
    Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64 +Linux_VMs +Chromium_VM
       #6

    Glad you got it working.

    Thanks for posting back with the solution!


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd