ClearType over Remote Desktop in Windows XP

Download source - 92.18 KB

Introduction

A few of my favorite things are:

ClearType font smoothing in Windows XP
Working from home using Remote Desktop
Not running Vista

Unfortunately, when using Remote Desktop Protocol (RDP) to connect to your Windows XP machine, font smoothing using ClearType is disabled. My guess is that back in 2001 when XP was released, Microsoft made the decision that ClearType over RDP would be prohibitively slow.

In 2007, however, multi-megabit broadband is much more common and the decision to not allow users to enable ClearType seems a tad bit dated (which Microsoft itself seems to realize... Windows Vista supports ClearType over RDP).

So, armed with both WinDBG and my assumption that patching a few choice bytes in the kernel would rectify this problem, I set off to enable ClearType over RDP in Windows XP.

Some Background

I wish I could describe the exact methodology I used to find the code path that does the RDP check but it was really just a lot of trial and error. Also, the fact that I wrote this code over a year ago means I don't even remember all the dirty details myself. Memories of fruitless days spelunking through disassembled kernel code are memories that are quickly repressed, it seems.

So, despite not really having any instructional value, I wanted to put this utility out there. It's made long days of Remote Desktop work a little easier on my eyes and I know the other ClearType aficionados I've shared it with are equally relieved that they finally have a solution to the problem.

Overview

There are two parts to the program:

A kernel driver that patches a few bytes in win32k.sys
A user-mode application that loads the driver and tells it to go ahead and do the patch

The kernel portion is easy. Basically, in win32k.sys, there's a code path that looks like this (courtesy of WinDBG's disassembler):

bf811387 66393550399abf  cmp     word ptr [win32k!gProtocolType (bf9a3950)],si
bf81138e 0f85c2feffff    jne     win32k!LFONTOBJ::ppfeMapFont+0x77 (bf811256)

I found in my debugging that the gProtocolType variable was different depending on whether you were at the console or accessing the machine via Remote Desktop. In a console session, the jne branch was not taken; over RDP it was.

The simplest change (and the one that produced the desired results) was to just skip that jne instruction. Replacing it with nops meant that the branch wouldn't be followed - the non-RDP code-path would always be the one taken.

The kernel portion of this program (RdpClearType.sys) simply does this nop patching.

However, there is one caveat: it appears that each logon session gets its own copy of win32k.sys mapped into its address space (in a region called "Session Space"). When I installed the driver and either set it to start on boot or started it manually using the Service Control Manager (SCM), it didn't work. My guess is that, in both cases, because the driver was being loaded by the SCM (which wasn't running in my logon session) the effects weren't visible from my session.

My solution was to create a user-mode loader application that broke the process down into two steps:

Load and start the driver through the normal SCM interfaces (CreateService and StartService). My driver's DriverEntry code would be called on one of the SCM's threads and execute in its logon session. This is why my DriverEntry function doesn't do the actual patching...it simply creates a "device" that is visible to user-mode called \DosDevices\RdpClearType.
After the driver has been loaded and started, the user-mode code opens the \DosDevices\RdpClearType device and calls DeviceIoControl. While servicing this call, the driver's code is executing on my thread running in my logon session. Doing the patching here affects win32k.sys in my Session Space.
Finally, a call to the Windows API function ValidateRect causes the entire screen to refresh. All the fonts are now rendered using ClearType.

Just to keep things easy, I've embedded the RdpClearType.sys driver inside of RdpClearType.exe as a resource. When you run RdpClearType.exe, the SYS file is extracted to your temp directory and loaded from there.

Usage

It couldn't be easier...just run RdpClearType.exe on the machine you're connecting to. You can even safely run it when you're Remote Desktop'ed in (which is extra-fun because you get to see the transformation happen right before your eyes!).

Neither the patch nor the driver persists across reboots. You'll need to run RdpClearType.exe each time you reboot.

Compatibility

I've been using this for about a year on Windows XP Professional SP2. I'm sure a Service Pack will invalidate the hard-coded address I'm patching and I don't do any sort of memory scanning or symbol lookup to find the location. There's just a simple check to make sure the existing bytes are what I expect them to be.

If a Service Pack or an update breaks it, I'll do what I can to update the code in a timely manner. Of course, if you have the Windows Driver Development Kit (DDK), Visual Studio, WinDBG and a lot of patience, you can find the new address yourself and rebuild the program. (Fun!)

History

2007-10-13: Initial release
2007-10-22: Added another possible patch address. The patch will now work with win32k.sys versions 5.1.2600.3099 and 5.1.2600.2770. A big thanks to Rob deMontarnal for his help in debugging the compatibility issue in the initial release!
2007-11-06: Added patch addresses for win32k.sys versions 5.1.2600.3180 and 5.1.2600.3115
2007-11-09: Added patch address for win32k.sys version 5.1.2600.2180

You must Sign In to use this message board.


Per page

Doesn't work with 5.1.2600.2770 [modified]
Chromax

16:12 13 Oct '09

I used your utility for years, then when I upgraded to IE8 on September 22, 2009... it stopped working but I took a while to notice.

Same error as others, "ERROR creating service: 1073".

My win32k.sys version is 5.1.2600.2770

I've uploaded that file in a RAR archive to here, for you to make a version that works with it:

http://www.megaupload.com/?d=YX9W77CV[^]

And no, I'm not going to install SP3 which is full of crap just to get cleartype in RDP.

modified on Tuesday, October 13, 2009 9:20 PM

Removing it
queerasmoi

11:40 11 May '09

I installed this patch somewhere over a year go, and while I find the results visually pleasing, I recently moved to an apartment with a lower upstream broadband connection and now text takes way too long to load over RDP. So I would like to remove the patch. Unfortunately I don't know how to! If I initiate an RDP session with the "Font Smoothing" unchecked, it still gives me ClearType on the other end.

Is there any way I can revert RDP back to the original behaviour? (no Cleartype on RDP, but when I get home and log in Cleartype is back)

Any help would be appreciated.

Direct and dynamic patch for win32k.sys 5.1.2600.5756
Member 4429503

15:33 22 Mar '09

Whichever one you choose – verify md5 before and after!

You will need following zip file (Dan Farino post from 17:59 16 Apr 08)
http://homepage.mac.com/dan.farino/RdpClearType.zip

win32k.sys patch for 5.1.2600.5756

md5:
16b961a0552bc09b9e3a338fc816ffe5 *win32k.sys.5.1.2600.5756
4359c53e38edd7fb8febf852a7a2b99b *win32k.sys.5.1.2600.5756.patched

Comparing files win32k.sys.5.1.2600.5756 and WIN32K.SYS.5.1.2600.5756.PATCHED
00000148: 6C 9A
00000149: 57 36
000106CB: 0F 90
000106CC: 85 90
000106CD: C2 90
000106CE: FE 90
000106CF: FF 90
000106D0: FF 90

00000148 & 00000149 <- PE Header checksum update
000106CB…000106D0 Actual patch

Or dynamic patch patch (c) “Dan Farino”

RdpClearType.exe patch to work with win32k.sys for 5.1.2600.5756
md5:
dd1f48b3f093dde13eebe2c287b28bec *RdpClearType.exe
8d41d9e9f4861df4fc64def9125d1022 *RdpClearType.exe.orig

Comparing files RdpClearType.exe.orig and RDPCLEARTYPE.EXE
00000138: BB A5
00000139: 3C 32
0002A348: F3 E8
0002A349: D5 D0
0002A5C0: D6 CB
0002A5C1: 0B 06

00000138 & 00000139 <- PE Header checksum update for RdpClearType.exe
0002A348 & 0002A349 <- PE Header checksum update for RdpClearType.sys (resource BIN/102 in RdpClearType.exe)

0002A5C0…0002A5C1 Actual patch

(Source file driver.c, line #27
char *pPatch1 = (char*)0xBF810BD6; )
has changed to
char *pPatch1 = (char*)0xBF8106CB; ) // Patch location for win32k.sys.5.1.2600.5756

Once again: Whichever one you choose – verify md5 before and after!

Thanks
bgs264

0:55 8 Jul '08

Just a note to say thanks. Maybe now I can cancel the impending opticians visit! Cheers for posting this.
Sign In·View Thread·PermaLink

XP SP3 support RDP ClearType natively
s4e8

4:46 19 May '08

Import following registry file and _GO_. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations] "AllowFontAntiAlias"=dword:00000001
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
sendonline

5:59 19 May '08

It works, my eyes thank you!
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
yomoma2

18:09 22 May '08

To me it doesn't seem to if the host machine is under xp. Any more details?
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
s4e8

22:16 22 May '08

You must install XP 3bit SP3, you can verify by follow command: strings win32k.sys \| find "AllowFontAntiAlias" After import this registry, you must do a reboot. This registry key corresponding to symbol win32k!gbAllowRemoteAntiAliasing inside the windbg.
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively [modified]
s4e8

0:31 23 May '08

Sorry, I make a mistake. There is 2 registry for remote font antialiasing.

[code]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations]
"AllowFontAntiAlias"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"AllowFontAntiAlias"=dword:00000001
[/code]

If a session initialed by console, and switch to remote afterwards, it use the first one. If it's initialed by RDP, then use the second.
After change settings, re-logon is required, reboot is optional.

modified on Friday, May 23, 2008 5:39 AM

Re: XP SP3 support RDP ClearType natively
yomoma2

3:20 23 May '08

Thanks, and great job! I've just noticed that it worked only if the session was started locally. As I usually initialize it by RDP, it didn't work as the second string was missing.
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
JasonBunting

9:04 30 May '08

Totally awesome - w00t!!! Thank you SO much for posting this, I'm loving it! Consolas over RDP on XP is da bomb.
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
Randy87

6:58 11 Aug '08

Yep, this works for sure. Just put it on an XP SP3 VM of mine. Thanks a lot!
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
Member 4255858

8:24 17 Oct '08

I added the two registry entries to my Win XP sp2 machine, and it works too. Thanks.
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
bgs264

1:19 22 Dec '08

That's beautiful! Thank you so much. It works a charm on a recently patched XP Pro SP2 machine when a patch broke the fix provided by the original author's article. Many thanks to s4e8. Regards, Ben
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
technowannabe

8:22 5 Jan '09

The patch works great with two XP Pro SP2 machines and the registry entries listed in this thread. Great work - it's really refreshing to have my font smoothing back!!! Todd
Sign In·View Thread·PermaLink

Re: XP SP3 support RDP ClearType natively
R Cheung

23:24 18 Oct '08

The host computer is running SP3, but the client computer is running SP2. I have added the registry commands on both the host and the client, but it is not working. Do both ends have to run SP3?
Sign In·View Thread·PermaLink	2.00/5

Does SP3 now enable clear type font smoothing?
Pete1215

16:10 16 May '08

I noticed that SP3 has this added feature -- from knowledge base article
951616 which describes the RDP 6.1 upgrade:

Visual provements
Remote Desktop Connection now supports 32-bit color and font smoothing.

To enable 32-bit color, follow these steps: 1. Click Start, click All Programs, click Accessories, click Communication, and then click Remote Desktop Connection.
2. Click Options, click the Display tab, and then click Highest Quality (32 bit) in the Colors list.
To enable font smoothing, follow these steps: 1. Click Start, click All Programs, click Accessories, click Communication, and then click Remote Desktop Connection.
2. Click Options, click the Experience tab, and then select the Font smoothing check box.

I thought I'd wait awhile for the dust to settle wrt SP3 before I installed it.

Anybody know if this now gives cleartype?
Would both sides need to run RDP 6.1?

Pete.

Re: Does SP3 now enable clear type font smoothing?
yomoma2

4:57 17 May '08

32bit works via reg, but font smoothing doesn't seem to work on a xp->xp connection. IIRC it's only available if the host is on Vista.
Sign In·View Thread·PermaLink

Re: Does SP3 now enable clear type font smoothing?
Pete1215

14:04 18 May '08

Yomoma2: Could you clarify what "32bit works via reg" means. Sorry, I'm missing something. Pete.
Sign In·View Thread·PermaLink

Re: Does SP3 now enable clear type font smoothing?
yomoma2

11:43 19 May '08

Via registry tweak you can enable 24bit colour (not 32bit, my fault) instead of the standard max 16bit.
Sign In·View Thread·PermaLink

Not working for xp sp3 5.1.2600.5512
sendonline

11:03 5 May '08

Any chance for update for 5.1.2600.5512? MD5 for win32k.sys: DE01D79A607C7B9AE7FF88E934D0FFB2
Sign In·View Thread·PermaLink	5.00/5

Re: Not working for xp sp3 5.1.2600.5512
yomoma2

11:47 6 May '08

Not working for me with final sp3 b5512 sp3 too! Thanks for you attention.
Sign In·View Thread·PermaLink	5.00/5

Re: Not working for xp sp3 5.1.2600.5512
JasonBunting

10:08 9 May '08

Ditto - I wish I knew more about hacking this kind of thing, I would just do it myself. Thank you for your hard work on this!
Sign In·View Thread·PermaLink

Any chance of an update?
Dave Abrahams

16:17 23 Apr '08

It looks like some recent microsoft security fix made your wonderful patcher stop working, at least for me. I'm not getting any errors, but I'm also not getting any font smoothing. Do you suppose you can repeat your magic trick and get it to work again? Thanks billions, Dave
Sign In·View Thread·PermaLink	2.00/5

Re: Any chance of an update?
Dave Abrahams

16:19 23 Apr '08

Err, sorry... This is obviously the same problem as appears in another thread, which for some reason was hidden from me until I posted this one.
Sign In·View Thread·PermaLink