The DAO Ethereum Recursion Bug: El Gordo!

If you found my article, I would consider it a reasonable assumption that you already understand the importance of this

Brief Introduction

The splitDAO function was created in order for some members of the DAO to separate themselves and their tokens from the main DAO, creating a new ‘child DAO’, for example in case they found themselves in disagreement with the majority.

The child DAO goes through the same 27 day creation period as the original DAO. Pre-requisite steps in order to call a splitDAO function are the creation of a new proposal on the original DAO and designation of a curator for the child DAO.

The child DAO created by the attacker has been referred as ‘darkDAO’ on reddit and the name seems to have stuck. The proposal and split process necessary for the attack was initiated at least 7 days prior to the incident.

The exploit one alone would have been economically unviable (attacker would have needed to put up 1/20th of the stolen amount upfront in the original DAO) and the second one alone would have been time intensive because normally only one splitDAO call could be done per transaction.

One way to see this is that the attacker performed a fraud, or a theft. Another way, more interesting for its implications, is that the attacker took the contract literally and followed the rule of code.

In their (allegedly) own words:

@stevecalifornia on Hacker News – https://news.ycombinator.com/item?id=11926150

“DAO, I closely read your contract and agreed to execute the clause where I can withdraw eth repeatedly and only be charged for my initial withdraw.

Thank you for the $70 million. Let me know if you draw up any other contracts I can participate in.

Regards, 0x304a554a310c7e546dfe434669c62820b7d83490″

The HACK

An “attacker” managed to combine two “exploits” in the DAO.

1) The attacker called the splitDAO function recursively (up to 20 times).

2) To make the attack more efficient, the attacker also managed to replicate the incident from the same two addresses (using the same tokens over and over again (approx 250 times).

Quote from “Luigi Renna”: To put this instance in a natural language perspective the Attacker requested the DAO “I want to withdraw all my tokens, and before that I want to withdraw all my tokens, and before that I want to… etc.” And be charged only once.

The Code That was Hacked

Below is the now infamous SplitDAO function in all its glory:

function splitDAO(
uint _proposalID,
address _newCurator
) noEther onlyTokenholders returns (bool _success) {
...
// Get the ether to be moved. Notice that this is done first!
uint fundsToBeMoved =
(balances[msg.sender] * p.splitData[0].splitBalance) /
p.splitData[0].totalSupply;
if (p.splitData[0].newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false) // << This is
the line the attacker wants to run more than once
throw;
...
// Burn DAO Tokens
Transfer(msg.sender, 0, balances[msg.sender]);
withdrawRewardFor(msg.sender); // be nice, and get his rewards
// XXXXX Notice the preceding line is critically before the next few
•http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/ Question: So what about Blockchain/DLs?
totalSupply -= balances[msg.sender]; // THIS IS DONE LAST
balances[msg.sender] = 0; // THIS IS DONE LAST TOO
paidOut[msg.sender] = 0;
return true;
}

The basic idea behind the hack was:

1) Propose a split.
2) Execute the split.
3) When the DAO goes to withdraw your reward, call the function to execute a split before that withdrawal
finishes (ie recursion).
4) The function will start running again without updating your balance!!!
5) The line we marked above as “This is the line the attacker wants to run more than once“ will run more
than once!

Thoughts on the Hack

The code is easy to fix, you can just simply zero the balances immediately after calculating the fundsToBeMoved. But this bug is not the real issue for me – the main problem can be split into two areas:

Ethereum is a Turing complete language with a stack/heap, exceptions and recursion. This means that even with the best intentions, we will create a vast number of routes through the code base to allow similar recursion and other bugs to be exposed. The only barrier really is how much ether it will cost to expose the bugs.
There is no Escape Hatch for “bad” contracts. Emin Gun Sirer wrote a great article on this here: Escape hatches for smart contracts

Whilst a lot of focus is going in 2) – I believe that more focus needs to be put into making the language “safer”. For me, this would involve basic changes like:

Blocking recursion. Blocking recursion at compile and runtime would be a big step forward. I struggle to see a downside to this, as in general recursion doesn’t scale, is slow and can always be replaced with iteration. Replace Recursion with Iteration
Sandbox parameterisation. Currently there are no sandbox parameters to sit the contracts in. This means contracts the economic impact of these contracts are more empirical than deterministic. If you could abstract core parameters of the contract like the amount, wallet addresses etc etc and place these key values in an immutable wrapper than unwanted outcomes would be harder to achieve.
Transactionality. Currently there in no obvious mechanism to peform economic functions wraped in an ATOMIC transaction. This ability would mean that economic values could be copied from the heap to the stack and moved as desired; but critically recursive calls could no revist the heap to essentially “duplicate” the value. It would also mean that if a benign fault occured the execution of the contract would be idempotent. Obviously blocking recursive calls goes some way towards this; but adding transactionality would be a material improvement.

I have other ideas including segregation of duties using API layers between core and contract code – but am still getting my head around Ethereum’s architecture.

How to Ping a computer using .NET Sockets

///
/// The main entry point for the application.
///
[STAThread]

static void Main(string[] args)
{

    int timeToReplyMs = Ping("andrewbaker.ninja", 10000);
    Console.WriteLine("Time Taken(ms): " + timeToReplyMs);
}




#region Ping Method
///
/// Pings a host and returns the time taken for the host to respond (given the host name or IP address of the host to ping).
///



/// The host (machine name or IP address) to ping.
/// The ping timeout in ms (zero represents infinite).
/// Returns the time in milliseconds to receive a response from the host.

public static int Ping(string host, int timeout)

{

    //IPHostEntry ipHost = Dns.GetHostByName(host);
    IPHostEntry ipHost = Dns.GetHostEntry(host);

    // Ping the server
    return Ping(ipHost, timeout);

}




///
/// Pings a host and returns the time taken for the host to respond.
///




/// The host to ping.
/// The ping timeout in ms (zero represents infinite).
/// Returns the time in milliseconds to receive a response from the host.

public static int Ping(IPHostEntry host, int timeout)

{

    // Declare some Constant Variables
    const int SOCKET_ERROR = -1;
    const int ICMP_ECHO = 8;
    int timeTaken;



    // Declare the IPHostEntry
    if (host == null)
    {
        throw new ArgumentNullException("host", "The host to ping must be specified.");
    }

    Socket socket = null;

    try

    {
        // Initilize a Socket of the Type ICMP
        socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Icmp);


        // Convert to the first Ip address from the host to an endpoint
        IPEndPoint ipepServer = new IPEndPoint(_GetValidAddress(host.AddressList), 0);
        EndPoint epServer = (ipepServer);

        // Set the receiving endpoint to the client machine
        IPHostEntry localHost;

        localHost = Dns.GetHostEntry(Dns.GetHostName());
        IPEndPoint ipEndPointFrom = new IPEndPoint(_GetValidAddress(localHost.AddressList), 0);
        EndPoint EndPointFrom = (ipEndPointFrom);


        int packetSize;

        IcmpPacket packet = new IcmpPacket();

        // Construct the echo packet
        packet.Type = ICMP_ECHO; //8
        packet.SubCode = 0;
        packet.CheckSum = UInt16.Parse("0");
        packet.Identifier = UInt16.Parse("45");
        packet.SequenceNumber = UInt16.Parse("0");

        int pingDataSize = 32; // sizeof(IcmpPacket) - 8;

        packet.Data = new Byte[pingDataSize];

        // Initilize the Packet.Data
        for (int i = 0; i < pingDataSize; i++)
        {
            packet.Data[i] = (byte)'#';
        }

        // Variable to hold the total Packet size
        packetSize = pingDataSize + 8;
        Byte[] icmpPacketBuffer = new Byte[packetSize];
        int totalPacketSize;


        // Call Serialize, which counts the total number of Bytes in the Packet
        totalPacketSize = _SerializePacket(packet, icmpPacketBuffer, packetSize, pingDataSize);


        // Error in Packet Size
        if (totalPacketSize == -1)
        {
            // Throw serialization exception
            throw new ApplicationException("Error serializing packet buffer");
        }

        // Get the packet into a UInt16 array
        // Get the Half size of the Packet
        Double packetSizeDouble = Convert.ToDouble(totalPacketSize);
        Double halfPacketSizeDouble = Math.Ceiling(packetSizeDouble / 2);
        int checkSumBufferLength = Convert.ToInt32(halfPacketSizeDouble);

        // Create a Byte Array
        UInt16[] checkSumBuffer = new UInt16[checkSumBufferLength];

        // Code to initilize the Uint16 array
        int icmpHeaderBufferIndex = 0;

        for (int i = 0; i < checkSumBufferLength; i++)
        {
            checkSumBuffer[i] = BitConverter.ToUInt16(icmpPacketBuffer, icmpHeaderBufferIndex);
            icmpHeaderBufferIndex += 2;

        }

        // Call a method which will return a checksum
        UInt16 unsignedCheckSum = _CalcChecksum(checkSumBuffer, checkSumBufferLength);

        // Save the checksum to the Packet
        packet.CheckSum = unsignedCheckSum;

        // Have the checksum, serialize the packet again
        Byte[] sendbuf = new Byte[packetSize];

        // Check the packet size
        totalPacketSize = _SerializePacket(packet, sendbuf, packetSize, pingDataSize);


        if (totalPacketSize == -1)
        {
            // Throw serialization exception
            throw new ApplicationException("Error serializing packet buffer");

        }


        // Start timing
        int dwStart = Environment.TickCount;

        // Send the Packet
        if (socket.SendTo(sendbuf, packetSize, 0, epServer) == SOCKET_ERROR)
        {
            throw new ApplicationException("Failed to send packet to " + host.HostName + ".");

        }


        // Initialize the buffers. The receive buffer is the size of the
        // ICMP header plus the IP header (20 bytes)
        Byte[] arrayBytesReceived = new Byte[256];


        // Loop for checking the time of the server responding
        while (true)

        {

            int nBytes = socket.ReceiveFrom(arrayBytesReceived, 256, 0, ref EndPointFrom);
            timeTaken = Environment.TickCount - dwStart;



            if (nBytes == SOCKET_ERROR)
            {

                throw new ApplicationException("Failed to receive response to echo packet from " + host.HostName + ".");

            }

            else if (nBytes > 0)

            {
                // Received message
                // int dwStop = Environment.TickCount - dwStart;
                // Console.WriteLine("Reply from " + epServer.ToString() + " in " + dwStop + "MS :Bytes Received" + nBytes);
                break;
            }




            // Default to a one second timeout
            if (timeTaken > timeout && timeout > 0)
            {
                throw new ApplicationException("Ping to " + host.HostName + " timed out after " + timeout + " milliseconds.");
            }
        }

    }
    finally
    {
        if (socket != null)
        {
            // close the socket
            socket.Shutdown(SocketShutdown.Both);
            socket.Close();
        }

    }




    return timeTaken;

}

//
// Find a valid IP address
private static IPAddress _GetValidAddress(IPAddress[] addressList)
{
    for (int i = 0; i < addressList.Length; i++)
    {
        try
        {
            var address = addressList[i].Address;
        }
        catch (Exception)
        {
            // Invalid address
            continue;
        }
        // The address is valid
        return addressList[i];
    }
    return null;
}



#region Private Methods

///
/// This method get the Packet and calculates the total size
/// of the Pack by converting it to byte array
///
private static int _SerializePacket(IcmpPacket packet, Byte[] Buffer, int PacketSize, int PingData)

{

    int cbReturn;

    // serialize the struct into the array
    int Index = 0;


    Byte[] b_type = new Byte[1];
    b_type[0] = (packet.Type);

    Byte[] b_code = new Byte[1];
    b_code[0] = (packet.SubCode);

    Byte[] b_cksum = BitConverter.GetBytes(packet.CheckSum);
    Byte[] b_id = BitConverter.GetBytes(packet.Identifier);
    Byte[] b_seq = BitConverter.GetBytes(packet.SequenceNumber);


    // Console.WriteLine("Serialize type ");
    Array.Copy(b_type, 0, Buffer, Index, b_type.Length);
    Index += b_type.Length;

    // Console.WriteLine("Serialize code ");
    Array.Copy(b_code, 0, Buffer, Index, b_code.Length);
    Index += b_code.Length;

    // Console.WriteLine("Serialize cksum ");
    Array.Copy(b_cksum, 0, Buffer, Index, b_cksum.Length);
    Index += b_cksum.Length;

    // Console.WriteLine("Serialize id ");
    Array.Copy(b_id, 0, Buffer, Index, b_id.Length);
    Index += b_id.Length;

    Array.Copy(b_seq, 0, Buffer, Index, b_seq.Length);
    Index += b_seq.Length;

    // copy the data
    Array.Copy(packet.Data, 0, Buffer, Index, PingData);

    Index += PingData;

    if (Index != PacketSize/* sizeof(IcmpPacket) */)
    {
        cbReturn = -1;
        return cbReturn;
    }

    cbReturn = Index;
    return cbReturn;
}

///
/// This Method has the algorithm to make a checksum
///
private static UInt16 _CalcChecksum(UInt16[] buffer, int size)

{
    int cksum = 0;
    int counter;

    counter = 0;

    while (size > 0)
    {
        UInt16 val = buffer[counter];
        cksum += Convert.ToInt32(val);
        counter += 1;
        size -= 1;
    }

    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);

    return (UInt16)(~cksum);

}

#endregion Private Methods




#region IcmpPacket Class (Private)

///
/// Class that holds the Pack information.
///
private class IcmpPacket
{

    ///
    /// Type of message
    ///
    public Byte Type;

    ///
    /// Type of sub code
    ///
    public Byte SubCode;

    ///
    /// Complement checksum of struct
    ///
    public UInt16 CheckSum;

    ///
    /// Identifier
    ///
    public UInt16 Identifier;

    ///
    /// Sequence number
    ///
    public UInt16 SequenceNumber;

    ///
    /// The data
    ///
    public Byte[] Data;

}

#endregion IcmpPacket Class (Private)

}

endregion

High Performance Timer

Below is a sample class containing a high performance timer. Example usuage:

PerformanceTimer pf = new PerformanceTimer(true);

float timeMs = pf.GetTimeMs();

using System;
using System.Runtime.InteropServices;

///
/// This class can be used to gather accurate performance timings.
///
public class PerformanceTimer
{


[DllImport("kernel32.dll")]
internal static extern bool QueryPerformanceCounter(ref long lpPerformanceCount);



[DllImport("kernel32.dll")]
internal static extern bool QueryPerformanceFrequency(ref long lpFrequency);



#region Private Variables

private bool _isRunning = false;
private long _startTime = 0;
private long _frequency = 0;
private float _elapsed = 0;

#endregion Private Variables



#region Constructors



///
/// Default constructor - does not start timer immediately.
///
public PerformanceTimer()
{

}



///
/// Constructor with option to start timer at same time.
///
///Whether to start timer immediately.

public PerformanceTimer(bool startTimer)

{

    if (startTimer)
    {

        Start();

    }

}

#endregion Constructors


#region Public Properties

///
/// Returns True if the timer is currently running.
///
/// To change the running state use the Start and Stop methods provided.

public bool IsRunning
{
    get { return _isRunning; }
}



#endregion Public Properties



#region Public Methods



///
/// Starts the performance timer running.
///

public void Start()

{
    QueryPerformanceFrequency(ref _frequency);
    QueryPerformanceCounter(ref _startTime);
    _elapsed = 0;
    _isRunning = true;

}



///
/// Stops the performance timer running.
///

public void Stop()

{

    // Call procedure that will set internal elapsed variable, then turn running flag off.

    GetTime();

    _isRunning = false;

}



///

/// Returns the time elapsed since "Start" was called (in seconds). If the timer

/// is not running the time elapsed between the last start and stop time is returned.

///

/// A float representing the time ellapsed (in seconds)

public float GetTime()

{

    if (_isRunning)
    {
        long endTime = 0;
        QueryPerformanceCounter(ref endTime);
        _elapsed = (float)(endTime - _startTime) / _frequency;
        return _elapsed;
    }
    else
    {
        return _elapsed;
    }
}



///
/// Returns the time elapsed since "Start" was called (in milliseconds). If the timer
/// is not running the time elapsed between the last start and stop time is returned.
///
/// A float representing the time ellapsed (in milliseconds)

public float GetTimeMs()

{
    if (_isRunning)
    {
        return GetTime() * 1000;
    }
    else
    {
        return _elapsed * 1000;

    }

}



///
/// Override ToString to display time nicely formatted.
///
/// Returns the time formatted as a string.

public override string ToString()

{
    return String.Format("{0:0000.000}s ", GetTime());
}
#endregion Public Methods

}

Importing Data From an Excel Workbook into a VB array

The following code can be used to import the contents of an excel workbook into an array from within a Visual Basic application.

Option Explicit

'Purpose     :  Reads an excel workbook's worksheet into a 2d array
'Inputs      :  sWorkbookPath           The path of the workbook to return the data from.
'               [sSheetName]            The name of the worksheet to return the data from.
'Outputs     :  Returns True if successful
'Author      :  Andrew Baker
'Date        :  31/12/2000 13:51
'Notes       :
'Revisions   :

Function ImportWorksheetFromExcel(sWorkbookPath As String, Optional sSheetName As String = "") As Variant
    Dim oExcel As Object
    Dim oWorkbook As Object
    Dim oWkSheet As Object
    Dim avValues As Variant
    
    On Error Resume Next
    'Check if file exists
    If Len(Dir$(sWorkbookPath)) > 0 Then
        Set oExcel = CreateObject("Excel.Application")
        If (oExcel Is Nothing) = False Then
            On Error GoTo ErrFailed
            'Successfully created an Excel Application
            'Open workbook
            Set oWorkbook = oExcel.Workbooks.Open(sWorkbookPath, False, True)
            'Add sheet to store results
            If Len(sSheetName) > 0 Then
                Set oWkSheet = oWorkbook.Sheets(sSheetName)
            Else
                'Just use first sheet
                Set oWkSheet = oWorkbook.Sheets(1)
            End If
            
            'Get used range
            Call RangeToArray(oWkSheet.UsedRange, avValues)
            
            'Close Excel
            oWorkbook.Close False
            oExcel.Quit
            Set oExcel = Nothing
        End If
    End If
    
    ImportWorksheetFromExcel = avValues
    Exit Function

ErrFailed:
    Debug.Assert False
    Debug.Print Err.Description
    On Error GoTo 0
End Function

'Purpose     :  Reads the values of a range into an array (much quicker than looping through a range)
'Inputs      :  rngInput                The range to extract the values from.
'               avValues                See outputs.
'Outputs     :  Returns the True on success.
'               avValues                An 2d array containing the values in the range.
'Author      :  Andrew Baker
'Date        :  31/12/2000 13:51
'Notes       :
'Revisions   :
'Example     :  Call RangeToArray(Worksheets(1).Range("A1:K1000"), avValues)

Function RangeToArray(rngInput As Object, avValues As Variant) As Boolean
    On Error GoTo ErrFailed
    avValues = Empty
    avValues = rngInput.Value
    RangeToArray = True
    
    Exit Function

ErrFailed:
    'Failed
    Debug.Print "Error in RangeToArray: " & Err.Description
    Debug.Assert False
    RangeToArray = False
    On Error GoTo 0
End Function

'Demonstration routine.
Sub Test()
    Dim avData As Variant, vCell As Variant

    avData = ImportWorksheetFromExcel("C:\Book1.xls")
    For Each vCell In avData
        Debug.Print "Cell: " + vCell
    Next
End Sub

Simple function to Add a number of weekdays to a date

Below is a simple function to add or subtract a number of weekdays to a specified date.

/// <summary>
/// Takes a reference date and add or subtracts a specified number of weekdays.
/// </summary>
/// <param name="date">The reference date.</param>
/// <param name="offset">The number of days to offset by.</param>
/// <returns>The reference date plus or minus the specified number of weekdays.</returns>
private DateTime AddWeekDays( DateTime date, int offset)
{
	int daysAdded = 0;
	int addDay = 1;
	if (offset < 0)
	{
		addDay = -1;
	}
	DateTime result = date;
	do
	{
		if (daysAdded == offset)
		{
			break;
		}
		if (result.DayOfWeek != DayOfWeek.Saturday && result.DayOfWeek != DayOfWeek.Sunday)
		{
			daysAdded = daysAdded + addDay;
		}
		result = result.AddDays(addDay);
	} while (true);
	return result;
}

A lightweight alternative to Process.GetCurrentProcess().ProcessName

Unfortunately, the following (seemingly harmless code) requires administrator rights (and on Windows 2003 you will need to be member of “Performance Monitor Users” group):

System.Diagnostics.Process.GetCurrentProcess().ProcessName

In most cases this is not appropriate and certainly not in a Citrix environment. If you call it without the correct permissions you the following stack dump:

Unhandled exception in EntryPoint: System.InvalidOperationException: Couldn't get process information from remote machine. ---> System.ComponentModel.Win32Exception: Access is denied    
 at System.Diagnostics.PerformanceMonitor.GetData(String item)    
 at System.Diagnostics.PerformanceCounterLib.GetPerformanceData(String item)    
 at System.Diagnostics.PerformanceCounterLib.get_CategoryTable()    
 at System.Diagnostics.PerformanceCounterLib.GetPerformanceData(String[] categories, Int32[] categoryIndexes)    
 at System.Diagnostics.NtProcessManager.GetProcessInfos(PerformanceCounterLib library)   
  --- End of inner exception stack trace ---    
 at System.Diagnostics.NtProcessManager.GetProcessInfos(PerformanceCounterLib library)    
 at System.Diagnostics.NtProcessManager.GetProcessInfos(String machineName, Boolean isRemoteMachine)    
 at System.Diagnostics.ProcessManager.GetProcessInfos(String machineName)    
 at System.Diagnostics.Process.EnsureState(State state)    
 at System.Diagnostics.Process.get_ProcessName()

Below is a light weight alternative to System.Diagnostics.Process.GetCurrentProcess().ProcessName and does not require any special permissions:

/// <summary>
/// Returns the starting process name (same as System.Diagnostics.Process.GetCurrentProcess().ProcessName),
/// but doesn't require any admin rights.
/// </summary>
/// <returns>Returns the starting process name.</returns>
public static string GetCurrentProcessNameLite()
{
	string procName = new System.IO.FileInfo(System.Reflection.Assembly.GetEntryAssembly().Location).Name;
	if (procName.ToLower().IndexOf(".exe") > -1)
	{
		// Remove the ".exe" extension
		procName = procName.Substring(0, procName.Length - 4);
	}
	return procName;
}

Managing Terminal Services Sessions Remotely

I regularly administer Windows 2000 Server and Windows Server 2003 machine using Terminal Services. In W2K I use Terminal Services in Administration mode and in W2K3 I use Remote Desktop. Basically this is the same thing but it’s packaged a bit differently on the two OSes. In both situations there are only 2 users allowed for administration so occasionally both are used up and I can’t access the server. This may happen if two people are legitimately using the servers or if someone forgot to log off. Yes, I do have the settings set to automatically disconnect and/or log off a user after X minutes of inactivity but even with that there are times when I need to be able to manage this remotely.

You would think this would be as easy as connecting to the remote server by adding the Terminal Services Manager snap-in to a MMC console or remotely stopping and starting the service (in a pinch). Strangely, these obvious solutions aren’t available. Terminal Services Manager doesn’t exist as a snap-in to connect to a remote machine and because the TermService service is a core system service, you can’t even stop it on the local machine, let alone a remote one.

Fortunately there is an easy solution. Windows 2000+ (includes Windows XP and 2003) have two command-line tools called qwinsta and rwinsta that can query and reset a remote session.

For example, let’s say that I can’t gain access to a server using Terminal Services because both sessions are used up. I can use another server to check the status of the first one. As long as the logged in user has administrative rights on the non-accessible machine I would run this:

qwinsta /server:12.12.12.12

Where 12.12.12.12 is the IP address or name of the non-accessible machine.

This will display something like this:

   qwinsta /server:12.12.12.12
    SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
    console                                     0  Conn    wdcon
    rdp-tcp                                 65536  Listen  rdpwd
    rdp-tcp#470       Bob                       1  Active  rdpwd
    rdp-tcp#471       Jane                      3  Active  rdpwd

Now I know that Bob and Jane are the two that are logged in. Since Jane left the office 20 minutes ago I know that she forgot to log off. I don’t know where Bob is but I only need one session so I’ll ignore him for now.

To disconnect Jane’s session I would type this:

rwinsta /server:12.12.12.12 3

Notice the 3 which is the session ID I found from using qwinsta above.

Yet another option with W2K3 is a new feature that lets you connect to the desktop directly and gain a 3rd session.

If you’re like me, you probably noticed that rwinsta and qwinsta seems like strange names. This came from the Citrix Metaframe days which Terminal Services has descended from. It stands for:

qwinsta = Query WINdows STAtion
rwinsta = Reset WINdows STAtion

One final comment. Microsoft has replaced these two tools with Query but since qwinsta and rwinsta is fully compatible with W2K WinXP and W2K3 I choose to use it instead.

Note: In Windows Server 2003, you can right-click on the root in Terminal Services Manager and Connect to another server. Also, if you are in an Active Directory domain and using Windows 2000 Server, you can Connect to All Servers and access remote servers from the GUI. But, in a Windows 2000 Server not connected to a domain, you run into the limitations that prompted this blog.