The Windows Forensics Journey — RDP Connection History (Remote Desktop Protocol Connection History)

Shlomi Boutnaru, Ph.D.
1 min read · Dec 31, 2023


When “mstsc.exe” (https://medium.com/@boutnaru/the-windows-process-journey-mstsc-exe-remote-desktop-connection-981bae774bac) is used to open an RDP session, every successful connection is recorded in the registry: the target the user typed into the Computer box (a hostname or an IP address, optionally with a port). The data is stored per user, under “HKCU\SOFTWARE\Microsoft\Terminal Server Client”, in two subkeys: “Default” and “Servers” (https://www.tachytelic.net/2019/01/clear-rdp-cache/). Because the hive is HKCU, on a disk image the same keys are found in that user’s NTUSER.DAT.

“Default” holds the 10 most recent targets as the values MRU0 through MRU9, with MRU0 being the newest; MRU stands for “Most Recently Used” (https://www.fity.club/lists/suggestions/hkey-current-user-software-microsoft-windows/). “Servers” has one subkey per target the user has ever connected to from this machine, and each subkey carries a “UsernameHint” value with the account name last used for that host. Both keys can be cleared by the user (the tachytelic.net link above describes how), so an empty key does not prove that no connections were made; a registry parser that exposes key last-write times also dates the most recent write to each server subkey, which regedit does not display. Examples of both keys are shown in the screenshots below.

Lastly, “mstsc.exe” also creates a hidden file named “Default.rdp” in the user’s Documents folder, i.e. “%homepath%\Documents\Default.rdp” (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc). It stores the settings of the last session, including a “full address” line with the target that was connected to, so its last-modified timestamp is a second indicator of when the user last used the client.
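The following PowerShell script collects the three artifacts described above (the “Default” MRU list, the “Servers” subkeys with their “UsernameHint”, and “Default.rdp”) for the current user. It is an added example, not code from the original post; the registry paths and file location are the ones named in the text, and the optional “CertHash” value read from each server subkey is a standard mstsc.exe artifact that the post does not mention.

```powershell
# Added example (not part of the original post): triage the RDP client
# artifacts of the current user as described in the text.
$base = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client'

# 1. "Default" subkey: values MRU0..MRU9, MRU0 = most recent target.
$mru = @()
$defaultKey = Get-Item -Path "$base\Default" -ErrorAction SilentlyContinue
if ($defaultKey) {
    $names = $defaultKey.GetValueNames() |
        Where-Object { $_ -match '^MRU\d+$' } |
        Sort-Object { [int]($_ -replace 'MRU', '') }
    foreach ($name in $names) {
        $mru += [pscustomobject]@{
            Slot   = $name
            Target = $defaultKey.GetValue($name)   # hostname, IP, optional :port
        }
    }
}

# 2. "Servers" subkey: one child key per target ever connected to.
#    UsernameHint = account last used for that target.
#    CertHash (REG_BINARY, may be absent) = accepted server certificate;
#    its presence is not described in the post, it is an assumption here.
$servers = Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = $_.GetValue('CertHash')
        [pscustomobject]@{
            Target       = $_.PSChildName
            UsernameHint = $_.GetValue('UsernameHint')
            CertHash     = if ($hash) { ($hash | ForEach-Object { $_.ToString('X2') }) -join '' } else { $null }
        }
    }

# 3. Default.rdp: hidden file in the user's Documents folder, one
#    "name:type:value" setting per line; "full address:s:<target>" is the
#    last target connected to.
$rdpPath    = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
$rdpFile    = $null
$lastTarget = $null
if (Test-Path -LiteralPath $rdpPath) {
    $rdpFile    = Get-Item -LiteralPath $rdpPath -Force   # -Force: file is hidden
    $lastTarget = (Get-Content -LiteralPath $rdpPath |
        Where-Object { $_ -like 'full address:s:*' }) -replace '^full address:s:', ''
}

"[Default] last 10 targets (MRU0 = most recent)"
$mru | Format-Table -AutoSize
"[Servers] every target with the username hint recorded for it"
$servers | Format-Table -AutoSize
"[Default.rdp] $rdpPath"
if ($rdpFile) {
    'last written {0:u} (UTC); full address = {1}' -f $rdpFile.LastWriteTimeUtc, $lastTarget
} else {
    'not present (client never used, or file deleted)'
}
```

To run the same checks against a collected hive instead of the live profile, mount it with `reg load HKU\case C:\evidence\NTUSER.DAT` and point `$base` at `Registry::HKEY_USERS\case\SOFTWARE\Microsoft\Terminal Server Client`; the Default.rdp path then has to be taken from the collected Documents folder. An empty result is not proof of absence, since both the keys and the file can be cleared by the user.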

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
