Tuesday, October 27, 2015

Registry Terminal Server Client\Servers Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Terminal Server Client\Servers

It appears each time a user used Remote Desktop to connect to another computer a registry entry is created in Terminal Server Client folder. For example, I opened the following registry key

HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Terminal Server Client\Servers\SERVERXYZ\UsernameHint

And was able to read the following values


Which would seem to me to indicate that USER1 attempted to connect to SERVERXYZ thru domain DOMAIN1

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment