If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Terminal Server Client\Servers
It appears each time a user used Remote Desktop to connect to another computer a registry entry is created in Terminal Server Client folder. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Terminal Server Client\Servers\SERVERXYZ\UsernameHint
And was able to read the following values
Which would seem to me to indicate that USER1 attempted to connect to SERVERXYZ thru domain DOMAIN1
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.