The Remote Desktop Connection (RDP) client built into Windows (mstsc.exe) records the remote computer name (or IP address) and the name of the user used to log on after each successful connection to the remote computer. The next time the RDP client starts, it prompts the user to select one of the previously used connections. The user can select the RDS/RDP hostname from the list and the client automatically fills in the username that was previously used to log in.
This is convenient from an end-user perspective, but unsafe from a security perspective, especially if you are connecting to your RDP server from a public or untrusted computer.
Information about all RDP (terminal) sessions is stored individually in each user’s registry structure, meaning that a non-administrator cannot view another user’s RDP connection history.
In this article, we’ll show you where Windows stores the history and credentials of remote desktop connections, how to clear items in the mstsc window, and how to clear RDP logs.
Information about all RDP connections is stored in the registry for each user. You cannot remove the computer(s) from the RDP connection history list using the built-in Windows utilities. You need to delete some registry keys manually.
- Start the registry editor (regedit.exe) and go to the registry key HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client;
- You need two subkeys in this section: Default (stores the history of the last 10 RDP connections) and Servers (lists all RDP servers and usernames previously used to connect);
- Expand the HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default registry key, which contains a list of the 10 IP addresses or DNS names of remote computers that have been used recently (MRU – Most Recently Used). The name (or IP address) of the remote desktop server is stored in the value of an MRU* parameter. To clear the history of recent RDP connections, select all values named MRU0-MRU9, right-click and select Delete;
- Now expand the HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers key. It contains a list of all RDP connections ever made by this user. Expand the subkey with the name (or IP address) of any host. Note the value of the UsernameHint parameter. It displays the username used to connect to the RDP/RDS host. This username is used to automatically connect to the RDP host. In addition, the CertHash value contains the SSL certificate thumbprint of the RDP server;
- To clear the history of all RDP connections and saved usernames, you need to clear the contents of the Servers registry key. Since you cannot select all subkeys at once, it is easier to delete the entire Servers key and recreate it manually;
- Next, you need to delete the default RDP connection file (which contains information about the last RDP session) – Default.rdp (this is a hidden file located in the Documents folder);
- Windows also saves recent remote desktop connections in the Jump Lists. Typing mstsc into the Windows 10 search box will list the RDP connections you've used so far. You can completely disable tracking of recent files and locations in the Jump Lists by using the Start_TrackDocs value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced registry key (set it to 0), or you can clear the Jump Lists by deleting the files in the %AppData%\Microsoft\Windows\Recent\AutomaticDestinations directory.
Note. The described method for clearing the remote desktop connection history works on all versions of Windows desktop (from Windows XP to Windows 10) and Windows Server.
We showed you above how to manually delete the RDP connection history in Windows. However, doing it manually (especially on multiple computers) takes time. Therefore, we propose a small script (BAT file) that clears the RDP history automatically.
To automate the cleaning of the RDP history, you can put this script in Windows startup or run it as a GPO logoff script on the users' computers.
@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib -s -h "%userprofile%\documents\Default.rdp"
del "%userprofile%\documents\Default.rdp"
del /f /s /q /a "%AppData%\Microsoft\Windows\Recent\AutomaticDestinations"
Let's look at all the actions in the script:
- Turn off the console output;
- Delete all values in the HKCU\Software\Microsoft\Terminal Server Client\Default registry key (clears the list of recent RDP connections);
- Delete the entire HKCU\Software\Microsoft\Terminal Server Client\Servers registry key (removes the list of all RDP connections and saved usernames);
- Recreate the previously deleted registry key;
- Clear the Hidden and System attributes (set by default) on the Default.rdp file in the current user's profile directory;
- Delete the Default.rdp file;
- Clear the recent remote desktop connections from the Jump Lists.
You can also clear the RDP connection history using the following PowerShell script:
Get-ChildItem "HKCU:\Software\Microsoft\Terminal Server Client" -Recurse | Remove-ItemProperty -Name UsernameHint -Ea 0
Remove-Item -Path 'HKCU:\Software\Microsoft\Terminal Server Client\Servers' -Recurse 2>&1 | Out-Null
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Terminal Server Client\Default' 'MR*' 2>&1 | Out-Null
$docs = [Environment]::GetFolderPath("MyDocuments") + '\Default.rdp'
Remove-Item $docs -Force 2>&1 | Out-Null
By the way, the RDP history cleaning feature is integrated into many system and registry cleaners, such as CCleaner, etc.
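To confirm that a cleanup left nothing behind, or to see what a shared workstation currently exposes, the following read-only PowerShell audit reports the client-side traces described in this article. It is an added example, not part of the original scripts; the function name `Get-RdpClientTrace` and the output columns are assumptions made for illustration.

```powershell
# Added example: list the RDP client traces left in the current user's profile.
function Get-RdpClientTrace {
    $base  = 'HKCU:\Software\Microsoft\Terminal Server Client'
    $found = @()

    # MRU0-MRU9 values under Default (the drop-down list in mstsc.exe)
    $default = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
    if ($default) {
        foreach ($p in ($default.PSObject.Properties | Where-Object Name -like 'MRU*')) {
            $found += [pscustomobject]@{ Artifact = 'MRU value'; Name = $p.Name; Detail = $p.Value }
        }
    }

    # One subkey per host under Servers, each with an optional UsernameHint
    foreach ($k in (Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue)) {
        $found += [pscustomobject]@{
            Artifact = 'Servers subkey'; Name = $k.PSChildName; Detail = $k.GetValue('UsernameHint')
        }
    }

    # Files: Default.rdp, the persistent bitmap cache and the Jump Lists.
    # AutomaticDestinations holds Jump Lists for every application, not only mstsc.
    $paths = @(
        (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'),
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'),
        (Join-Path $env:APPDATA 'Microsoft\Windows\Recent\AutomaticDestinations')
    )
    foreach ($path in $paths) {
        $files = @(Get-ChildItem -LiteralPath $path -Force -File -ErrorAction SilentlyContinue)
        if ($files.Count -gt 0) {
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            $found += [pscustomobject]@{ Artifact = 'Files'; Name = $path; Detail = "$($files.Count) file(s), $bytes bytes" }
        }
    }

    # Saved passwords appear in Credential Manager as TERMSRV/<host>
    foreach ($line in (cmdkey /list)) {
        if ($line -match 'TERMSRV/(\S+)') {
            $found += [pscustomobject]@{ Artifact = 'Saved credential'; Name = $Matches[1]; Detail = 'Credential Manager' }
        }
    }
    $found
}

Get-RdpClientTrace | Format-Table -AutoSize
```

An empty result means none of the registry values, files or saved TERMSRV credentials remain for the user running the script; other users' profiles have to be checked in their own sessions.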
If you do not want Windows to keep track of the RDP connection history, deny write access to the HKCU\Software\Microsoft\Terminal Server Client registry key for all user accounts. First, disable permission inheritance on the specified registry key (Permissions -> Advanced -> Disable Inheritance). Then edit the ACL of the registry key by enabling the Deny option for Users (but note that this is an unsupported configuration).
As a result, mstsc.exe simply cannot write RDP connection information to the registry.
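The same two steps can be scripted for the current user's hive. This is an added example, not code from the original article; the choice of denied rights (SetValue and CreateSubKey) and the use of the well-known BUILTIN\Users SID are assumptions, since the article only says to enable Deny for Users.

```powershell
# Added example: stop mstsc.exe from writing connection history for the current user.
$keyPath = 'HKCU:\Software\Microsoft\Terminal Server Client'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

$acl = Get-Acl -Path $keyPath

# Step 1: disable inheritance, converting inherited entries into explicit ones
$acl.SetAccessRuleProtection($true, $true)

# Step 2: add a Deny entry for BUILTIN\Users (well-known SID S-1-5-32-545).
# Assumption: only write-type rights are denied, so the key stays readable
# and its permissions can still be changed back later.
$users  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
    $users, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # also covers Default and Servers
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Check the result: the Deny entry should be listed as not inherited
(Get-Acl -Path $keyPath).Access |
    Where-Object AccessControlType -eq 'Deny' |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

The ACL only covers the registry: Default.rdp, the Jump Lists and the bitmap cache are still written unless they are handled separately.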
The Remote Desktop Connection client supports persistent bitmap caching. The RDP client stores portions of the remote screen as a bitmap image cache. This allows the mstsc.exe client to load parts of the screen that have not changed since the last render from the local disk cache. This RDP caching feature reduces the amount of data transferred over the network.
The RDP cache consists of two types of files in the %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache directory:
These files store raw raster images of the RDP screen as 64×64 pixel tiles. With simple PowerShell or Python scripts (easy to find by searching for "RDP cache bitmap extractor"), PNG files with pieces of the remote desktop screen can be obtained and used to retrieve sensitive information. The tiles are small, but large enough to give useful information to someone examining the RDP cache.
You can prevent the RDP client from caching images of the remote desktop by unchecking the Persistent Bitmap Caching checkbox on the Advanced tab.
If you use the RDP cache, it can sometimes get corrupted:
Error in the bitmap reader cache. The disk is full or the cache directory is missing or corrupt. Some bitmaps may not be displayed.
In this case, you need to delete the RDP cache folder or disable the bitmap caching option.
If the user selects the Remember me check box before entering the password when creating a new RDP connection, the username and password are stored in the Windows Credential Manager. The next time you connect to the same computer, the RDP client will automatically use the previously saved password to authenticate to the remote host.
You can delete the saved RDP password directly from the mstsc.exe client window. Select the same connection from the connection list and click Delete. Then confirm the deletion of the saved credentials.
You can also delete the saved RDP password directly from the Windows Credential Manager. Go to Control Panel\User Accounts\Credential Manager. Select Manage Windows Credentials and find the computer name (in the following format: TERMSRV/192.168.1.100) in the list of saved passwords. Expand the found item and click the Remove button.
In an Active Directory domain environment, you can disable saving passwords for RDP connections with a dedicated Group Policy setting: Network access: Do not allow storage of passwords and credentials for network authentication.
Connection logs are also stored on the RDP/RDS host side. For more information on the history of RDP connections, see the Event Viewer logs:
- Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational;
- TerminalServices-LocalSessionManager -> Admin.
In this article, you will learn more about analyzing RDP connection logs.
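Clearing the client-side history does not touch these host-side records. The following PowerShell function reads them with Get-WinEvent; it is an added example, not part of the original article. The event IDs and the use of the LocalSessionManager Operational channel are not taken from this page, and the function name `Get-RdpHostHistory` is an assumption.

```powershell
# Added example: read inbound RDP session events on the RDP/RDS host.
# Event IDs are not listed on the page: 1149 (authentication succeeded),
# 21 (session logon), 24 (session disconnected), 25 (session reconnected).
function Get-RdpHostHistory {
    param([int]$MaxEvents = 200)

    $prefix  = 'Microsoft-Windows-TerminalServices'
    $filters = @(
        @{ LogName = "$prefix-RemoteConnectionManager/Operational"; Id = 1149 },
        @{ LogName = "$prefix-LocalSessionManager/Operational";     Id = 21, 24, 25 }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                $evt = $_
                # User, domain and client address sit in the UserData payload;
                # flatten every field so nothing depends on per-event field names.
                $payload = ([xml]$evt.ToXml()).Event.UserData.FirstChild
                $fields  = @($payload.ChildNodes | ForEach-Object { "$($_.LocalName)=$($_.InnerText)" })
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Channel = $evt.LogName
                    Id      = $evt.Id
                    Data    = $fields -join '; '
                }
            }
    }
}

Get-RdpHostHistory | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the RDP/RDS host; the result is empty when the logs hold no matching events or cannot be read.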
You can clear the logs on the RDP server using wevtutil or PowerShell.