Terminal Server Client Registry (RDP History)

Windows | User Activity | Disk Image

Location

NTUSER.DAT\Software\Microsoft\Terminal Server Client\Servers and NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default

Description

Per-user registry keys recording the hostname or IP address of every RDP server the user connected to from this machine, along with the username hint used for each connection.

Forensic Value

This artifact maps the outbound RDP connection history for each user account, revealing the lateral movement path from the attacker's perspective. Each subkey under Servers is named for a destination host and holds a UsernameHint value recording the account name used to authenticate. The MRU0, MRU1, ... values under the Default key record the order of the most recently connected servers, MRU0 being the latest. This complements the inbound RDP event logs on destination machines and is critical for reconstructing lateral movement chains.
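An added example (not part of this reference page) showing how the two keys fit together: a Python parser over the text output of `reg query "HKCU\Software\Microsoft\Terminal Server Client" /s` (the parent key, so that both Default and Servers are captured) that orders destinations by MRU index and keeps Servers subkeys that have already dropped out of the MRU values. The hosts and accounts in the sample output are constructed.

```python
import re

# Constructed sample of `reg query "HKCU\Software\Microsoft\Terminal Server Client" /s`
# output; the hosts and accounts are hypothetical, not from any real case.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
    MRU0    REG_SZ    10.0.0.5
    MRU1    REG_SZ    fileserver01.corp.example

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\10.0.0.5
    UsernameHint    REG_SZ    CORP\svc_backup

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\fileserver01.corp.example
    UsernameHint    REG_SZ    CORP\jdoe

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\dc01
    UsernameHint    REG_SZ    CORP\jdoe
"""

# reg query prints each value as: 4 spaces, name, whitespace, REG_type, whitespace, data
VALUE_RE = re.compile(r"^\s{4}(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_rdp_history(text: str) -> list:
    """Outbound RDP targets ordered by recency (MRU0 first); Servers subkeys that
    no longer appear among the MRU values are appended with mru=None."""
    mru: dict = {}             # MRU index -> server
    hints: dict = {}           # server -> UsernameHint (None if the value is absent)
    current_key = ""
    for line in text.splitlines():
        if line and not line.startswith(" "):          # a key path line
            current_key = line.strip()
            if "\\Servers\\" in current_key:
                hints.setdefault(current_key.rsplit("\\Servers\\", 1)[1], None)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue                                   # blank line or header
        name, _vtype, data = m.groups()
        if current_key.endswith("\\Default") and name.upper().startswith("MRU"):
            mru[int(name[3:])] = data.strip()
        elif "\\Servers\\" in current_key and name == "UsernameHint":
            hints[current_key.rsplit("\\Servers\\", 1)[1]] = data.strip()
    rows = [{"mru": i, "server": mru[i], "username_hint": hints.get(mru[i])}
            for i in sorted(mru)]
    for server in sorted(set(hints) - set(mru.values())):
        rows.append({"mru": None, "server": server, "username_hint": hints[server]})
    return rows
```

Run against an export taken from each user's NTUSER.DAT rather than HKCU alone, since HKCU only reflects the account that executed the query.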

Tools Required

  • KAPE
  • Registry Explorer (Eric Zimmerman)
  • RegRipper
  • RECmd (Eric Zimmerman)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

RegRipper

rip.exe -r C:\output\NTUSER.DAT -p rdphint

reg.exe

reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s

RECmd

RECmd.exe -f C:\output\NTUSER.DAT --kn "Software\Microsoft\Terminal Server Client\Servers" --csv C:\output --csvf RDP_History.csv

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1021.001 (Remote Services: Remote Desktop Protocol)
  • T1078 (Valid Accounts)