Terminal Server Client Registry (RDP History)

Windows / User Activity / Disk Image

Location

NTUSER.DAT\Software\Microsoft\Terminal Server Client\Servers
NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default

Description

Per-user registry keys recording the hostname or IP address of every RDP server the user connected to from this machine, along with the username hint used for each connection.

Forensic Value

This artifact maps the outbound RDP connection history for each user account, revealing the lateral movement path from the perspective of the source host the attacker operated from. Each subkey under Servers is named after a destination host and carries a UsernameHint value showing the account name used to authenticate to it. The MRU values under Default (MRU0, MRU1, ...) record the most recently connected servers in order, MRU0 being the newest. This complements the inbound RDP event logs on destination machines and is critical for reconstructing lateral movement chains. Entries persist only until the user (or an attacker cleaning up) removes them, so an empty key does not prove the RDP client was never used.
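The following PowerShell function, added here as an example and not part of the original page or of any listed tool, joins the Servers subkeys with the Default MRU ordering so each destination is listed with its UsernameHint and recency rank. It reads the live HKCU hive by default; the -Base parameter and the `HKLM\SuspectUser` mount point are assumptions for pointing it at an NTUSER.DAT loaded with reg load.

```powershell
# Added example: list a user's outbound RDP history from the Terminal Server Client key.
# Default is the current user's live hive. To examine an offline NTUSER.DAT, load it first
# (elevated):  reg load HKLM\SuspectUser C:\evidence\NTUSER.DAT   (placeholder paths)
# and call:    Get-RdpClientHistory -Base 'HKLM:\SuspectUser\Software\Microsoft\Terminal Server Client'
function Get-RdpClientHistory {
    param(
        [string]$Base = 'HKCU:\Software\Microsoft\Terminal Server Client'
    )

    # Default\MRU0..MRUn hold server names in recency order; MRU0 is the most recent.
    $mruRank = @{}
    $defaultKey = Get-Item -Path (Join-Path $Base 'Default') -ErrorAction SilentlyContinue
    if ($defaultKey) {
        foreach ($valueName in $defaultKey.GetValueNames()) {
            if ($valueName -match '^MRU(\d+)$') {
                $mruRank[$defaultKey.GetValue($valueName)] = [int]$Matches[1]
            }
        }
    }

    # Servers\<host>: one subkey per destination, with the UsernameHint used to authenticate.
    $serverKeys = Get-ChildItem -Path (Join-Path $Base 'Servers') -ErrorAction SilentlyContinue
    foreach ($key in $serverKeys) {
        $target = $key.PSChildName
        [pscustomobject]@{
            Server       = $target
            UsernameHint = $key.GetValue('UsernameHint')
            # $null when the host appears under Servers but was pruned from (or never in) the MRU list
            MruRank      = if ($mruRank.ContainsKey($target)) { $mruRank[$target] } else { $null }
        }
    }
}

# Most recent destinations first; hosts without an MRU entry sort to the end.
Get-RdpClientHistory | Sort-Object { if ($null -eq $_.MruRank) { [int]::MaxValue } else { $_.MruRank } } | Format-Table -AutoSize
```

Compare the Server values against the destination hosts' inbound RDP logon events (Security 4624 type 10 / TerminalServices-LocalSessionManager) to confirm each hop in the chain.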

Tools Required

KAPE
Registry Explorer (Eric Zimmerman)
RegRipper
RECmd (Eric Zimmerman)