RDP Shared Drives & Clipboard (Drive Redirection)

Windows | User Activity | Disk Image

Location

HKCU\Software\Microsoft\Terminal Server Client\Default
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx

Description

When RDP drive redirection is enabled, the client maps its local drives into the remote session, where they appear as \\tsclient\C (one share per redirected drive letter). Registry keys on the client record the hostnames and IPs of servers it connected to, and the RDP client operational log captures connection details, including drive and clipboard redirection events.

Forensic Value

RDP drive redirection (tsclient) is a primary data exfiltration vector in lateral movement scenarios: it lets an attacker copy files between compromised hosts inside the existing RDP session, without a separate file transfer that network monitoring would see. The TerminalServices-RDPClient operational log records Event ID 1024 (drive redirection enabled) and Event ID 1026 (clipboard redirection), providing direct evidence that data transfer was possible. Registry entries under Terminal Server Client\Default (MRU list) and Terminal Server Client\Servers (one subkey per host) preserve the history of RDP connections with server hostnames, even after the RDP session ends. Correlating tsclient file access timestamps from the USN journal with RDP session logs can reconstruct the exact files moved during lateral movement.

Tools Required

KAPE, Registry Explorer (Eric Zimmerman), EvtxECmd, PowerShell

Collection Commands

Registry Explorer

RECmd.exe -f NTUSER.DAT --kn "Software\Microsoft\Terminal Server Client" --csv C:\output\ --csvf rdp_client_reg.csv

EvtxECmd

EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx" --csv C:\output\ --csvf rdp_client_events.csv

PowerShell

Get-ItemProperty "HKCU:\Software\Microsoft\Terminal Server Client\Default" | Format-List *
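The one-liner above dumps only the Default key. The script below is an added example (not part of this page or of Eric Zimmerman's tools) that pulls the whole client-side picture in one pass: the MRU entries under Default, the per-host Servers subkeys with their UsernameHint value, and the RDPClient operational log (live, or an exported .evtx from a disk image), then joins log events to registry history by server name. The registry paths and the Event IDs 1024/1026 are the ones the page cites; the regex that pulls the server name out of the event message text is an assumption about the message format and may need adjusting for your log.

```powershell
# Added example, not the page's own tooling. Assumptions: registry paths and
# Event IDs as cited on the page; event message text names the server in
# parentheses (adjust $serverRegex if your log formats it differently).
param(
    # Optional exported .evtx (e.g. carved from a disk image); defaults to the live log.
    [string]$EvtxPath = $null,
    [int[]]$EventIds  = @(1024, 1026)   # IDs the page ties to drive/clipboard redirection
)

$tscBase     = 'HKCU:\Software\Microsoft\Terminal Server Client'
$serverRegex = '\(([^)]+)\)'          # assumption about the message layout

# 1. MRU list: Default holds MRU0..MRUn, most recently used server first.
$mru = @()
$default = Get-ItemProperty -Path "$tscBase\Default" -ErrorAction SilentlyContinue
if ($default) {
    $mru = @($default.PSObject.Properties |
        Where-Object { $_.Name -match '^MRU\d+$' } |
        Sort-Object { [int]($_.Name -replace 'MRU', '') } |
        ForEach-Object { [pscustomobject]@{ Slot = $_.Name; Server = $_.Value } })
}

# 2. Servers subkeys: one per host; UsernameHint is the last account entered.
#    Key last-write timestamps are not exposed here; use Registry Explorer/RECmd for those.
$servers = @(Get-ChildItem -Path "$tscBase\Servers" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Server = $_.PSChildName; UsernameHint = $p.UsernameHint }
    })

# 3. Operational log, filtered to the IDs of interest, from the live log or a file.
$filter = @{ Id = $EventIds }
if ($EvtxPath) { $filter.Path = $EvtxPath }
else           { $filter.LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational' }

$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = if ($_.Message -match $serverRegex) { $Matches[1] } else { $null }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Server      = $srv
            Message     = ($_.Message -split "`r?`n")[0]
        }
    })

# 4. Correlate: every host seen in the registry, paired with its log events.
$hosts  = @($servers + $mru) | Select-Object -ExpandProperty Server -Unique
$report = foreach ($s in $hosts) {
    # -eq on strings is case-insensitive in PowerShell; hostnames vary in case.
    $hits = @($events | Where-Object { $_.Server -and ($_.Server -eq $s) })
    [pscustomobject]@{
        Server       = $s
        UsernameHint = ($servers | Where-Object Server -eq $s | Select-Object -First 1).UsernameHint
        InMRU        = [bool]($mru | Where-Object Server -eq $s)
        EventCount   = $hits.Count
        FirstEvent   = ($hits | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        LastEvent    = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

$report | Sort-Object LastEvent -Descending | Format-Table -AutoSize
# Hosts with EventCount = 0 still came from the registry: the log may have rolled
# over, so keep the registry history as the longer-lived record of connections.
```

Run it on the live client as the user whose NTUSER hive is of interest (HKCU is per-user), or pass -EvtxPath to point at an exported log. The FirstEvent/LastEvent window per host is what you then line up against \\tsclient\* access times from the USN journal.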

MITRE ATT&CK Techniques

T1021.001, T1048, T1080