Remote Desktop Connection Settings & Configuration

pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

I tried searching the forum and over at Google. I am looking to see if there is a settings file, log, registry entry, anything of that nature that would keep track of whether remote desktop was used and what computer it connected to. I did find a default.rdp file, in which I saw that rdp was some sort of settings file; in this file, amongst other values, it has a full address with an IP, a username, and a domain. Besides this file, is there anything else to show if, and to what computer, a remote desktop connection was made? Thanks everyone. This is on a Windows XP computer.


   
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

I did find an RDP file settings sheet that takes you through each value and what it is, and it looks like the full address area is the IP address or name of the server, domain is what needs to be typed in to connect, username, etc. Looks like when remote desktop starts, this file controls the settings of what's in there? Anyone have some more knowledge about this? Thank you.


   
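The Default.rdp layout described in the post above, as an added example that is not part of the original thread: a small parser for the `name:type:value` lines of an .rdp file that pulls out the full address, username and domain fields. The sample file content and its values are constructed, and the cp1252 fallback for files without a byte-order mark is an assumption.

```python
import codecs

# Fields the original poster noticed in Default.rdp.
FIELDS_OF_INTEREST = ("full address", "username", "domain")

def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes, using the byte-order mark when one is present."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")              # BOM selects the byte order
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252", errors="replace")  # assumption: ANSI fallback

def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines; type 'i' becomes int, others stay str."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)       # value may itself contain ':'
        if len(parts) != 3:
            continue                             # skip blank or malformed lines
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                pass                             # keep raw text if not numeric
        settings[name.strip().lower()] = value
    return settings

def connection_summary(raw: bytes) -> dict:
    """Return only the connection-related fields (None when absent)."""
    settings = parse_rdp(raw)
    return {field: settings.get(field) for field in FIELDS_OF_INTEREST}

# Constructed sample content, encoded as UTF-16 with a byte-order mark.
SAMPLE = (
    "screen mode id:i:2\r\n"
    "full address:s:192.0.2.15:3390\r\n"
    "username:s:jdoe\r\n"
    "domain:s:EXAMPLE\r\n"
    "not a settings line\r\n"
).encode("utf-16")

if __name__ == "__main__":
    print(connection_summary(SAMPLE))
```

The file holds the client's saved settings, so treat the values as what was entered in the Remote Desktop client and corroborate them with other artifacts.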
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The RegRipper tsclient.pl plugin, created on 24 Mar 2008, contains the Registry key you're looking for….


   
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

I did use that, and if I'm thinking of the right key, it returned the same results that came out of that default.rdp file: same IP, domain, and user. It was at software\microsoft\terminal server client\servers\**ip address**?? Does that mean that this was the IP and domain that was connected to using the remote desktop connection?


   
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

The TSClient gave (3) MRU:
MRU0
MRU1
MRU2

each with a different IP address next to it. Are those 3 different IPs that have been connected to?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Pronie,

RR plugins are text-based, which means you can open them in Notepad. When you do so, you'll see that that's NOT the same Registry key used by the plugin.

Were you to search for the key listed in the plugin on TechNet, you'll find the following:
http://support.microsoft.com/kb/312169


   
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

Thanks for the pointer, keydet. What I'm seeing is that since I have the three entries, the most recently used was the MRU0, and MRU1 before that, and so on. Thanks for the help.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

No problem…although, to be honest, since you did have RegRipper, this is all work you could've done yourself.


   
(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

On a similar related issue I've always found the Nirsoft Remote desktop password viewer useful:

http://www.nirsoft.net/utils/remote_desktop_password.html


   