The built-in Windows Remote Desktop Connection (RDP) client (
mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer. On the next start, the RDP client offers the user to select one of the connections that was used previously. The user can select the name of the RDS/RDP host from the list, and the client automatically fills the username used earlier for login.
This is convenient from the end-user perspective, but unsafe from the security point of view. Especially when you connect to your RDP server from a public or untrusted computer.
Information about all RDP (terminal) sessions is stored individually in the registry hive of each user, i.e. a non-admin won’t be able to view the RDP connection history of another user.
In this article we will show where Windows stores the history and saved credentials of Remote Desktop connections, how to remove entries from the mstsc window, and clear RDP logs.
Information about all RDP connections is stored in the registry of each user. It’s impossible to remove a computer (or computers) from the list of RDP connection history using built-in Windows tools. You will have to manually clear some registry keys.
Note. The described method for clearing the connection history of Remote Desktop works on all Windows desktop versions (from Windows XP to Windows 10) and for Windows Server.
Above we have showed how to clear the history of RDP connection in Windows manually. However, doing it manually (especially on multiple computers) is time consuming. Therefore, we offer a small script (BAT file) that allows to automatically clearing the RDP history.
To automate the RDP history cleanup, you can place this script to Windows Startup or run it on user computers via a GPO logoff script.
reg delete “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” /va /f
reg delete “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers” /f
reg add “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers”
attrib -s -h %userprofile%\documents\Default.rdp
del /f /s /q /a %AppData%\Microsoft\Windows\Recent\AutomaticDestinations
Let’s consider all the actions of the script:
In addition, you can clear the history of RDP connections using the following PowerShell script:
Get-ChildItem “HKCU:\Software\Microsoft\Terminal Server Client” -Recurse | Remove-ItemProperty -Name UsernameHint -Ea 0
Remove-Item -Path ‘HKCU:\Software\Microsoft\Terminal Server Client\servers’ -Recurse 2>&1 | Out-Null
Remove-ItemProperty -Path ‘HKCU:\Software\Microsoft\Terminal Server Client\Default’ ‘MR*’ 2>&1 | Out-Null
$docs = [environment]::getfolderpath(“mydocuments”) + ‘\Default.rdp’
remove-item $docs -Force 2>&1 | Out-Null
Note. By the way, the feature of the RDP history cleanup is built into many system and registry “cleaners”, such as, CCleaner, etc.
If you do NOT want Windows to save the RDP connection history, you must deny writing to the registry key HKCU\Software\Microsoft\Terminal Server Client for all user accounts. First, disable permission inheritance on the specified reg key (Permissions -> Advanced -> Disable inheritance). Then change the registry key ACL by ticking the Deny option for users (but you should understand that this is an unsupported configuration).
As a result, mstsc.exe simply cannot write RDP connection info to the registry.
The Remote Desktop Connection client has image persistent bitmap caching feature. The RDP client saves rarely changing fragments of the remote screen as a raster image cache. Thanks to this, the mstsc.exe client loads parts of the screen that have not changed since the last rendering from the local drive cache. This RDP caching feature reduces the amount of data transmitted over the network.
RDP cache is two types of files in a directory %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache:
These files store raw RDP screen bitmaps in the form of 64×64 pixel tiles. Using simple PowerShell or Python scripts (easily searched for by the RDP Cached Bitmap Extractor query), you can get PNG files with pieces of the remote desktop screen and use them to get sensitive information. The size of the tiles is small, but sufficient to provide useful information to a person studying the RDP cache.
You can prevent the RDP client from storing the remote desktop screen image cache by disabling the Persistent bitmap caching option on the Advanced tab.
Sometimes when using the RDP cache, it may be damaged:
Bitmap Disk Cache Failure. Your disk is full or the cache directory is missing or corrupted. Some bitmaps may not appear.
In this case, you need to clear the RDP cache directory or disable the Bitmap Caching option.
If when establishing a new remote RDP connection, before entering the password, the user checks an option Remember Me, then the username and password will be saved in the Windows Credential Manager. The next time you connect to the same computer, the RDP client automatically uses the previously saved password for authentication on the remote host.
You can remove the saved RDP password directly from the client’s mstsc.exe window. Select the same connection from the list of connections, and click on the Delete button. Then confirm deletion of the saved credentials.
More details on how RDP saved passwords work in the article at the link.
Alternatively, you can delete the RDP saved password directly from the Windows Credential Manager. Go to the Control Panel\User Accounts\Credential Manager section. Select Manage Windows Credentials and in the list of saved passwords find the computer name (in the following format TERMSRV/192.168.1.100). Expand the found item and click the Remove button.
In an Active Directory domain environment, you can disable saving passwords for RDP connections by using the special GPO – Network access: Do not allow storage of passwords and credentials for network authentication (see an article).
Connection logs are also saved on the RDP/RDS host side. You can find information about RDP connection history in Event Viewer logs: