(without hack workarounds) via RDP shadowing.
Warning: Do not proceed without fully understanding the steps involved and how to secure your network.
System Properties (sysdm.cpl) → Remote
Enable "Allow remote connections to this computer" → OK
Group Policy Editor (gpedit.msc) → Local Computer Policy → Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections
Double-click "Set rules for remote control of Remote Desktop Services user sessions" → select "Enabled" → set "Options:" to "Full Control without user's permission" → OK
Windows Defender Firewall with Advanced Security (wf.msc) → check "File and Printer Sharing (SMB-In)" and "Remote Desktop - Shadow (TCP-In)" are enabled for LAN connections (see Restrict Windows Remote Desktop connections to LAN only)
If the local and remote credentials differ, store the remote username and password in Windows Credential Manager:
cmdkey /add:<hostname|IP> /user:<remote_user> /pass:<remote_pass>
Retrieve the remote user's session ID (will generally be "1" or "2" on single-user systems):
qwinsta /server:<hostname|IP>
Connect:
mstsc.exe /shadow:<sessionID> /v:<hostname|IP> /noconsentprompt /control
Modify and save this batch file, then run it to automatically retrieve the user session ID and establish a connection:
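@echo off
setlocal enabledelayedexpansion

:: Set your remote username and hostname or IP address
set remote_user=<USERNAME>
set remote_host=<HOSTNAME|IP>

:: Get the session ID for the specified username where the session state is Active.
:: qwinsta columns: SESSIONNAME USERNAME ID STATE, so tokens 2,3,4 are user, ID, state.
:: /C: makes findstr treat the name as one literal string; without it, a quoted
:: pattern containing a space is split into separate search strings.
for /f "tokens=2,3,4" %%a in ('qwinsta /server:%remote_host% ^| findstr /I /C:"%remote_user%"') do (
    rem Require an exact username match as well as an Active state
    if /i "%%a"=="%remote_user%" if "%%c"=="Active" (
        set session_id=%%b
    )
)

:: If an active session ID was found for the specified user, connect automatically
if defined session_id (
    start "" mstsc /v:%remote_host% /shadow:%session_id% /control /noConsentPrompt
) else (
    echo No active session found for user "%remote_user%".
)
exit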
Errors:
Long delay on initial login followed by "Shadow Error: This computer name is invalid" – Resolved by enabling the "File and Printer Sharing (SMB-In)" and "Remote Desktop - Shadow (TCP-In)" rules in the server's firewall settings.
"Shadow Error: Access is denied" – Fixed by saving remote credentials in the Credential Manager using cmdkey. Alternatively, you can use the /prompt flag with mstsc.exe to manually enter credentials. However, this option isn't available for qwinsta.exe /server: or query.exe <username|session> /server:, so they will return Error [5]: Access is denied unless local and remote credentials match.
"Shadow Error: The session identification does not specify a valid session." – For manual login, this is resolved by retrieving the correct session ID on the server with query user. The batch script automatically finds the correct session ID, so no manual intervention is needed.
In Microsoft's Remote Desktop lexicon, the terms "local session", "interactive session", and "console session" all refer to the session in which the user is physically present at the computer.
View stored credentials via cmdkey /list and delete them with cmdkey /delete:<hostname|IP>. Both actions can also be performed through the Credential Manager GUI (control keymgr.dll).
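To review what the configuration steps above leave in place on the shadowed machine, this read-only PowerShell audit reports the shadow policy value, the RDP enable flag, and how widely the two firewall rules are scoped. It is an added example, not part of the original procedure; it assumes an elevated prompt on the shadowed machine, and the warning wording is the example's own.

```powershell
# Added example: read-only audit of the settings changed by the steps above.
# Run in an elevated PowerShell session on the shadowed (server) machine.

# Values of the "Shadow" policy DWORD written by the Group Policy setting
# "Set rules for remote control of Remote Desktop Services user sessions"
$shadowModes = @{
    0 = 'No remote control allowed'
    1 = "Full Control with user's permission"
    2 = "Full Control without user's permission"
    3 = "View Session with user's permission"
    4 = "View Session without user's permission"
}
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$shadow = (Get-ItemProperty -Path $policyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
if ($null -eq $shadow) {
    'Shadow policy: not configured'
} else {
    "Shadow policy: $shadow ($($shadowModes[[int]$shadow]))"
    if ($shadow -in 2, 4) { 'WARNING: sessions can be shadowed with no consent prompt' }
}

# "Allow remote connections to this computer" (0 = RDP connections allowed)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections: $($ts.fDenyTSConnections)"

# The two inbound rules the procedure enables: report state, profile and remote scope
foreach ($name in 'Remote Desktop - Shadow (TCP-In)', 'File and Printer Sharing (SMB-In)') {
    foreach ($rule in Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0} | Enabled={1} | Profile={2} | RemoteAddress={3}' -f $name, $rule.Enabled, $rule.Profile, $remote
        if ($rule.Enabled -eq 'True' -and $remote -eq 'Any') {
            "WARNING: '$name' accepts connections from any remote address"
        }
    }
}
```

A RemoteAddress of LocalSubnet (or an explicit LAN range) on both rules matches the LAN-only restriction the firewall step refers to.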
/windows | Sep 04, 2024