You can use Remote Desktop Shadowing to remotely connect to a user session on a Windows computer. This feature is essentially an analogue of Remote Assistance: it lets administrators remotely view and interact with a user’s desktop on both desktop versions of Windows (Windows 11 or 10) and Windows Server RDS hosts.
Enable Remote Desktop Shadow Connection Mode in Windows
You need to configure the Windows computers you want to connect to via Remote Desktop Shadow Connection in a certain way.
- Enable Remote Desktop (RDP) on the user’s computer (manually or via GPO);
- Your account must have local administrator permissions on the user’s computer (you can add the user to the ‘Administrators’ group manually or by using group policies);
- Configure the shadow connection mode. You can set whether user confirmation is required to connect and whether the shadow session may only view the session or also control it. The mode is configured via the GPO option Set rules for remote control of Remote Desktop Services user sessions (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections).
The following 5 modes are available:
- 0 – disable shadow remote control;
- 1 – full control with user permission;
- 2 – full control without user permission;
- 3 – view sessions with user permission;
- 4 – view sessions without user permission.
You can also enable the desired shadow connection mode directly through the registry, either by editing it manually or with the reg add command. In this example, we set mode 4, which allows viewing the remote session without the user’s permission:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4
By default, this registry parameter is not set and the shadow connection is performed in full control mode with user confirmation.
- Configure Windows Defender Firewall rules to allow incoming remote shadow connections. Session shadowing traffic in Windows does not use the standard 3389/RDP port; it uses 139/tcp, 445/tcp and a range of dynamic RPC ports (from 49152 to 65535). To allow incoming shadow connection traffic, you must enable two pre-defined firewall rules in Windows:
File and Printer Sharing (SMB-In)
and Remote Desktop - Shadow (TCP-In)
The last rule allows remote access to the RdpSa.exe process. You can enable these Windows Defender Firewall rules on user computers through a GPO or by using the Enable-NetFirewallRule PowerShell cmdlet.
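The three configuration steps above, done from PowerShell and verified afterwards, as an added example that is not part of the original article. It assumes an elevated session on the computer that will be shadowed and reuses the registry key and firewall rule names given above.

```powershell
# Added example (not from the original article): configure a computer to be shadowed
# and verify the result. Run in an elevated PowerShell session on the target computer.
# $ShadowMode uses the numbering from the article (0 = disabled ... 4 = view, no prompt).
param(
    [ValidateRange(0, 4)]
    [int]$ShadowMode = 1      # full control with user permission: keep the user in the loop
)

$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ruleNames = 'File and Printer Sharing (SMB-In)', 'Remote Desktop - Shadow (TCP-In)'

# 1. Remote Desktop must be enabled (fDenyTSConnections = 0).
Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Same Shadow REG_DWORD the article sets with reg add, under the policy key.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name Shadow -Value $ShadowMode -Type DWord

# 3. Enable the two predefined rules, but only their Domain (or profile-less 'Any') copies,
#    so SMB and the RPC range are not opened on networks marked Public.
Get-NetFirewallRule -DisplayName $ruleNames |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Enable-NetFirewallRule

# 4. Report what is now in effect.
$modeNames = @{ 0 = 'disabled'; 1 = 'full control, ask user'; 2 = 'full control, no prompt'
                3 = 'view only, ask user';  4 = 'view only, no prompt' }
$mode = (Get-ItemProperty -Path $policyKey -Name Shadow).Shadow
"RDP enabled : $((Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0)"
"Shadow mode : $mode ($($modeNames[[int]$mode]))"
Get-NetFirewallRule -DisplayName $ruleNames |
    Select-Object DisplayName, Profile, Enabled, Direction |
    Format-Table -AutoSize
```

If group policy already sets the Shadow value, the GPO wins on the next refresh, so use the GPO option described above in a domain rather than this local script.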
Remotely connect to a user session via Remote Desktop Shadowing
Let’s see how to remotely connect to another user’s desktop session on a remote Windows computer using Remote Desktop Shadow Connection. In this example, I will connect to the user’s session from my Windows 11 computer on the user’s Windows 10 workstation.
The built-in Remote Desktop Connection tool (mstsc.exe) is used to shadow-connect to the user’s session. The command format is:
Mstsc.exe /shadow:<Session ID> /v:<Computer name or IP address>
You can also use one of the following mstsc options:
- /prompt – prompt for credentials to connect (if not specified, the current user’s credentials are used);
- /control – allows you to interact with the session. If this parameter is not set, you connect to the user session in view-only mode, that is, you cannot control the user’s mouse or type with the keyboard;
- /noConsentPrompt – Do not prompt the user to confirm that they are connected to the desktop session.
Now you need to find out the user name and session ID on the remote computer (if the user works directly on the computer console, the session ID will always be 1).
Let’s display a list of user sessions on a remote computer (this could be a desktop computer running Windows 11/10 or a Windows Server with the Remote Desktop Services host role).
Let’s remotely request a list of sessions on a Windows 10 workstation using this command:
qwinsta /server:PC_Name01
In this example, you can see that there is only one user logged on to the computer, working directly on the computer console (SESSIONNAME=console) with session ID 1.
Let’s try to connect remotely to this user’s desktop via a shadow connection. Run the command:
Mstsc /shadow:1 /v:PC_Name01
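The two steps above (qwinsta, then mstsc) scripted together, as an added example that is not part of the original article. It assumes you are a local administrator on the target and that the firewall rules from the previous section are enabled; PC_Name01 and user1 are placeholders.

```powershell
# Added example (not from the original article): list sessions on a remote computer by
# parsing qwinsta output, then build the mstsc shadow command for a given user.
function Get-RemoteSession {
    param([Parameter(Mandatory)][string]$ComputerName)

    $lines = @(qwinsta /server:$ComputerName 2>&1)
    if ($LASTEXITCODE -ne 0) { throw "qwinsta failed against ${ComputerName}: $lines" }

    # SESSIONNAME is empty for disconnected sessions and ID is right-aligned (the listener
    # shows 65536), so splitting on whitespace shifts columns. Cut SESSIONNAME at the
    # header offset of USERNAME and parse the remainder with a regex instead.
    $userStart = $lines[0].IndexOf('USERNAME')
    foreach ($line in $lines | Select-Object -Skip 1) {
        if ($line.Length -le $userStart) { continue }          # blank or truncated line
        $name = $line.Substring(1, $userStart - 1).Trim()     # column 0 holds the '>' marker
        $rest = $line.Substring($userStart)
        if ($rest -match '^\s*(?<user>\S+)?\s+(?<id>\d+)\s+(?<state>\S+)') {
            [pscustomobject]@{
                ComputerName = $ComputerName
                SessionName  = $name
                UserName     = $Matches.user
                ID           = [int]$Matches.id
                State        = $Matches.state
            }
        }
    }
}

function Get-ShadowCommand {
    # Returns the mstsc command line instead of running it, so it can be reviewed first.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [switch]$Control          # omit for view-only mode, as in the article
    )
    $session = Get-RemoteSession -ComputerName $ComputerName |
        Where-Object { $_.UserName -eq $UserName -and $_.State -eq 'Active' } |
        Select-Object -First 1    # an RDS host may hold several sessions for one user
    if (-not $session) { throw "No active session for $UserName on $ComputerName" }

    $opts = @("/shadow:$($session.ID)", "/v:$ComputerName")
    if ($Control) { $opts += '/control' }
    "mstsc.exe $($opts -join ' ')"   # consent prompt stays on: /noConsentPrompt is not added
}

# Usage (PC_Name01 and user1 are placeholders):
Get-RemoteSession -ComputerName PC_Name01 | Format-Table -AutoSize
Get-ShadowCommand -ComputerName PC_Name01 -UserName user1
```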
The Windows user will be asked to confirm that an administrator is connecting to their session:
Remote connection request PC\admin is requesting to view your session remotely. Do you accept the request?
If the remote computer does not support shadowing, the connection fails with the error: The version of Windows running on this server does not support user shadowing.
If the user accepts the connection, you will connect to their console session and see the user’s desktop. You will see all user actions, but will not be able to control (interact with) this session. If you want to control the session, use the /control option in the mstsc command. In this case, the caption in the window title changes from Viewing username (sessionID 1) on computername to Controlling…
If the user session is locked because the user is inactive, or if a UAC elevation prompt appears while you are connected without the mstsc /control parameter, the shadow session window turns black and a pause symbol appears on it.
If the user has a UAC prompt on the secure desktop, the shadow session goes into a suspended state. After the user confirms the UAC action, your shadow session resumes.
- Use the keyboard shortcut Ctrl + Alt + Break to resize the shadow connection window to fit the entire screen of your desktop;
- press Alt+* on the computer (or Ctrl+* on the RDS server) to end the shadow session.
You can notify a user that someone is connecting to their session remotely via an RDP shadow connection by using the following PowerShell script:
while($true){
    if (Get-Process -Name "RdpSa" -ErrorAction SilentlyContinue){[console]::beep(1000,500);Write-Host "RdpSa is running at $(Get-Date)"}
    Start-Sleep -Seconds 1
}
You can run this PowerShell script as a Windows service. In this example, we are notifying the user with a simple beep. In addition, you can show a pop-up notification on the desktop.
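A variant of that watcher with the pop-up notification mentioned above, as an added example that is not part of the original article. It reacts once per new RdpSa.exe instance instead of beeping every second while one runs, uses the WScript.Shell Popup method for the message, and the log file location is an assumption.

```powershell
# Added example (not from the original article): announce each new shadow connection once,
# with a pop-up and a log line. Run it in the user's interactive session (e.g. a logon task).
$shell    = New-Object -ComObject WScript.Shell
$logPath  = "$env:LOCALAPPDATA\shadow-connections.log"   # assumed location, change as needed
$announced = @{}   # process IDs of RdpSa.exe instances that have already been reported

while ($true) {
    $procs = @(Get-Process -Name RdpSa -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        if (-not $announced.ContainsKey($p.Id)) {
            $announced[$p.Id] = $true
            $msg = "Someone connected to your session via Remote Desktop Shadow at " +
                   "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') (RdpSa.exe PID $($p.Id))."
            Add-Content -Path $logPath -Value $msg
            [console]::beep(1000, 500)
            # Popup(text, seconds until auto-close, title, type): 0x30 = exclamation icon + OK button
            $shell.Popup($msg, 10, 'Remote session shadowing', 0x30) | Out-Null
        }
    }
    # Forget instances that have exited so the next shadow session is announced again.
    $alive = $procs | ForEach-Object Id
    foreach ($id in @($announced.Keys)) {
        if ($alive -notcontains $id) { $announced.Remove($id) }
    }
    Start-Sleep -Seconds 1
}
```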
You can query the shadow connection history on a user’s computer from the Windows Event Log. All events of interest can be found in the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log in Event Viewer:
- Event ID 20508 – shadow view allowed
- Event ID 20503 – shadow view session started
- Event ID 20504 – shadow view session paused
You can get the shadow connection log from the user’s computer using PowerShell:
$EventIds = 20508,20503,20504
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";ID=$EventIds}
Remote Desktop Shadowing is available in Windows 11/10/8.1 and Windows Server 2022/2019/2016/2012 R2. Thus, you can use Remote Desktop Shadowing as an analogue of Remote Assistance or Teamviewer/AnyDesk, providing quick and secure access to users’ computers on the local corporate network.