For each successful connection to a remote computer, the RDP client in Windows (mstsc.exe) saves the remote computer name (or IP address) and the username used to log on. On the next start, the RDP client offers the user a list of previously used connections: the user selects the name of the remote RDP server from the list, and the client automatically fills in the username used to log in.
This is convenient for the end user, but unsafe from a security point of view, especially when the RDP connection is initiated from a public or untrusted computer.
Information about remote desktop (terminal) sessions is stored individually in each user's profile, i.e. an ordinary (non-administrator) user can't view another user's RDP connection history.
In this article we will explain where Windows stores the history of Remote Desktop connections and saved credentials, and how to clear it.
How to delete RDP connections cache from the registry
Information about all RDP connections is stored in the registry of each user. It's impossible to remove a computer (or computers) from the list of RDP connections using built-in Windows tools; you have to delete some registry keys manually.
- Run the registry editor regedit.exe and navigate to HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client;
- You need two registry keys: Default (stores the history of the last 10 RDP connections) and Servers (contains the list of all RDP servers and the usernames previously used to log in);
- Expand the registry key HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, which contains the list of the 10 IP addresses or DNS names of remote RDP servers used most recently (MRU, Most Recently Used). The name (or IP address) of each remote desktop server is kept in a value named MRU*. To clear the history of the most recent RDP connections, select all values named MRU0-MRU9, right-click and select Delete;
- Next, expand HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers. It contains the list of all RDC (Remote Desktop Client) connections that have ever been established from this computer. If you expand the subkey named after a server (its name or IP address), the UsernameHint value shows the name of the user who connected to it over RDP;
- To clear the history of all RDP connections and saved user names, you must clean out the contents of the Servers registry key. Since it's impossible to select all the subkeys at once, it's easier to delete the entire Servers key and then recreate it manually;
- In addition to these registry keys, you need to delete the default RDP connection file (which contains information about the latest RDP session), Default.rdp (a hidden file located in the Documents folder).
How to clear the RDP connection history using a script
Above we discussed how to clear the remote desktop history manually through the registry. However, doing it manually (especially on multiple computers) is time consuming, so we offer a small script (BAT file) that clears the history automatically.
To automate the RDP history cleanup, you can put this script in the startup folder or deploy it to computers using Group Policy.
@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd /d "%userprofile%\Documents"
attrib -s -h Default.rdp
del Default.rdp
Let’s consider all the actions of the script:
- Disable command echoing to the console
- Delete all the values in the registry key HKCU\Software\Microsoft\Terminal Server Client\Default (clears the list of recent RDP connections)
- Delete the entire contents of HKCU\Software\Microsoft\Terminal Server Client\Servers (clears the RDP connection history and the saved user names)
- Recreate the registry key that was just deleted
- Go to the directory containing the Default.rdp file
- Remove the Hidden and System attributes from Default.rdp (it has both by default)
- Delete the Default.rdp file
In addition, you can clear the history of RDP connections using the following PowerShell script:
# Remove the saved user name hint from every server entry
Get-ChildItem 'HKCU:\Software\Microsoft\Terminal Server Client' -Recurse | Remove-ItemProperty -Name UsernameHint -ErrorAction SilentlyContinue
# Delete the Servers key (connection history) and the MRU values (recent connections)
Remove-Item -Path 'HKCU:\Software\Microsoft\Terminal Server Client\Servers' -Recurse -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Terminal Server Client\Default' -Name 'MRU*' -ErrorAction SilentlyContinue
# Delete the hidden Default.rdp file from the user's Documents folder
$docs = [Environment]::GetFolderPath('MyDocuments') + '\Default.rdp'
Remove-Item $docs -Force -ErrorAction SilentlyContinue
If you want to disable the remote desktop history completely, you can try to prevent everyone from writing to these registry keys (but note that this is an unsupported configuration).
Clearing cached RDP credentials
If, when establishing a new RDP connection, the user checks the Remember Me option before entering the password, the username and password are saved in the system Credential Manager. The next time you connect to the same computer, the RDP client automatically uses the previously saved password to authenticate to the remote desktop.
You can remove this password directly from the mstsc.exe client window: select the connection from the list of connections, click the Delete button, and confirm deletion of the saved credentials.
Alternatively, delete the saved password directly from the Windows Credential Manager. Go to Control Panel\User Accounts\Credential Manager, select Manage Windows Credentials and, in the list of saved passwords, find the computer name (in the format TERMSRV/192.168.1.100). Expand the found item and click the Remove button.
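Before clearing anything, an administrator or incident responder usually wants to see what the RDP client has actually stored for a user: the MRU list and UsernameHint values described above, the hidden Default.rdp, and the TERMSRV/ entries in Credential Manager. The following PowerShell audit script is an added example (not part of the original article); it only reads, must run in the context of the user whose profile is being inspected, and assumes English-language cmdkey output (the "Target:" label).

```powershell
# Added example: audit RDP connection history and cached credentials for the current user.
$base = 'HKCU:\Software\Microsoft\Terminal Server Client'

# 1. Most recently used servers: values MRU0..MRU9 under the Default key
$mru = @()
$default = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
if ($default) {
    $mru = $default.PSObject.Properties |
        Where-Object { $_.Name -like 'MRU*' } |
        Sort-Object { [int]($_.Name -replace '^MRU', '') } |
        ForEach-Object { [pscustomobject]@{ Slot = $_.Name; Server = $_.Value } }
}

# 2. Every server ever connected to, with the saved user name hint (one subkey per server)
$servers = Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Server       = $_.PSChildName
            UsernameHint = (Get-ItemProperty -Path $_.PSPath).UsernameHint
        }
    }

# 3. The hidden Default.rdp in Documents holds the settings of the last session
$defaultRdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
$rdpFile = Get-Item -Path $defaultRdp -Force -ErrorAction SilentlyContinue

# 4. Passwords saved by "Remember Me" are Credential Manager targets named TERMSRV/<host>.
#    cmdkey /list prints one "Target: ..." line per credential; keep only the RDP ones.
$termsrv = cmdkey /list |
    Where-Object { $_ -match 'Target:.*TERMSRV/' } |
    ForEach-Object { if ($_ -match 'TERMSRV/\S+') { $Matches[0] } }

'== Recent connections (MRU) =='
$mru | Format-Table -AutoSize
'== All servers and saved user names =='
$servers | Format-Table -AutoSize
'== Default.rdp =='
if ($rdpFile) { '{0} ({1} bytes, modified {2})' -f $rdpFile.FullName, $rdpFile.Length, $rdpFile.LastWriteTime } else { 'not present' }
'== Credential Manager TERMSRV entries =='
$termsrv
# To remove a single saved RDP password from the command line: cmdkey /delete:TERMSRV/<host>
```

The TERMSRV/ targets it lists are exactly the entries you would otherwise remove one by one in the Credential Manager UI described above.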
In a domain environment, you can disable saving passwords for RDP connections using the policy Network access: Do not allow storage of passwords and credentials for network authentication (see the separate article).