Enable Remote Desktop Sessions Shadowing on Windows Server RDS

Shadow connection mode in Windows allows administrators to connect to any user’s RDP/RDS session to view and interact with their desktop (with or without user consent). The Remote Desktop Shadowing mode is typically used to provide technical support to users on RDS servers. Shadow connections can be established to user RDP sessions in all modern versions of Windows, including Windows Server 2025, 2022, and 2019, as well as desktop versions such as Windows 11 and 10.

Shadow User Session on Windows Server RDS

Administrators can connect to an active RDP user’s session from the Server Manager GUI (on servers with the RDSH role installed) or via the command prompt using the built-in mstsc.exe tool.

Open the Server Manager console on the RDS server and navigate to the Remote Desktop Services section. Select your RDS collection (for example, QuickSessionCollection ).

The right pane shows the list of users with sessions on this RDSH host in this collection. Right-click on the desired user session and select Shadow from the drop-down menu.

Shadow Error - The specified session is not connected.

A form with shadow connection options will appear. You can either View or Control a user’s RDP session. Additionally, you can enable the Prompt for user consent option.

If this option is checked, the following request appears in the user’s RDP session:

Remote Monitoring Request
woshub\administrator is requesting to view your session remotely. Do you accept the request?

Once the user confirms the shadow connection, the administrator will be able to view the user’s desktop, but won’t be able to interact with it.

If the “Prompt for user consent” option is selected, a prompt will appear in the user session.

If a user rejects the administrative Shadow RDS connection, the following message appears:

Shadow Error: The operator or administrator has refused the request.

The following firewall rules must be enabled on the host to allow remote connection to the user session on it via RD Shadow mode.

• Remote Desktop – Shadow (TCP-In)
• Remote Desktop – User Mode (TCP-In)
• Remote Desktop – User Mode (UDP-In)

Remote Desktop Shadowing Using MSTSC Command

However, the built-in Windows RDP client (mstsc.exe) is a much more convenient tool because it provides several special options for connecting to a user session via Remote Desktop shadowing mode.

Mstsc.exe [/shadow:sessionID [/v:Servername] [/control] [/noConsentPrompt] [/prompt]]

• /shadow:ID – connect to the user’s RDP session with the specified ID;
• /v:servername – used to specify the hostname or IP address of the remote RDP/RDS host. If not set, connections are made to local user sessions on the current host;
• /control – allows to interact with the user session (desktop). The administrator can control the user’s mouse and input data from the keyboard. If this parameter is not set, the user’s session View mode is used;
• /noConsentPrompt – this option allows administrators to force a connection to any session without prompting users for confirmation;
• /prompt – allows to connect with other credentials (prompt for a username and password).

Therefore, to connect to a user’s desktop, you must first know the ID of their RDP session. Use the command:

quser or qwinsta

The command lists RDP sessions and includes information such as the username, ID, and status  (Active or Disconnected).

In the list, find the username you want to connect to and note its session ID (in this example ID= 3 ). To shadow this user’s RDP session in control mode, specify this ID in the command:

mstsc /shadow:3 /control

A shadow connection request will appear in the user’s session, and they can choose to either accept or decline it.

To list the logged-in users on a remote server, specify its FQDN or IP address in the command:

qwinsta /server:rdsh2

Use the following command to connect to a user session on a remote server:

Mstsc /v:rdsh2:3389 /shadow:3 /control

To connect to a user’s session without prompting, use the command:

mstsc /shadow:3 /control /noConsentPrompt

However, by default, Windows security settings prevent users from shadowing another user’s session without a prompt.

Shadow Error: The Group Policy setting is configured to require the user’s consent. Verify the configuration of the policy settings.

Next, let’s look at how to change the default shadow connections security settings in Windows

Configure Remote Desktop Shadowing Options via GPO

Use the Group Policy Editor (gpedit.msc) to modify the default configuration for shadowing RDS user sessions. The parameter Set rules for remote control of Remote Desktop Services user sessions, located under the User and Computer Configuration sections of the GPO:  Policies -> Administrative Templates -> Windows components -> Remote Desktop Services -> Remote Session Host -> Connections.

This policy can be used to configure the following Remote Desktop Shadow connection options:

• No remote control allowed (corresponds to the value of the registry parameter Shadow = 0);
• Full Control with user’s permission (1);
• Full Control without user’s permission (2);
• View Session with user’s permission (3);
• View Session without user’s permission (4).

This policy corresponds to the Shadow DWORD registry parameter in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services key (the available values of this parameter that correspond to the policy settings are indicated in parentheses). For example, to enable full control during a shadow session without notifying the user, create this registry parameter using the following command:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4

Shadowing RDS Session with PowerShell

You can also use the Shadow feature of Remote Desktop Services to connect to a user’s session from PowerShell. First, list the sessions on the RDS host (user sessions will be grouped according to their state):

Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate

The following BAT script can be used to more conveniently shadow RDP user sessions. It prompts you to enter the name of the remote RDS server, displays a list of active sessions, and prompts you to specify the session (ID) to which you want to connect to:

shadow.bat

@echo off
set /P rcomp="Enter name or IP of a Remote PC: "
query session /server:%rcomp%
set /P rid="Enter RDP user ID: "
start mstsc /shadow:%rid% /v:%rcomp% /control

Save this BAT file to the %Windir%\System32 directory. This will enable you to use the shadow command to initiate a shadow connection.

You can also use the PowerShell script with a GUI to list active RDP sessions on the local server (The script is available on our GitHub repository rds_shadow_gui.ps1):

https://github.com/maxbakhub/winposh/blob/main/RDS/rds_shadow_gui.ps1

Run the script, select the user account whose session you want to shadow, then click Connect.

An administrator can shadow a user’s session without the user’s knowledge. There are no notifications in the taskbar or on the desktop. You can set up automatic sound notifications for users when an administrator connects to their session via RD shadowing. Run the following PowerShell script at each user logon to play a sound alert when a shadow connection is detected.

while($true){
if (Get-Process -Name "RdpSa" -ErrorAction SilentlyContinue){[console]::beep(1000,500);(New-Object System.Media.SoundPlayer "C:\Windows\Media\chimes.wav").PlaySync();Write-Host "RdpSa is running at $(Get-Date)"}
Start-Sleep -Seconds 30
}

Audit Remote Desktop Shadow Session Usage in Windows

To audit the RDS Shadow connection logs, filter the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log by the following event IDs:

• Event ID 20510: Shadow View Permission Granted
• Event ID 20506: Shadow View Session Started
• Event ID 20507: Shadow View Session Stopped
• Event ID 20510: Shadow Control Permission Granted
• Event ID 20511: Shadow Control Permission Denied
• Event ID 20509: Shadow View Permission Denied
• Event ID 20510: Shadow Control Permission Granted

Using a simple PowerShell script, you can query Event Viewer and print information about who and when RD shadow connections were used on an RDS host.

$logName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
$eventIds = 20506, 20507
Get-WinEvent -FilterHashtable @{LogName = $logName; Id = $eventIds} | ForEach-Object {
$event = $_
$message = $event.Message
$timeCreated = $event.TimeCreated
Write-Host "Time: $timeCreated"
Write-Host "Event ID: $($event.Id)"
Write-Host "RD Shadow action: $message"
Write-Host "------------------"
}

How to Allow Non-Admin Users to Shadow Remote Desktop Sessions

In the above examples, local administrator permissions on the RDS host were required to shadow an RDP user session. However, you can allow a non-admin user to shadow RDP sessions without granting them local admin permissions on the computer or server.

For example, you want to allow members of the AllowRDSShadow group to use a shadow connection to RDP user sessions. Open the elevated command prompt (cmd.exe) and run the command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName=”RDP-Tcp”) CALL AddAccount “woshub\AllowRDSShadow”,2

Available TerminalServices access permissions:

• 0 = WINSTATION_GUEST_ACCESS
• 1 = WINSTATION_USER_ACCESS
• 2 = WINSTATION_ALL_ACCESS

Since the WMIC command is deprecated in newer versions of Windows, this change must be made using the Invoke-CimMethod command.

$group = "woshub\AllowRDSShadow "
(Get-CimInstance -Namespace "root\CIMV2\TerminalServices" -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'") |
Invoke-CimMethod -MethodName AddAccount -Arguments @{AccountName=$group; PermissionPreSet=2}

To remove shadow connection permissions for a group, run:

$group = "woshub\AllowRDSShadow"
$tsPermissions = Get-CimInstance -Namespace "root\CIMV2\TerminalServices" -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $tsPermissions -MethodName RemoveAccount -Arguments @{AccountName=$group}

Most common issues when using RD Shadowing:

• If the user’s RDP session is locked, or a UAC prompt appears on a Secure Desktop (enabled by default), then connecting via mstsc without the [/control] flag will cause the administrator to see a black desktop with a pause symbol. Using the [/control] option in the shadow connection prevents the UAC prompt from showing on a Secure Desktop.  
• If the RD Shadow window displays a black screen instead of the published RemoteApp program image when shadowing a RemoteApp session, disable the Use advanced RemoteFX graphics for RemoteApp option in the GPO.