Remote Desktop

最後更新: 2019-08-10



  • mstsc.exe path
  • Sent "Ctrl + Alt + Del"
  • reboot & shutdown
  • Other Hotkey
  • 設定 idle 時的 timeout
  • Change the TCP Port
  • Account Policies Policy
  • RD - Disable Administrator Login
  • Security Log in Event Viewer does not store IPs
  • 網路層級驗證
  • Console Session
  • RDP Version


mstsc.exe path




Sent "Ctrl + Alt + Del"




reboot & shutdown


[方法1] hotkey

Alt + F4

[方法2] CMD

C:\Windows\System32\shutdown.exe /t 10 /r /f /c "by shortcut"


Other Hotkey


CTRL+ALT+BREAK         全螢幕模式之間切換


設定 idle 時的 timeout


Terminal Server:

Connection object:

tscc.msc--> right-click RDP-Tcp-->Properties-->Sessions tab


Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions


HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\terminal services\MaxIdleTime

Server08 R2

Administrative Tools -> Terminal Services -> "Remote Desktop Session Host Configuration"

* Timeout and reconnection settings configured by using "Remote Desktop Session Host Configuration"

   it will take precedence over timeout and reconnection settings that have been configured for a specific user account.


Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services ->

Remote Desktop Session Host -> Session Time Limits

- 使用者會在工作階段中斷連線前兩分鐘收到警告訊息
- 停用 => 無限期保持使用中但閒置狀態

When session limit is reached or connection is broken:

  • Disconnect - To disconnect the user from the session, allowing the session to be reconnected
  • End session -  Any running applications are forced to shut down, which can result in loss of data at the client

For a domain user account

idle time for a session:

<1> For a domain user account

Active Directory Users and Computers ->

<username> -> Sessions tab -> Idle session limit

End a disconnected session

Amount of time that a disconnected user session is kept active on the RD Session Host server.

When a session is in a disconnected state, running programs are kept active.

Idle session limit

amount of time that an active Remote Desktop Services session can be idle (without user input)

before the session is automatically disconnected or ended.

When a session limit is reached or connection is broken

Specify whether to disconnect or end the user's Remote Desktop Services session

when an active session limit or an idle session limit is reached.

<2> Group Policies


Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Sessions

<3> Terminal Services Configuration

Connections -> Properties



Change the TCP Port


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber



Listen 多一個 Port


OS Window 7

Run REGEDIT on your TS.

Export the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Terminal Server\WinStations\RDP-Tcp

Edit the REG file

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Terminal Server\WinStations\RDP-Tcp\



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Terminal Server\WinStations\RDP-Tcp-33389

# 33389 = 000826D

** 不用 reboot !!


netstat -n -l -p tcp


在 S2008 的 TS 上時, 要人手 Stop / Start "RDP-Tcp-33389" Service 一次


Account Policies Policy


Account Policies -> Account Lockout Policy

    Account lockout threshhold -                        0 = administrator explicitly unlocks it
    Reset account lockout counter after -           minutes that must elapse after a failed logon
    Account lockout duration


A successful authentication resets the failed attempts counter


 MaxDenials is the maximum number of failed attempts before the account is locked out.
 ResetTime (mins)
Manually resetting an account that is locked out
  registry subkey for the user account is deleted.


RD - Disable Administrator Login


Workgroup Solution:

  1. Right-click on Computer and select Properties
  2. Advanced System Properties
  3. Adds the user to the Remote Desktop Users group


Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment
"Allow log on through Remote Desktop Services"

Open the Allow log on through Remote Desktop Services policy and remove the Administrators item.


To use the Ctrl-Alt-Insert combo in Microsoft RDP


perform the following configuration:

    Open the Remote Desktop Connection utility.
    Click Options.
    Open the Local Resources tab.
    Change the value for Apply Windows key combinations option under Keyboard to On the remote computer.

All key combinations are sent to the remote desktop connection.



Security Log in Event Viewer does not store IPs


Introducing TLS/SSL as Remote Desktop authentification, Windows does not log the source IP address of the failed login anymore. Within the event log you will just find the audit failure 4625 with NULL SID and no IP address.

Configure the Terminal Services

"Terminal Services Configuration Tools"

Connections -> RDP-Tcp -> Properties

General tab -> Security Layer

Remote desktop


Available security layers

SSL (TLS 1.0) SSL (TLS 1.0)

will be used for server authentication and for encrypting all data transferred between the server and the client.


The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used. This is the default setting.

RDP Security Layer

Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.


By default, RD Session Host sessions use native RDP encryption. However, RDP does not provide authentication to verify the identity of an RD Session Host server. You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications.


How to identify the attacker and to protect your system even when the Windows event 4625 does not show an IP address

Install Cyberarms Intrusion Detection (IDDS), enable the TLS/SSL security agent, and you'll be fine. IDDS monitors network connections and locks out attackers before they are able to break in.


This is a feature of TLS/SSL encryption of remote desktop. Using the RDP encryption instead (original protocol encryption) you will see all of the IP addresses in 4625 audit messages.


Computer Configuration\Windows Settings\Security Settings\Security Options

Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts


Do not allow for passwords to be saved -- Enabled
Prompt for credentials on the client computer -- Enabled


Event Log



21: 工作階段登入成功
23: 工作階段登出成功
24: 工作階段已中斷連線
25: 工作階段重新連線成功




Server 2012 R2 Default 有 網路層級驗證

所以 XP 不能連它, 如果想連, 那就要關閉"網路層級驗證"


1. gpedit.msc

2. 電腦設定/系統管理範本/Windows 元件/遠端桌面服務/遠端桌面工作階段主機/安全性

透過使用網路層級驗證以要求對遠端連線進行使用者驗證 <- 設成(已停用)


Console Session


mstsc -console IP


RDP Version


Windows XP SP3 + KB969084 (

RDP verion 會升級到 7.0, 但不支援"網路層級驗證"




在 VM 內用到 Graphic 卡資源

  • VM Guest: 加 HW: RemoteFX 3D 視訊卡 (dxdiag ( 會見到所有加速都啟用了))
  • VM Host: Hyper-V (遠端桌面虛擬主機)

Windows virtual desktops

Remote Desktop Virtualization Host is new to R2 and installs on the Hyper-V box,

monitoring and preparing VMs as directed by the RD Connection Broker.

When you install Remote Desktop Virtualization Host on a server,

Hyper-V will be installed if not already present.

Delivered as part of S2008 R2 SP1

It allows the end user to work remotely

 - Windows Aero desktop environment,
 - watch videos  (RemoteFX Calista Codec)
 - run 3D applications (provides VMs with access to the physical GPU)
 - redirecting USB devices into Windows 7 VMs

Client computers

RDP >= 8.0


l3codeca.acm error


Win7 event log 6281

Code Integrity determined that the page hashes of an image file are not valid.

The file could be improperly signed without page hashes or corrupt due to unauthorized modification.

The invalid hashes could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume2\Windows\System32\l3codeca.acm

l3codeca.acm ?

l3codeca.acm, l3codecp.acm= MPEG Layer-3 Audio Codec for MSACM

An acm codec is a kind of program that works almost like a DLL.

l3codeca.acm       # advanced version (free, but  low bitrates)

l3codecp.acm       # professional version


when audio is redirected to the client and we load audiodg.exe,

it enumerates the codecs to get information from them.

Not all codecs are signed to load in a protected process and

if they are not this error is generated.

audiodg.exe (Win 7)

它是 Windows 音頻設備圖形隔離進程