Besides Remote Assistance, you can use Remote Desktop Session Shadowing to remotely connect to the Windows 10 user’s desktop. Most administrators are using this feature to connect to user sessions on the RDS servers running Windows Server 2012 R2 / Server 2016. However, a few of them know that session shadowing can be used to remotely view and manage a user desktop console session in Windows 10 as well. Let’s see how it works.
As you remember, if you try to connect to a Windows 10 computer using RDP, the session of a user working locally is knocked out (even if you enable multiple concurrent RDP sessions in Windows 10). However, you can connect to a console user session directly without locking it.
Suppose, you want to connect from a server running Windows Server 2012 R2 to the desktop of a user working locally on a workstation running Windows 10 Pro.
In order to establish shadow connection to a user session, you must use the standard RDP tool mstsc.exe. The command looks like this:
Mstsc.exe /shadow:<Session ID> /v:<Computer name or IP address>
You can also use one of the following options:
- /prompt – request a user credentials to connect (if not specified, you will be connected with the current user credentials);
- /control – the mode that allows to interact with the user session. If the parameter is not set, you will be connected to a user session in a view mode, i. e. you won’t be able to control a user’s mouse or enter data from the keyboard;
- /noConsentPrompt – allows not to prompt the user for confirmation to connect to a session.
Remote shadowing setting is configured using a Group Policy or by registry modification. You can configure whether you need to request the user confirmation to connect, and whether view or control is allowed in the shadow session.
The policy is located in the GPO editor section Computer Configuration -> Policies -> Administrative Templates -> Windows components -> Remote Desktop Services -> Remote Session Host -> Connections and called Set rules for remote control of Remote Desktop Services user sessions.
Instead of enabling the policy, you can set the necessary value in the DWORD registry parameter Shadow in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services registry key. The allowed values are:
0 – disable remote control;
1 — full control with user’s permission;
2 — full control without user’s permission;
3 — view session with user’s permission;
4 — view session without user’s permission.
By default, this registry parameter is not set and the shadow connection is performed in full control mode with user permissions.
To connect to a user session remotely using shadowing, the connecting account must have the administrator permissions and Remote Desktop (RDP) enabled on the Windows 10 computer (in the System Properties).
Let’s remotely request the list of sessions on Windows 10 workstation using this command:
qwinsta /server:192.168.1.90
As you can see, there is one console user session with the ID = 1 on this computer.
Let’s try to remotely connect to the user session 1 via a shadow connection. Run the command:
Mstsc /shadow:1 /v:10.10.11.60
The Windows 10 user will see the following request on the screen:
Remote connection request
PC\admin is requesting to view your session remotely. Do you accept the request?
If the user accepts the connection, you’ll connect to the Windows 10 console session and see the users’ desktop. You will see all user actions, but won’t be able to control this session.
If you check the network connections using TCPView, you can see that it is the RemoteRPC connection (not an RDP one using port TCP/3389). It means that a random TCP port from high RPC range is used for shadow connection. Mstsc.exe establishes the connection on the side of a connecting computer, and rdpsa.exe or rdpsaproxy.exe (depending on the Windows 10 build) processes the connection on the client side. So RemoteRPC must be enabled on the client:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
“AllowRemoteRPC”=dword:00000001
Remote Desktop Shadowing is available in Windows 10 / 8.1 and Windows Server 2012 R2 / 2016 / 2019. To allow shadowing on Windows 7 SP1 (Windows Server 2008 R2) clients, you will need to install the RDP client version 8.1 – KB2830477 (requires installation of the following updates – KB2574819 and KB2857650).
Thus, Remote Desktop Shadowing can be used as the substitute of Remote Assistance or TeamViewer in a local or corporate network.