
Assume the following scenario:

  1. I log on to a terminal server with RDP (Windows Server 2012 R2 or 2016).
  2. Another user connects to my session with the "mstsc.exe /shadow" command.
  3. I get the message to confirm this access, and I agree.
  4. Then, after a while, I would like to check if my session is still being shadowed.

Is there any way to perform this check? Any command, Win32 API, WMI query? So far, I was only able to find out that the rdpsaproxy.exe program is started in the shadowed session. That is almost enough, but this program also keeps running when the user denies access when prompted to accept the initial shadowing request. So detecting the presence of rdpsaproxy in the checked session is not enough to say that somebody is watching me.

I've noticed that the RdpSa.exe program, which is started when a session is being shadowed, creates a named event semaphore whose name is 'RDPSchedulerEvent' followed by some numbers. This object is created ONLY when the shadow request is accepted. This is a purely trial-and-error method, but it seems to work. I've put a sample program on GitHub: https://github.com/macmacy/chkshadow – macmac Oct 10 '19 at 11:17

1 Answer


You could bind a notification task to the events of the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event log:

  • 20503 - shadow watching started
  • 20504 - shadow watching stopped
  • 20506 - shadow control started
  • 20507 - shadow control stopped
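As an added example (not part of the answer above or of any project), the following PowerShell script queries the log named in the answer for the four shadow event IDs, maps them to the meanings the answer gives, and reports whether the most recent shadow event is a "started" one. The log name and event IDs come from the answer; the assumption that the newest event describes the current state, and the commented-out `schtasks.exe` registration line that binds a notification task to the start events, are mine.

```powershell
# Added example: read shadow start/stop events from the RemoteConnectionManager
# Operational log and evaluate the latest one. Event IDs and their meanings are
# taken from the answer; everything else is an assumption made for illustration.
# The log is normally readable only with administrative rights.

$LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# Event ID -> meaning, as listed in the answer.
$ShadowEvents = @{
    20503 = 'shadow watching started'
    20504 = 'shadow watching stopped'
    20506 = 'shadow control started'
    20507 = 'shadow control stopped'
}

function Get-ShadowEvents {
    # Return the most recent shadow events, newest first, with a human-readable meaning.
    param([int]$MaxEvents = 50)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = @($ShadowEvents.Keys) } `
                     -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id,
                          @{ Name = 'Meaning'; Expression = { $ShadowEvents[$_.Id] } },
                          Message
    }
    catch {
        # Get-WinEvent throws when nothing matches; treat that as "no shadow events".
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
}

function Test-ShadowActive {
    # Assumption: if the newest shadow event is a "started" event (20503/20506)
    # and no later "stopped" event (20504/20507) exists, shadowing is still active.
    $latest = Get-ShadowEvents -MaxEvents 1 | Select-Object -First 1
    if (-not $latest) { return $false }
    return ($latest.Id -eq 20503 -or $latest.Id -eq 20506)
}

Get-ShadowEvents | Format-Table -AutoSize
if (Test-ShadowActive) {
    Write-Host 'Latest shadow event is a START: a session may still be shadowed.'
} else {
    Write-Host 'No active shadow start event found.'
}

# To bind a notification task to the start events, as the answer suggests
# (uncomment to register; msg.exe is used here only as a visible notification):
# schtasks.exe /Create /TN "ShadowStartedNotify" /SC ONEVENT /EC $LogName `
#     /MO "*[System[(EventID=20503 or EventID=20506)]]" `
#     /TR "msg.exe * Shadowing of a session has started"
```

On a multi-user terminal server the newest event may belong to someone else's session; tying an event to your own session ID requires inspecting the event's message or XML payload, whose layout the answer does not give, so the script does not attempt it.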