How to check if session is being shadowed in Windows Terminal Server
Question
Assume the following scenario:
- I log on terminal server with RDP (Windows Server 2012 R2 or 2016)
- Another user connects to my session with "mstsc.exe /shadow" command.
- I get the message to confirm this access, and I agree.
- Then, after a while I would like to check if my session still being shadowed.
Is there any way to perform this check? Any command, Win32 API, WMI query? So far, I was only able to find out that rdpsaproxy.exe program is started in shadowed session. That is almost enough, but this program also keeps running when user denies access when prompted to accept initial shadowing request. So detecting presence of rdpsaproxy in check session is not enough to say that somebody is watching me.
1 answers
solution1
0 2021-02-11 13:47:36
You could bind a notification task to the events of Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event log:
- 20503 - shadow watching started
- 20504 - shadow watching stopped
- 20506 - shadow control started
- 20507 - shadow control stopped
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.