An internal Windows Remote Desktop client — a friendlier replacement for the
built-in Remote Desktop Connection (mstsc.exe). Save the hosts you connect
to as clickable tiles, optionally remember the password, and reconnect in one
click. Built with Tauri 2, React, and TypeScript.
Connections require the corporate VPN, exactly like
mstsctoday.
- Saved connections — add a host by its computer name (e.g.
L-abc123-SD) and it appears as a tile. Click the tile to launch the session. - Saved credentials (optional) — tick Save password and it's stored in
Windows Credential Manager (DPAPI-protected, never in plaintext). Because
it's stored under
TERMSRV/<ComputerName>,mstscreads it automatically and connects without prompting. With no saved password,mstscprompts as usual. - Username — leave it blank to use your logged-in Windows account, or set an
explicit
user,DOMAIN\user, oruser@domainper connection.
Under the hood the app generates a standard .rdp file and launches the OS
client mstsc.exe with it — so the session itself is the same trusted Windows
Remote Desktop experience.
| Concern | Approach |
|---|---|
| Launching a session | Generate a .rdp in %TEMP%\remote-desktop\, sign it, and run mstsc.exe |
| Storing connections | JSON file in the app config dir |
| Storing passwords | Windows Credential Manager via the windows crate (CredWrite/Read/Delete) at TERMSRV/<host> |
Signing .rdp files |
rdpsign.exe with a configured certificate thumbprint (see below) |
| Deploying module JARs | Copy over WinRM (PowerShell Remoting) using the host's saved credential |
A common task is swapping a JBoss module's JAR on a server and restarting to test
it. The app can push the JAR for you — no RDP session needed, since the copy
runs over WinRM (PowerShell Remoting) using the same credential mstsc uses.
- Configure modules — click Modules in the header and add each module as
a name + the full remote path of its JAR (including the file name), e.g.
C:\jboss\modules\com\acme\billing\main\billing-core.jar. These live inmodules.jsonin the app config dir and are shared across hosts. - Deploy — on a connection tile, click Deploy JAR, pick the module and a
local
.jar, and upload. The app backs up the existing remote file to a timestamped*.bak, copies the new JAR in, and verifies the size. - Restart JBoss — for now, restart the service from the Windows Services
app (
services.msc). Automating the restart is the planned next step.
Requirements: WinRM must be reachable on the server (domain-joined servers with Kerberos/Negotiate over 5985 work out of the box), and your account needs write access to the module path. If the host has no saved password, the deploy dialog prompts for one.
The April 2026 Windows security update (CVE-2026-26151) makes mstsc.exe
show a consent dialog every time it opens a .rdp file. When the file is
unsigned, it's the red "Caution: Unknown remote connection / Unknown publisher"
variant — and that variant has no "don't ask again" option, so it reappears
on every connect. (Typing a host directly into Remote Desktop Connection is
unaffected, which is why the built-in client doesn't show it but a file-launching
client like this one does.)
The app removes the warning by signing each generated .rdp with
rdpsign.exe before launch, using a certificate that Windows trusts as an .rdp
publisher. Signing is best-effort: if it isn't set up (or rdpsign fails) the
connection still launches — you just see the warning again.
On first launch the app provisions the signing certificate itself — no manual
step. In a background thread it creates a self-signed code-signing certificate,
trusts it for your account (CurrentUser Root + TrustedPublisher), registers
it as a trusted .rdp publisher (HKCU policy), and records its thumbprint at
%APPDATA%\com.curiouserlabs.remote-desktop\signing.json. It needs no admin
rights.
You'll see a one-time Windows prompt to trust the certificate — click Yes.
After that, connections are signed and the warning is gone. (If the cert is ever
removed, delete signing.json and relaunch to re-provision.)
The same logic is also available as a standalone script — useful for pre-seeding machines or re-running manually:
powershell -ExecutionPolicy Bypass -File scripts\Setup-RdpSigning.ps1On a locked-down machine, per-user settings can be overridden by machine Group
Policy and a self-signed root may be disallowed. In that case use a certificate
from your corporate CA (or a public CA) and have IT push the equivalent
machine policy under
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:
AllowSignedFiles(DWORD) =1TrustedCertThumbprints(REG_SZ) = the certificate thumbprint(s), uppercase, semicolon-separated
then set signing.json to that certificate's thumbprint.
Diagnosing a warning that won't go away — open the dialog and read the Publisher line:
- Still "Unknown publisher" → the file isn't being signed. Check that
signing.jsonexists with a thumbprint and that the cert is inCert:\CurrentUser\My(the first-run prompt may have been declined). - Shows the publisher name but still prompts → signing works, but the trust
isn't taking effect. On a managed machine that almost always means machine
Group Policy overrides the per-user
AllowSignedFiles/TrustedCertThumbprints(or blocks the self-signed root). This needs the machine policy above and a CA-issued cert from IT — a per-user self-signed cert can't win against it.
To temporarily revert to the pre-April-2026 behavior machine-wide, an admin can
set RedirectionWarningDialogVersion (DWORD) = 1 under
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client. Microsoft
flags this as temporary (a future update may remove it) and it weakens phishing
protection, so prefer signing.
- Windows 10/11 with WebView2 runtime (preinstalled on current Windows)
- Rust (stable) and Node.js 18+
- Visual Studio Build Tools with the Desktop development with C++ workload
npm install
npm run tauri dev # run the app with hot reloadnpm run tauri buildInstallers are written to src-tauri/target/release/bundle/ (NSIS .exe and
WiX .msi).
Replace the default icons by running:
npm run tauri icon path/to/logo.png # 1024x1024 source PNGRun these on a machine connected to the VPN:
- Launch the app; add a connection with a real server computer name.
- Click the tile →
mstscopens and prompts for the password → session connects. - Edit the connection, tick Save password, enter the password, save.
- Click the tile again → connects without a password prompt.
- Edit again, untick Save password, save → the credential is removed (next connect prompts again).
- Delete the connection → tile disappears and any saved password is purged.
- Run
scripts\Setup-RdpSigning.ps1, then click a tile → connect without the "Caution: Unknown remote connection" warning. (Before setup, expect the warning; the app still connects.) - Open Modules, add a module with a real remote JAR path. On that host's tile
click Deploy JAR, pick a local
.jar→ it uploads, backs up the old file (*.baknext to it on the server), and reports success. Restart JBoss viaservices.mscand confirm the new JAR is live.
See PHASE1_PLAN.md for the full plan and design decisions.