Unable to shadow a Windows 10 console user session #5656

Open
WayneSherman opened this issue Oct 14, 2019 · 7 comments

WayneSherman commented Oct 14, 2019

For Windows, the currently logged in user is called the "console" session. In recent versions of Windows, Microsoft changed the behavior when connecting via RDP to the console user session. For RDC 6.1 and above, the console user is no longer session 0, and the /console parameter is no longer used with mstsc.exe for connecting to the console user session.

I would like to make a feature request for FreeRDP to support "shadowing" an existing user session on Windows, particularly the console user.

On recent Windows computers, one can use "query session" to find the session ID of the console user, and then specify the session ID in mstsc using the "shadow" parameter (e.g. session ID 1):
mstsc.exe /v:host /shadow:1 /control /noConsentPrompt /prompt

To do the same in FreeRDP clients, it must implement Windows RDP shadow support. With a shadow connection, mstsc.exe doesn't use the standard RDP port 3389, but negotiates a high TCP port (not sure if this is strictly required).

More info on how it works on Windows is HERE and HERE.

@WayneSherman changed the title from "Unable to connect to a Windows 10 console user session" to "Unable to shadow a Windows 10 console user session" on Oct 14, 2019

@akallabeth (Member):

There is already the freerdp shadow server.
It mirrors the session of the user it is started from.

@hardening (Contributor):

From my understanding you ask for client shadowing with FreeRDP, but this requires some Windows RPC calls that we don't have right now (to shadow Windows 10 or even earlier versions).

@akallabeth (Member):

@hardening correct, the links are for client-side shadowing.
The RPC mechanisms are a bit of overkill for FreeRDP (think dependencies on Samba and others must be deployed/configured ...)
But if there is someone willing to implement, we'll happily merge ;)

@akallabeth (Member):

[MS-TSTS] is a starting point, but be aware it references quite a bunch of others.

@hardening (Contributor):

I'd say this issue is a duplicate of #3889

bud4 commented May 14, 2021

No RDP client with /shadow

@digitalsignalperson (Contributor):

> I'd say this issue is a duplicate of #3889

useful from that thread:

> @amluto this was recently discussed on our development mailing list.
>
> The /shadow parameter unfortunately involves other protocols and interfaces than RDP (SMB/RPC/..) and is too difficult to support. For details have a look at the mailing list thread regarding this: https://sourceforge.net/p/freerdp/mailman/message/35679299/

googling a bit, found a mention of rpcshadow2 here, maybe this helps:
https://blog.bitsadmin.com/blog/spying-on-users-using-rdp-shadowing#network

> On the network level, certain DCE/RPC packets can be observed when a shadowing session is starting on a host on the network:
>
> | Aspect | Wireshark filter | Notes |
> | --- | --- | --- |
> | In order to make a call to the UUID responsible for initiating the shadowing session, the named pipe SessEnvPublicRpc is opened | `smb2.filename == "SessEnvPublicRpc"` | It might be easier to have an IDS looking for clients that access this named pipe name. There might be other (legitimate) uses of this pipe apart from shadowing which I haven’t investigated. |
> | DCE/RPC bind to interface UUID 1257b580-ce2f-4109-82d6-a9459d0bf6bc | `dcerpc.cn_bind_to_uuid == 1257b580-ce2f-4109-82d6-a9459d0bf6bc` | This is the UUID of the SessEnv.dll library of the Remote Desktop Configuration (SessionEnv) service. This UUID only exports a single function (opnum 0) with the name RpcShadow2. |

Current workaround to shadow Windows from Linux is running a Windows 10 VM with VNC and then using mstsc.exe /v:host /shadow:1 /control /noConsentPrompt /prompt inside 🤪
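
The DCE/RPC bind row of the table quoted above, written as a detection check: this is an added example, not part of the thread or of FreeRDP, that parses a connection-oriented DCE/RPC bind PDU and reports whether it offers the SessEnv interface UUID. It assumes the PDU bytes have already been extracted from the SMB2 named-pipe traffic; `build_bind` and `OTHER_IF` are constructed sample inputs.

```python
import struct
import uuid

# Interface UUID quoted in the comment above (SessEnv, opnum 0 = RpcShadow2).
SHADOW_IF = uuid.UUID("1257b580-ce2f-4109-82d6-a9459d0bf6bc")
OTHER_IF = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed, for contrast
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")       # NDR transfer syntax
PTYPE_BIND = 11


def bind_interfaces(pdu):
    """Return the interface (abstract syntax) UUIDs offered in a DCE/RPC bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    little = bool(pdu[4] & 0x10)             # data representation: integer byte order
    frag_len = struct.unpack_from("<H" if little else ">H", pdu, 8)[0]
    body = pdu[:frag_len]                    # ignore bytes past this fragment
    if len(body) < 28:
        return []
    off, found = 28, []                      # context list follows the 28-byte prefix
    for _ in range(body[24]):                # n_context_elem
        if off + 24 > len(body):
            break                            # truncated context element
        raw = body[off + 4:off + 20]         # if_uuid after cont_id, n_transfer, reserved
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * body[off + 2]       # skip if_version and transfer syntaxes
    return found


def is_shadow_bind(pdu):
    """True when the bind offers the interface that exports RpcShadow2."""
    return SHADOW_IF in bind_interfaces(pdu)


def build_bind(if_uuid, call_id=1):
    """Constructed little-endian bind PDU with one context element (sample input)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<HH", 1, 0)
    ctx += NDR.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body


if __name__ == "__main__":
    for name, iface in (("shadow", SHADOW_IF), ("other", OTHER_IF)):
        print(name, is_shadow_bind(build_bind(iface)))
```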
