1. Eject USB Device

  • When logged on remotely with standard user privileges, it is not possible to eject a USB device from the Notification Area.

  • Make sure to log on remotely with administrative privileges (local Administrator or a member of the local Administrators group).

2. Help

"connection file" -- Specifies the name of an .RDP file for the connection.

/v:<server[:port]> -- Specifies the remote PC to which you want to connect.

/g:<gateway> -- Specifies the RD Gateway server to use for the connection. This
parameter is only read if the endpoint remote PC is specified with /v.

/admin -- Connects you to the session for administering a remote PC.

/f -- Starts Remote Desktop in full-screen mode.

/w:<width> -- Specifies the width of the Remote Desktop window.

/h:<height> -- Specifies the height of the Remote Desktop window.

/public -- Runs Remote Desktop in public mode.

/span -- Matches the remote desktop width and height with the local virtual desktop,
spanning across multiple monitors, if necessary. To span across monitors, the monitors
must be arranged to form a rectangle.

/multimon -- Configures the Remote Desktop Services session monitor layout to be
identical to the current client-side configuration.

/edit -- Opens the specified .RDP connection file for editing.

/restrictedAdmin -- Connects you to the remote PC in Restricted Administration mode. In
this mode, credentials won't be sent to the remote PC, which can protect you if you
connect to a PC that has been compromised. However, connections made from the
remote PC might not be authenticated by other PCs, which might impact application
functionality and compatibility. This parameter implies /admin.

/remoteGuard -- Connects your device to a remote device using Remote Guard. Remote
Guard prevents credentials from being sent to the remote PC, which can help protect your
credentials if you connect to a remote PC that has been compromised. Unlike Restricted
Administration mode, Remote Guard also supports connections made from the remote PC
by redirecting all requests back to your device.

/prompt -- Prompts you for your credentials when you connect to the remote PC.

/shadow:<sessionID> -- Specifies the ID of the session to shadow.

/control -- Allows control of the session when shadowing.

/noConsentPrompt -- Allows shadowing without user consent.

3. Move Off-screen Window

  • Select the application either by choosing it in the taskbar or by pressing Alt+Tab.

  • Press Alt+Space and select Move.

  • Use the arrow keys to move the window back onto your screen.

4. Usage

  • Enter the following commands at a PowerShell Command Prompt.

    # Automatic.
    rdp
    rdp <Computer>
    rdp <Computer> -Shadow
    rdp <Computer> -Shadow -Control
    
    # Manual shadow.
    qwinsta.exe /server:<Computer>
    get-administratorpassword <Computer>
    mstsc.exe /shadow:<Id> /v:<Computer> /prompt
    # Type *.\Administrator* in the *User name* field.
    # Type the LAPS password in the *Password* field.
    # Click *OK*.
  • Enter the following commands at a PowerShell Command Prompt on the local computer.

    Show-Status -wifi
    scp.exe -p -i id_rsa-auto W:\Software\_Delta\Delta-Windows-Tools-#.#.#-x64.exe Administrator@SMRUWS-TB02:C:\Tmp
    scp.exe -p -i id_rsa-auto "W:\Software\Microsoft\Microsoft Teams new\teamsbootstrapper-1.36.52307.0.exe" Administrator@SMRUWS-TB02:C:\Tmp
    scp.exe    -i id_rsa-auto Administrator@SMRUWS-TB02:C:\SMRUWS-TB02.* .
    smru-putty Administrator@SMRUWS-TB02
    # In the PuTTY session on the remote computer: add the domain account to the "Remote Desktop Users" group.
    net localgroup "Remote Desktop Users" <Domain>\<User> /add
  • Enter the following commands at a PowerShell Command Prompt on the remote computer.

    dir C:\Tmp\Delta-Windows-Tools-#.#.#-x64.exe
    C:\Tmp\Delta-Windows-Tools-#.#.#-x64.exe
    Set-WindowsConfiguration
    Show-Inventory
  • Enter the following commands at a PowerShell Command Prompt on the local computer.

    Show-RemoteComputers
    rdp <Computer> <Port>
    rdp localhost -Force -Shadow
    rdp localhost -Force -Shadow -Control
    
    mstsc.exe /v:tbhf-web-mrm:<rdp port>
    
    scp.exe -p -P <ssh port> W:\Software\CrowdStrike\SMRU\WindowsSensor-6.38.15205.0.exe Administrator@tbhf-web-mrm:
  • Enter the following commands at a Command Prompt on the local computer.

    rem Logon as Administrator with PuTTY to computer using id_rsa-auto.ppk private key.
    smru-putty Administrator@<computer>
    smru-putty Administrator@localhost
    
    rem Logon as Administrator with SSH to computer using id_rsa-auto private key.
    smru-ssh Administrator@<computer>
    smru-ssh Administrator@localhost
    
    Show-RemoteComputers
    rdp <computer> <rdp port>
    smru-putty -P <ssh port> Administrator@tbhf-web-mrm
    smru-ssh -p <ssh port> Administrator@tbhf-web-mrm
    
    smru-putty -P <ssh port> Administrator@tbhf-web-mrm
    scp.exe -p -P <ssh port> W:\Software\CrowdStrike\SMRU\WindowsSensor-6.38.15205.0.exe Administrator@tbhf-web-mrm:
    scp.exe -p -P <ssh port> W:\Software\_Delta\Delta-Windows-Tools-#.#.#-x64.exe Administrator@tbhf-web-mrm:
  • Enter the following commands at a Command Prompt on the remote computer.

    scp.exe -p smru@10.10.1.2:/media/Windows/Software/_Delta/Delta-Windows-Tools-#.#.#-x64.exe C:\Tmp
    scp.exe -p smru@10.10.1.2:/media/Windows/Software/CrowdStrike/SMRU/WindowsSensor-6.38.15205.0.exe C:\Tmp
    scp.exe -p smru@10.10.1.2:/media/Windows/Software/CrowdStrike/TBHF/WindowsSensor.MaverickGyr-6.38.15205.exe C:\Tmp
  • Note: For the rdp and smru-putty aliases to work, make sure the id_rsa-auto.ppk file is in your home folder.

  • Note: For the smru-ssh alias to work, make sure the id_rsa-auto file is in your home folder.

  • Enter the following commands at a PowerShell Command Prompt on the local computer to list
    the ssh/sshd processes on tbhf-web-mrm that listen on a TCP port matching :[2-3][2-3]0.

    $Command = "lsof -i4tcp | grep '^ssh.*:[2-3][2-3]0.*LISTEN'"
    $Computer = "TBHF-WEB-MRM"
    $PrivateKey = "${Env:UserProfile}\id_rsa-auto"
    $User = "root"
    ssh.exe -i $PrivateKey $User@$Computer $Command
    # Quote the remote command: an unquoted | is a local PowerShell pipe, so grep would run
    # on the local computer instead of on the remote host.
    ssh.exe -i C:\Users\Douwe\id_rsa-auto root@tbhf-web-mrm "lsof -i4tcp | grep '^ssh.*:[2-3][2-3]0.*LISTEN'"
    ssh.exe -i C:\Users\Douwe\id_rsa-auto root@tbhf-web-mrm "lsof -i4tcp | grep '^ssh.*:220.*LISTEN'"
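  • The manual shadow procedure above (read the session ID from qwinsta, then mstsc /shadow /v /prompt)
    as one PowerShell function. This is an added example; it is not the page's own rdp alias and
    not vendor code. The names ConvertFrom-QwinstaOutput, Get-RemoteSession and Start-RdpShadow
    are chosen here. It assumes qwinsta.exe and mstsc.exe are on PATH, English (fixed-column)
    qwinsta headers, that the target's Group Policy permits shadowing (/noConsentPrompt only works
    where the policy allows control without the user's consent), and that .\Administrator with the
    LAPS password is entered at the /prompt dialog. The qwinsta output at the end is constructed
    for an offline check of the parser, not captured from a real host.

```powershell
# Added example (not the page's rdp alias): resolve a user's session ID on a remote
# computer from qwinsta.exe output and start an mstsc.exe shadow session.
# Assumptions: qwinsta.exe/mstsc.exe on PATH, English qwinsta headers, shadow rights
# on the target, LAPS password for .\Administrator typed at the /prompt dialog.

function ConvertFrom-QwinstaOutput {
    # Parse the fixed-width table printed by qwinsta into objects. Column offsets come
    # from the header line because SESSIONNAME or USERNAME may be blank and the ID
    # column is right-aligned under the "ID" header, so whitespace splitting fails.
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    begin { $col = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*SESSIONNAME\s+USERNAME\s+ID\s+STATE') {
                $col = @{
                    User  = $l.IndexOf('USERNAME')
                    IdEnd = $l.IndexOf('ID') + 2      # IDs end at this offset
                    State = $l.IndexOf('STATE')
                    Type  = $l.IndexOf('TYPE')
                }
                continue
            }
            if (-not $col -or $l.Trim() -eq '') { continue }
            $p   = $l.PadRight($col.Type + 1)                        # allow short lines
            $mid = $p.Substring($col.User, $col.IdEnd - $col.User)   # "USERNAME ... ID"
            if (-not ($mid -match '^(\S*)\s+(\d+)\s*$')) { continue }
            [pscustomobject]@{
                SessionName = $p.Substring(0, $col.User).Trim().TrimStart('>')  # > = own session
                UserName    = $Matches[1]
                Id          = [int]$Matches[2]
                State       = $p.Substring($col.State, $col.Type - $col.State).Trim()
            }
        }
    }
}

function Get-RemoteSession {
    # Sessions on a remote computer (wraps qwinsta.exe /server:<Computer>).
    param([Parameter(Mandatory)][string]$Computer)
    qwinsta.exe /server:$Computer | ConvertFrom-QwinstaOutput
}

function Start-RdpShadow {
    # Shadow (and optionally control) the active session of the given user.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$UserName,
        [switch]$Control,
        [switch]$NoConsentPrompt   # only where Group Policy allows control without consent
    )
    $session = Get-RemoteSession -Computer $Computer |
        Where-Object { $_.UserName -eq $UserName -and $_.State -eq 'Active' } |
        Select-Object -First 1
    if (-not $session) { throw "No active session for '$UserName' on $Computer" }

    $mstscArgs = @("/shadow:$($session.Id)", "/v:$Computer", '/prompt')
    if ($Control)         { $mstscArgs += '/control' }
    if ($NoConsentPrompt) { $mstscArgs += '/noConsentPrompt' }
    if ($PSCmdlet.ShouldProcess("$Computer session $($session.Id) ($UserName)",
                                "mstsc.exe $($mstscArgs -join ' ')")) {
        Start-Process -FilePath mstsc.exe -ArgumentList $mstscArgs
    }
}

# Offline check of the parser on constructed qwinsta-style output (not a real capture).
$fmt = '{0,-19}{1,-18}{2,9}  {3,-8}{4}'
$sample = @(
    ($fmt -f ' SESSIONNAME', 'USERNAME', 'ID',  'STATE',  'TYPE        DEVICE')
    ($fmt -f ' services',    '',         0,     'Disc',   '')
    ($fmt -f '>console',     'jdoe',     1,     'Active', '')
    ($fmt -f ' rdp-tcp#4',   'asmith',   2,     'Active', '')
    ($fmt -f '',             'bjones',   3,     'Disc',   '')
    ($fmt -f ' rdp-tcp',     '',         65536, 'Listen', '')
)
$sample | ConvertFrom-QwinstaOutput | Format-Table   # asmith -> Id 2 Active, bjones -> Id 3 Disc

# Usage (enter .\Administrator and the LAPS password at the /prompt dialog):
#   Start-RdpShadow -Computer SMRUWS-TB02 -UserName asmith -Control
```

    The parser keys on the English header names, so on a localized Windows it will return
    nothing and Start-RdpShadow throws instead of shadowing the wrong session; shadowing a
    disconnected session is refused for the same reason (mstsc /shadow needs an active one).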

5. Dump TermService Process Memory

  • Enter the following commands at a Command Prompt with administrative privileges.

    :: Find the PID of the process listening on port 3389 (netstat -b needs an elevated prompt).
    netstat.exe -nob | Findstr.exe /ric:"3389"
    
    :: Note: The following command will trigger a CrowdStrike incident.
    C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <Id> O:\Tmp\dump.txt full
  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    # netstat -b prints the owning service name (TermService) on the line after the connection
    # line, so the PID is the last field of the preceding (PreContext) line. The RDP port usually
    # has an IPv4 and an IPv6 listener, hence -Unique.
    $Process = netstat.exe -nob | Select-String TermService -Context 1,0
    $Id = (($Process.Context | Select-Object -ExpandProperty PreContext) -replace "^.* ", "") | Select-Object -Unique
    Get-Process -Id $Id | Format-List *
    
    # Note: The following command will trigger a CrowdStrike incident.
    C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $Id O:\Tmp\dump.txt full