Beyond good ol’ Run key, Part 45

August 26, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

RDP was a feature guest in the last two parts of the series. Time for the third visit as there is still something to write about…

Using dedicated addins one can change the behavior of RDP session by leveraging a mechanism that Microsoft calls Virtual Channels.

Quoting directly from the web site:

Virtual channels are software extensions that can be used to add functional enhancements to a Remote Desktop Services application. Examples of functional enhancements might include: support for special types of hardware, audio, or other additions to the core functionality provided by the Remote Desktop Services Remote Desktop Protocol (RDP). The RDP protocol provides multiplexed management of multiple virtual channels.

The mechanism is implemented using DLLs, and since it is a legitimate feature its implementation and persistence mechanism are very well documented on the web site.

While the web site describes the HKCU keys only:

  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins
  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\connection\Addins

the HKLM works as well (at least for the Default; I have not tested the connection ones cuz it’s Friday 🙂 ).


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\Default\Addins\Malware
    Name  = c:\test\test.dll


Unlike the ClxDllPath Path presented in part 44, the Addins DLLs are loaded not immediately after mstsc.exe is launched:


but only after the actual connection with the remote system is established:

virtchan2Note: If you want to test it, make sure that the DLL you want to load matches the mstsc.exe architecture (32- or 64-bit)


Comments are closed.