{"id":2435,"date":"2025-03-07T10:01:52","date_gmt":"2025-03-07T10:01:52","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/07\/enabling-incognito-mode-in-rdp-to-hide-all-the-traces\/"},"modified":"2025-03-07T10:01:52","modified_gmt":"2025-03-07T10:01:52","slug":"enabling-incognito-mode-in-rdp-to-hide-all-the-traces","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/07\/enabling-incognito-mode-in-rdp-to-hide-all-the-traces\/","title":{"rendered":"Enabling Incognito Mode in RDP to Hide All the Traces"},"content":{"rendered":"

Enabling Incognito Mode in RDP to Hide All the Traces
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Microsoft\u2019s Remote Desktop Protocol (RDP)<\/a> has introduced a lesser-known but critical security feature colloquially referred to as \u201cincognito mode\u201d through its \/public command-line parameter.\u00a0<\/p>\n

This functionality, formally called public mode, prevents the client from storing sensitive session artifacts\u2014a development with significant implications for cybersecurity, digital forensics, and enterprise IT management.<\/p>\n

According to Devolutions, public mode activates when launching mstsc.exe (Microsoft Terminal Services Client) with the \/public flag, disabling key data retention mechanisms:<\/p>\n

Connection Settings:<\/strong> Normally stored in the hidden %USERPROFILE%DocumentsDefault.rdp file, public mode blocks updates to this configuration repository:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Administrators can manually edit it via notepad \u201c~DocumentsDefault.rdp\u201d, but session-specific changes evaporate post-disconnection.<\/p>\n

Credential Caching: <\/strong>The Windows Credential Manager typically stores RDP credentials under TERMSRV\/ entries. Public mode disables both retrieval and storage, forcing manual authentication each time. Forensic analysts<\/a> often query these using:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

This command becomes obsolete in public sessions as no new credentials persist, reads the report<\/a>.<\/p>\n

Persistent Bitmap Cache: <\/strong>RDP optimizes performance by caching screen fragments in %LOCALAPPDATA%MicrosoftTerminal Server ClientCache.\u00a0<\/p>\n

Public mode deactivates this, though administrators can independently disable it via BitmapCachePersistEnable:i:0 in RDP files.\u00a0<\/p>\n

Forensic tools<\/a> like BMC-Tools (GitHub<\/a>\/ANSSI-FR) extract bitmap artifacts from these caches, which public mode renders inert.<\/p>\n

Implications and Countermeasures<\/strong><\/h2>\n

Public mode alters registry interactions critical to incident investigations:<\/p>\n

MRU Server List: <\/strong>The 10 most-recently-used servers, stored in HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientDefault, cease updating. Attackers leveraging compromised systems leave no new IP\/DNS trails.<\/p>\n

Username Hints:<\/strong> Registry keys like HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers<IP>UsernameHint typically reveal account names. Public mode blanks this field post-session.<\/p>\n

Certificate Exceptions: <\/strong>TLS trust overrides for invalid certificates, usually recorded in CertHash values under HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers, are blocked.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

This erases credentials, bitmap caches, and registry entries.<\/p>\n

Recommendations<\/strong><\/h2>\n

Public mode introduces usability trade-offs:<\/p>\n