TS Initial Program
Location:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin; User¹ |
| Security context | User |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | User initiated² |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
If the fInheritInitialProgram value is set to 1, the executable named in the InitialProgram value is started automatically on RDP connection.
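Audit example (added here, not part of the original entry): a PowerShell check that reads the three locations listed above and flags any key where fInheritInitialProgram is 1 and InitialProgram is non-empty. It goes slightly beyond the entry by also checking the same policy key in every user hive currently loaded under HKEY_USERS; the function name Get-TsInitialProgramFinding is hypothetical.

```powershell
# Added example: audit keys for the fInheritInitialProgram / InitialProgram pair.
# Run elevated to read other users' hives. Only loaded hives are visible.

$policySubKey = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$locations = @(
    "HKLM:\$policySubKey",
    "HKCU:\$policySubKey",
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

# Assumption beyond the entry: also cover the other loaded user hives (HKCU is
# only the current user). Skip the *_Classes hives and built-in service SIDs.
$locations += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$policySubKey" }

function Get-TsInitialProgramFinding {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # A value that does not exist reads as $null here.
        $inherit = $props.fInheritInitialProgram
        $program = [string]$props.InitialProgram

        [pscustomobject]@{
            Key                    = $key
            fInheritInitialProgram = $inherit
            InitialProgram         = $program
            # Condition from the description: flag set to 1 and a program named.
            Flagged                = ($inherit -eq 1) -and
                                     (-not [string]::IsNullOrWhiteSpace($program))
        }
    }
}

$findings = Get-TsInitialProgramFinding -Path $locations
$findings | Format-Table -AutoSize -Wrap

# Non-zero exit code when any key matches, for use in scheduled checks.
if ($findings | Where-Object Flagged) { exit 1 }
```

Keys that exist but carry neither value are still listed with Flagged = False, which gives a baseline to compare later runs against.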
References:
https://twitter.com/JacqBens/status/1560380971777662983