Terminal Server (ts) Module Documentation
The ts module in mimikatz provides tooling around Remote Desktop Services (Terminal Services).
Each command is invoked from the mimikatz console with the ts:: prefix.
| Command | Description |
|---|---|
| ts::multirdp | Experimental in-memory patch that enables multiple concurrent interactive sessions on a Remote Desktop Session Host. |
| ts::sessions | Enumerates Terminal Services sessions on the local or a remote host. |
| ts::remote | Initiates a shadow/remote-control connection into an existing session. |
| ts::logonpasswords | Experimental memory scanner that extracts credentials from the TermService process. |
| ts::mstsc | Experimental scanner that extracts cached connection properties (including secrets) from running mstsc.exe clients. |

ts::multirdp

Purpose: Patch termsrv.dll in the running Terminal Services process so the host allows multiple users to log in simultaneously without enforcing single-session restrictions.【F:mimikatz/modules/kuhl_m_ts.c†L10-L48】
Usage:
ts::multirdp
Flags: This command does not accept flags. It automatically detects the OS build and applies the matching patch in-memory. Use it when you need concurrent RDP sessions for administrative workflows or testing.
Operational notes:
TermService process memory.

ts::sessions

Purpose: Enumerate Remote Desktop sessions on a target host, including state, user context, connection times, lock status, and remote IP addresses.【F:mimikatz/modules/kuhl_m_ts.c†L50-L141】
Usage:
ts::sessions [/server:<hostname>]
Flags:
| Flag | Description | Why you would use it |
|---|---|---|
| /server:<hostname> | Connects to the specified remote server before enumerating sessions. Defaults to the local machine when omitted. | Use when you need to inventory sessions on a different host while executing mimikatz from another machine.【F:mimikatz/modules/kuhl_m_ts.c†L66-L79】 |
Operational notes:
* when running locally.【F:mimikatz/modules/kuhl_m_ts.c†L80-L97】
WinStationEnumerateW and related APIs to query the target.

ts::remote

Purpose: Request that Terminal Services connect (shadow) from one session into another, optionally authenticating with a password.【F:mimikatz/modules/kuhl_m_ts.c†L143-L178】
Usage:
ts::remote /id:<sessionId> [/target:<sessionId|current>] [/password:<secret>]
Flags:
| Flag | Description | Why you would use it |
|---|---|---|
| /id:<sessionId> | Identifies the source session you want to control. Required. | The API call cannot proceed without specifying which existing session will become the controller.【F:mimikatz/modules/kuhl_m_ts.c†L147-L153】 |
| /target:<sessionId> | Session to control. Defaults to the current session when omitted. | Allows you to shadow a specific remote session instead of whichever session you are currently in.【F:mimikatz/modules/kuhl_m_ts.c†L154-L160】 |
| /password:<secret> | Password used when the source session is password-protected. Defaults to an empty string. | Supplies credentials to avoid ERROR_LOGON_FAILURE when the source session requires authentication.【F:mimikatz/modules/kuhl_m_ts.c†L161-L171】 |
Operational notes:

ts::logonpasswords

Purpose: Scan the memory of the TermService process to locate cached plaintext or protected credentials associated with active Remote Desktop sessions.【F:mimikatz/modules/kuhl_m_ts.c†L180-L307】
Usage:
ts::logonpasswords
Flags: This command does not accept flags. It automatically opens the TermService process, maps its memory, and searches for credential structures.
Operational notes:

ts::mstsc

Purpose: Inspect running mstsc.exe (Remote Desktop Connection) client processes for cached connection properties and secrets.【F:mimikatz/modules/kuhl_m_ts.c†L309-L469】
Usage:
ts::mstsc [/verbose]
Flags:
| Flag | Description | Why you would use it |
|---|---|---|
| /verbose | Enables verbose tracing of each property block discovered in process memory. | Helps analysts understand context or troubleshoot parsing by printing internal offsets and metadata for every matched structure.【F:mimikatz/modules/kuhl_m_ts.c†L311-L360】【F:mimikatz/modules/kuhl_m_ts.c†L388-L434】 |
Operational notes:
mstscax.dll module to confirm the target process is an RDP client before scanning.【F:mimikatz/modules/kuhl_m_ts.c†L344-L354】
CryptUnprotectMemory when data is flagged as protected; otherwise falls back to hex output for unknown blobs.【F:mimikatz/modules/kuhl_m_ts.c†L435-L463】
multirdp, logonpasswords, mstsc) on production systems due to potential instability or incomplete parsing.
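
The memory-touching commands above (ts::multirdp, ts::logonpasswords, ts::mstsc) all have to open the TermService host process or an mstsc.exe client, which Sysmon can record as Event ID 10 (ProcessAccess). The following detection triage is an added example, not code from mimikatz or from this documentation's source. The event records, PID 1188, the allowlisted ExampleEDR path and the finding labels are constructed, and the set of TermService PIDs is assumed to come from your own service-to-PID inventory.

```python
# Added example: triage Sysmon Event ID 10 (ProcessAccess) records for
# memory access to the TermService host process or to mstsc.exe.
PROCESS_VM_READ = 0x0010   # Windows process access right
PROCESS_VM_WRITE = 0x0020  # Windows process access right

# Assumption: tools your environment expects to touch these processes.
ALLOWED_SOURCES = {r"c:\program files\exampleedr\agent.exe"}

def classify(event, termservice_pids):
    """Return a finding label for one ProcessAccess event, or None."""
    source = event["SourceImage"].lower()
    target = event["TargetImage"].lower()
    access = int(event["GrantedAccess"], 16)
    if source in ALLOWED_SOURCES:
        return None
    # TermService runs inside a shared svchost.exe, so match on PID too.
    is_termsvc = (target.endswith("\\svchost.exe")
                  and int(event["TargetProcessId"]) in termservice_pids)
    if is_termsvc and access & PROCESS_VM_WRITE:
        return "termservice-memory-write"   # in-memory patching pattern
    if is_termsvc and access & PROCESS_VM_READ:
        return "termservice-memory-read"    # memory scanning pattern
    if target.endswith("\\mstsc.exe") and access & PROCESS_VM_READ:
        return "mstsc-memory-read"          # client memory scanning pattern
    return None

def triage(events, termservice_pids):
    """Return (SourceImage, label) for every event that classify() flags."""
    hits = ((ev["SourceImage"], classify(ev, termservice_pids)) for ev in events)
    return [(src, label) for src, label in hits if label]

def _ev(source, target, pid, access):
    return {"SourceImage": source, "TargetImage": target,
            "TargetProcessId": pid, "GrantedAccess": access}

# Constructed sample events; PID 1188 stands in for the TermService host.
SVCHOST = r"C:\Windows\System32\svchost.exe"
MSTSC = r"C:\Windows\System32\mstsc.exe"
SAMPLE_EVENTS = [
    _ev(r"C:\Users\Public\tool.exe", SVCHOST, "1188", "0x1438"),
    _ev(r"C:\Users\Public\tool.exe", SVCHOST, "1188", "0x1010"),
    _ev(r"C:\Users\Public\tool.exe", MSTSC, "4020", "0x1010"),
    _ev(r"C:\Users\Public\tool.exe", SVCHOST, "900", "0x1010"),
    _ev(r"C:\Program Files\ExampleEDR\agent.exe", SVCHOST, "1188", "0x1010"),
    _ev(r"C:\Windows\System32\Taskmgr.exe", MSTSC, "4020", "0x1000"),
]

if __name__ == "__main__":
    for source, label in triage(SAMPLE_EVENTS, {1188}):
        print(f"{label:26} {source}")
```

Matching on the target PID matters because svchost.exe hosts many services, so an image-name match alone would flag routine access to unrelated service hosts.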