REW

Where Is The Remote Desktop Password Stored?

Published Aug 29, 2025 3 min read

When a user opts to save credentials for a Remote Desktop Protocol (RDP) connection, the password is not stored in the .rdp file itself. Instead, the credentials are securely saved in the Windows Credential Manager. The Credential Manager encrypts the data using the Data Protection API (DPAPI) and a key linked to the user's account, meaning the credentials can only be decrypted and used by that specific Windows user on the same machine.

How RDP credential storage works

Understanding where and how RDP credentials are saved involves examining a few components of the Windows operating system.

Windows Credential Manager

For most modern Windows versions (Windows Vista and later), this is the primary storage location for saved RDP credentials.

  • Encrypted Storage: When the "Allow me to save credentials" box is checked in the Remote Desktop Connection client (mstsc.exe), the password is encrypted and stored in the Windows Credential Manager.
  • Location: The stored credentials appear in the "Windows Credentials" section of the Credential Manager. The Credential Manager can be accessed by searching for "Credential Manager" in the Windows search bar or via the Control Panel.
  • Listing: Each saved RDP connection is listed with a name prefixed by TERMSRV/, followed by the remote computer's hostname or IP address.

RDP (.rdp) files

While .rdp files contain connection settings such as the server address and port, on recent Windows versions they do not store the password directly in an easily readable format.

  • Password Reference: Instead of the password, the .rdp file contains a reference to the credential entry in the Windows Credential Manager. This allows the Remote Desktop client to find and retrieve the correct, securely stored password when the connection is initiated.
  • Legacy Behavior: Older RDP clients (pre-version 6.0) stored credentials directly within the .rdp file, which was a significant security vulnerability.

The Windows Registry

The Windows Registry is another location where some information related to RDP connections can be found, particularly for advanced configurations.

  • Connection History: Registry keys store information about RDP connection history and other preferences, but they do not typically contain the plaintext password.
  • Location: Advanced users can find registry paths such as HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers, which contains a subkey for each remote server the user has connected to.
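
The TERMSRV/ entries in Credential Manager and the Servers registry key described above can be inventoried together to see which remote hosts have a saved password on a workstation. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, and it assumes the English-locale output of cmdkey.exe and the per-server UsernameHint registry value. It reads target names only, never the stored secrets.

```powershell
# Added example: audit saved RDP credential entries for the current user.

function Get-SavedRdpCredentialTarget {
    # Parses "cmdkey /list" lines such as this constructed sample:
    #   Target: Domain:target=TERMSRV/fileserver01
    param([string[]]$CmdkeyOutput = (cmdkey.exe /list))
    foreach ($line in $CmdkeyOutput) {
        if ($line -match 'target=(TERMSRV/\S+)') {
            [pscustomobject]@{
                Server = $Matches[1] -replace '^TERMSRV/', ''
                Target = $Matches[1]
            }
        }
    }
}

function Get-RdpServerHistory {
    # One subkey per remote server; UsernameHint holds the last user name typed.
    $key = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        [pscustomobject]@{
            Server       = $_.PSChildName
            UsernameHint = $_.GetValue('UsernameHint')
        }
    }
}

$saved   = @(Get-SavedRdpCredentialTarget)
$history = @(Get-RdpServerHistory)

# Merge both sources into one de-duplicated server list.
$servers = @($saved.Server) + @($history.Server) |
    Where-Object { $_ } | Sort-Object -Unique

# Report each server and whether a password is saved for it.
foreach ($s in $servers) {
    [pscustomobject]@{
        Server        = $s
        PasswordSaved = $saved.Server -contains $s
        UsernameHint  = ($history | Where-Object Server -eq $s).UsernameHint
    }
}

# After review, remove an unwanted entry with: cmdkey /delete:TERMSRV/<server>
```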

Caching in memory (LSASS)

When an RDP connection is active, the credentials are used by the Local Security Authority Subsystem Service (LSASS) process.

  • Security Risk: During an active session, credentials can exist in the memory of the lsass.exe process. This is a known vector for attackers, who can use tools like Mimikatz to dump memory and retrieve plaintext passwords from a compromised system.
  • Mitigation: Remote Credential Guard, a security feature from Microsoft, helps mitigate this risk by redirecting authentication requests and preventing credentials from being exposed on the remote machine.

Third-party RDP clients

Alternative RDP clients, such as Remote Desktop Manager by Devolutions or third-party tools on macOS, store credentials differently.

  • Secure Storage: Reputable third-party clients store credentials in their own secure, encrypted databases rather than relying on the Windows Credential Manager.
  • macOS Keychain: On macOS, the Microsoft Remote Desktop application stores passwords in the Keychain Access utility, using the operating system's built-in, secure credential storage.

Security implications

The method of storing RDP credentials has significant security implications:

  • Convenience vs. Security: Saving RDP credentials provides convenience but introduces a security risk. If a local computer is compromised, an attacker can access the saved RDP passwords for lateral movement across a network.
  • Malware and Attackers: Specialized malware, such as RDPThief, is designed to intercept or retrieve credentials from memory during an active RDP session.
  • Best Practices: Administrators should disable the ability to save passwords via Group Policy and utilize a dedicated, audited password vault or manager for storing credentials. Securing the local machine is the best defense for personal use.