Created: 01.06.2023

RDP Bitmap Cache. Windows developed RDPโ€”small chunks of screenshots. The size of each is 64x64 bit. And also, there is 1 huge sprite with all of them.

%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache
  • older - .bmc
  • newer - Cache####.bin where # is a number starting from 0

In case you investigate a successful RDP login to a specific machine, note that only in the case of the RDP login the โ€œWorkstation Nameโ€ field in the โ€œNetwork Informationโ€ section does not refer to the source machine name instead it refers to the name of the machine that recorded the event log (Target machine). be careful because such wrong information may miss leading your incident investigations. For the example in the screenshot, the โ€œpbeeslyโ€ account logged on the โ€œSCARNTONโ€ hostname from the source machine IP. If you want to find the source machine name you can use the Event IDs 4778 or 4779 recorded in the security events instead. https://www.linkedin.com/posts/mostafa-yahia-701b4b15a_in-case-you-investigate-a-successful-rdp-activity-7004505487912112130-W6Oo?utm_source=share&utm_medium=member_desktop


Expand… Something here