Decrypt RDP password stored in .rdg file
Solution 1
Here's a PowerShell script that will do the job...
Open the RDG file with Notepad to get the encrypted password. I found that RDG contained the 'profiles' I had saved, as well as the passwords saved per server.
Now use the same computer and Windows account that created the RDG file to run the following PowerShell commands to see the password. You have to use the same account to decrypt.
$PwdString = 'EnCryptEdStringFRoMRDGfile=='
Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\temp\RDCMan.dll'
Import-Module 'C:\temp\RDCMan.dll'
$EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
[RdcMan.Encryption]::DecryptString($PwdString, $EncryptionSettings)
Source: https://blog.prudhomme.wtf/use-powershell-to-decrypt-password-stored-in-a-rdg-file/ by THOMAS PRUD'HOMME
Solution 2
Use the following PowerShell script to decrypt all passwords in an RDG file in a single shot: https://github.com/nettitude/PoshC2/blob/master/resources/modules/Decrypt-RDCMan.ps1
In case the link fails here's the content for reference:
function Decrypt-RDCMan ($FilePath) {
<#
.SYNOPSIS
This script should be able to decrypt all passwords stored in the RDCMan config file
Function: Decrypt-RDCMan
Author: Ben Turner @benpturner, Rich Hicks @scriptmonkey_
.EXAMPLE
Decrypt-RDCMan -FilePath
#>
    if (!$FilePath) {
        [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings"
        $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*"
        $Xml | select-object -ExpandProperty "Node"| % {Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText}
    } else {
        [xml]$Types = Get-Content $FilePath
        $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials"
        # depending on the RDCMan version we may need to change the XML search
        $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" }
        # depending on the RDCMan version, we may have to use search through the #text field in the XML structure
        $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n"}
    }
}
function Decrypt-DPAPI ($EncryptedString) {
    # load the Security Assembly into the PS runspace
    Add-Type -assembly System.Security
    $encoding= [System.Text.Encoding]::ASCII
    $uencoding = [System.Text.Encoding]::UNICODE
    # try and decrypt the password with the CurrentUser Scope
    try {
        $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
        $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
        echo $myStr1
    }
    catch {
        # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails
        try {
            $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
            $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
            [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
            echo $myStr1
        }
        catch {
            echo "Could not decrypt password"
        }
    }
}
Execute the script in PowerShell ISE; that should register the functions. Then simply run:
Decrypt-RDCMan -FilePath MyRDGfile.rdg
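Because any process running as the saving user can recover these values, a useful first check is which .rdg files carry saved passwords at all. The function below is an added example, not part of the answers above or of the PoshC2 project: it inventories such files without decrypting anything. The name Find-RdgStoredPassword is hypothetical, and it assumes the encrypted value is the text of an element named password with the user name in a sibling element, as the Solution 2 script's `.Password` and `.Username` lookups suggest.

```powershell
# Added example: list saved-password entries in .rdg files without decrypting them.
# Assumption: the encrypted blob is the text of an element named "password" (any case)
# and the user name sits in a sibling element named "userName" (any case).
function Find-RdgStoredPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # folder searched recursively for *.rdg files
    )

    # XPath 1.0 has no lower-case(); translate() gives a case-insensitive name match
    $xpath = "//*[translate(local-name(),'PASWORD','pasword')='password' and normalize-space(.)!='']"

    Get-ChildItem -Path $Path -Filter *.rdg -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $doc = New-Object System.Xml.XmlDocument
                $doc.XmlResolver = $null          # do not resolve external entities or DTDs
                $doc.Load($file.FullName)
            } catch {
                Write-Warning "Skipping unparsable file: $($file.FullName)"
                return                            # continue with the next file
            }
            foreach ($node in $doc.SelectNodes($xpath)) {
                $owner = $node.ParentNode
                $user  = $owner.ChildNodes |
                    Where-Object { $_.LocalName -ieq 'userName' } |
                    Select-Object -First 1
                # Report where the secret lives, never the secret itself
                [pscustomobject]@{
                    File         = $file.FullName
                    Container    = $owner.LocalName      # e.g. logonCredentials
                    UserName     = if ($user) { $user.InnerText } else { '' }
                    BlobLength   = $node.InnerText.Trim().Length
                    LastModified = $file.LastWriteTime
                }
            }
        }
}

# Example run over the current user's profile
Find-RdgStoredPassword -Path $env:USERPROFILE | Format-Table -AutoSize
```

Each row is a credential that should be cleared from the file or moved to a managed store.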
Comments
-
pkExec 8 months
Is there a way to decrypt a password stored in an .rdg (Remote Desktop Connection Manager) file, providing you know the username and password of the user who created it?
I know that the password is encrypted based on the user who created it. The user is a domain user, and I am trying to use the .rdg file at home (domain unavailable). Can I "simulate" being the domain user, since I know the username+password? Remember, network access to the domain is unavailable. Physical access to the original machine is also unavailable.
I have tried this method, but (unsurprisingly) I get
"Exception calling DecryptString with 2 argument(s): Failed to decrypt using XXXX credential"
(XXX is my current home login.)
-
pkExec almost 7 years
You are probably confusing RDP files with RDG. They are different.
-
fixer1234 over 6 years
External links can break or be unavailable, in which case your answer would not be useful. Please include the essential information within your answer and use the link for attribution and further reading. Thanks.
-
pkExec about 6 years
I love how you post the same link as I posted in my original question, saying it doesn't work (since there is no network access to the domain)
-
G-Man Says 'Reinstate Monica' over 3 years
The above link is broken. There is what appears to be a similar program here.
-
jpaugh about 3 years
@pkExec This method worked for me. I'm guessing there's another way to solve the domain issue. (You probably need access to the domain user account which encrypted the password, and it might mean you need to reconnect to the domain.)