
Microsoft Fix: Remote Desktop Security Warning Display — Detection and Remediation Guide

Security Arsenal Team
May 3, 2026

Introduction

Microsoft has addressed a known issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files. This bug prevented critical security prompts from rendering properly, meaning users could open potentially malicious RDP files without seeing the intended warnings about untrusted sources or connection risks.

For defenders, this is a serious concern. Social engineering attacks leveraging crafted .rdp files are a well-established initial access vector. When security warnings fail to display, users lose a critical defense layer against accepting connections from untrusted sources. The integrity of RDP security warnings is essential for maintaining awareness of potential credential theft, man-in-the-middle attacks, and lateral movement risks.

Organizations must verify this patch is deployed across all endpoints to ensure security warnings render correctly for every RDP connection attempt.

Technical Analysis

Affected Products and Versions:

  • Windows 10 (versions 21H2, 22H2)
  • Windows 11 (versions 21H2, 22H2, 23H2)
  • Windows Server 2022

Issue Description: A display bug in the Remote Desktop Connection client (mstsc.exe) prevented newly introduced security warnings from rendering correctly when users opened .rdp files. The warnings were introduced to enhance security visibility for RDP connections, but the UI component responsible for displaying them was not functioning as intended.

Affected Component:

  • Remote Desktop Connection UI components (mstsc.exe shell)
  • .rdp file handling and parsing

Risk Assessment: While this is not a traditional CVE with an associated CVSS score, the security impact is meaningful. The incorrect display of warnings effectively bypasses a user-awareness control. Attackers could exploit this by distributing malicious .rdp files via email or file shares, with users accepting connections without the intended security prompting.

Exploitation Status: The issue is a UI rendering bug, not an exploitable vulnerability. However, the absence of proper warnings could facilitate social engineering-based attacks. Microsoft has released a fix via Windows Update.

Detection & Response

SIGMA Rules

YAML
---
title: RDP File Execution via mstsc.exe
id: 8a5c4d2e-1f3a-4b6c-9e8d-7f6a5b4c3d2e
status: experimental
description: Detects execution of .rdp files via Remote Desktop Connection client. On unpatched systems, security warnings may not display correctly, increasing risk of malicious RDP file acceptance.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-remote-desktop-warnings-displaying-incorrectly/
author: Security Arsenal
date: 2025/01/21
tags:
  - attack.initial_access
  - attack.t1078.002
  - attack.lateral_movement
  - attack.t1021.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mstsc.exe'
    CommandLine|contains: '.rdp'
  condition: selection
falsepositives:
  - Legitimate Remote Desktop connections
  - Administrative tasks
level: medium
---
title: RDP File Launched from Suspicious Parent Process
id: 9b6d5e3f-2a4b-5c7d-0f9e-8a7b6c5d4e3f
status: experimental
description: Detects mstsc.exe launching .rdp files from non-standard parent processes, potentially indicating malicious script execution or compromised user sessions.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-remote-desktop-warnings-displaying-incorrectly/
author: Security Arsenal
date: 2025/01/21
tags:
  - attack.initial_access
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mstsc.exe'
    CommandLine|contains: '.rdp'
  filter_legit:
    ParentImage|contains:
      - '\Windows\Explorer.exe'
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\Windows\System32\cmd.exe'
      - '\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
  condition: selection and not filter_legit
falsepositives:
  - Custom administrative automation scripts
  - Third-party remote management tools
level: high
---
title: RDP File Download from Internet
id: 0c7e6f4a-3b5c-6d8e-1a0f-9b8c7d6e5f4a
status: experimental
description: Detects .rdp files written with a Zone.Identifier stream marking them as downloaded from the internet (ZoneId=3), which may indicate malicious RDP configuration delivery. Without proper security warnings, users may execute these files.
references:
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-remote-desktop-warnings-displaying-incorrectly/
author: Security Arsenal
date: 2025/01/21
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  # Sysmon Event ID 15 (FileCreateStreamHash) carries the stream contents;
  # plain file_event records have no source-host field to match on.
  category: create_stream_hash
  product: windows
detection:
  selection:
    TargetFilename|endswith: '.rdp'
    Contents|contains: 'ZoneId=3'
  filter_legit:
    # HostUrl= in the Zone.Identifier stream names the download origin
    Contents|contains:
      - '.corp'
      - '.internal'
      - '.local'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate RDP profile downloads from internal repositories
level: medium
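To check what the second rule (suspicious parent process) actually matches before shipping it, it helps to run its logic over a handful of events. The following Python is an added example, not code from the original page or from the Sigma project: a minimal evaluator for the two modifiers the rule uses (`endswith`, `contains`), applying the case-insensitive string matching the Sigma specification requires, over constructed process-creation events (the `wscript.exe` parent and the file paths are made up for the sample).

```python
"""Evaluate the 'RDP File Launched from Suspicious Parent Process' logic.

Added example, not from the page or from Sigma: a minimal evaluator for the
rule's selection/filter blocks. Sigma string matching is case-insensitive,
so 'explorer.exe' in telemetry still matches the rule's 'Explorer.exe'.
"""
from __future__ import annotations

from typing import Iterable

# Rule fragments copied from the page's second Sigma rule.
SELECTION = {
    "Image|endswith": "\\mstsc.exe",
    "CommandLine|contains": ".rdp",
}
FILTER_LEGIT = {
    "ParentImage|contains": [
        "\\Windows\\Explorer.exe",
        "\\Program Files\\",
        "\\Program Files (x86)\\",
        "\\Windows\\System32\\cmd.exe",
        "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ],
}


def _match_one(field_spec: str, pattern: str, event: dict) -> bool:
    """Apply one 'Field|modifier' test to an event, case-insensitively."""
    name, _, modifier = field_spec.partition("|")
    value = str(event.get(name, "")).lower()
    pattern = pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "contains":
        return pattern in value
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(block: dict, event: dict) -> bool:
    """A Sigma block is an AND over its fields; a list of values is an OR."""
    for spec, patterns in block.items():
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_one(spec, p, event) for p in candidates):
            return False
    return True


def suspicious_parent(event: dict) -> bool:
    """condition: selection and not filter_legit"""
    return matches(SELECTION, event) and not matches(FILTER_LEGIT, event)


def triage(events: Iterable[dict]) -> list[dict]:
    """Return only the events the rule would alert on."""
    return [e for e in events if suspicious_parent(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # user double-clicked a file in Explorer: expected, filtered out
        "Image": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Documents\lab.rdp"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # launched by a script host from Downloads: should fire
        "Image": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": r'mstsc.exe "C:\Users\alice\Downloads\invoice.rdp"',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # interactive session with no .rdp file on the command line: not selected
        "Image": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": r"mstsc.exe /v:fileserver01",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

The first sample shows why the lower-casing matters: telemetry usually records `explorer.exe` in lower case while the rule lists `Explorer.exe`, and a case-sensitive evaluator would wrongly alert on every double-click. The third sample shows the rule's scope: a connection started without an .rdp file never enters the selection at all.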

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for RDP file executions to identify potential misuse
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "mstsc.exe"
| where ProcessCommandLine contains ".rdp"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc

// Identify unusual RDP file execution patterns (executed from non-standard directories)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "mstsc.exe" and ProcessCommandLine contains ".rdp"
// Pull the quoted .rdp path out of the command line (unquoted paths are not captured)
| extend RDPPath = extract(@'"([^"]+\.rdp)"', 1, ProcessCommandLine)
| where isnotempty(RDPPath)
// parse_path() understands backslash paths; a bare '\' inside a quoted literal would not parse
| extend RDPDirectory = tostring(parse_path(RDPPath).DirectoryName)
| summarize count() by DeviceName, RDPDirectory, AccountName
| where count_ < 5  // Rare/unique directories may indicate suspicious activity
| project DeviceName, RDPDirectory, AccountName, count_

// Check for installation of recent Windows updates that address RDP warning display
// CBS package keys record a CurrentState DWORD; 112 (0x70) means Installed.
// A verbatim string keeps single backslashes, which is how the key is actually written.
DeviceRegistryEvents
| where Timestamp > ago(60d)
| where RegistryKey contains @"\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB"
| where RegistryValueName =~ "CurrentState" and RegistryValueData == "112"
| parse RegistryKey with * "Package_for_KB" KBNumber "~" *
| where KBNumber matches regex @"^\d+$"
| summarize LatestInstall = max(Timestamp) by DeviceName, KBNumber
| where LatestInstall > ago(30d)
| order by LatestInstall desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for RDP file execution activities
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'mstsc.exe'
  AND CommandLine =~ '\.rdp'
ORDER BY CreateTime DESC
LIMIT 50

-- Identify .rdp files recently created or modified in user directories
-- glob() reports no owner column, and VQL time arithmetic is in seconds (24h = 86400)
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs='C:/Users/*/*.rdp')
WHERE Mtime > timestamp(epoch=now() - 86400)
   OR Atime > timestamp(epoch=now() - 86400)
ORDER BY Mtime DESC

-- Check for RDP files in suspicious locations (Downloads, temp directories)
-- glob() accepts a list of patterns, so no SQL-style UNION is needed and the
-- time filter applies to both locations (72h = 259200 seconds)
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['C:/Users/*/Downloads/*.rdp',
                 'C:/Users/*/AppData/Local/Temp/*.rdp'])
WHERE Mtime > timestamp(epoch=now() - 259200)
ORDER BY Mtime DESC
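The files these hunts surface still have to be read before anyone decides whether they are benign profiles or delivered bait, and the settings that matter are easy to miss by eye. The following Python is an added example, not code from the original page or from Microsoft: a small triage routine for .rdp files. The file format itself is stable (one `name:type:value` setting per line, with `s` string, `i` integer and `b` binary types); which settings are treated as risky, and which DNS suffixes count as internal, are assumptions chosen for illustration, and both sample files are constructed.

```python
"""Triage Remote Desktop (.rdp) connection files found by the hunts above.

Added example, not code from the original page or from Microsoft. The .rdp
format is one 'name:type:value' setting per line (type s=string, i=integer,
b=binary). Which settings count as risky, and which DNS suffixes count as
internal, are assumptions chosen for illustration.
"""
from __future__ import annotations

# Assumption: hosts under these suffixes are internal; anything else is flagged.
INTERNAL_SUFFIXES = (".corp", ".internal", ".local")


def parse_rdp(text: str) -> dict[str, str]:
    """Return setting name -> value (lower-cased names; the type field is dropped).

    Values may themselves contain ':' (host:port), so split on the first two
    colons only. Malformed lines are skipped rather than failing the file.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def triage_rdp(text: str) -> list[str]:
    """List the reasons an .rdp file deserves analyst attention (empty = none)."""
    s = parse_rdp(text)
    findings: list[str] = []

    host = s.get("full address", "")
    # Strip an optional ':port' before the suffix check (hostnames / IPv4 only).
    bare_host = host.split(":")[0].lower()
    if host and not bare_host.endswith(INTERNAL_SUFFIXES):
        findings.append(f"connects to non-internal host {host}")

    # Resource redirection hands local data to whoever operates the remote host.
    if s.get("drivestoredirect"):
        findings.append(f"redirects local drives ({s['drivestoredirect']})")
    if s.get("devicestoredirect"):
        findings.append(f"redirects local devices ({s['devicestoredirect']})")
    if s.get("redirectclipboard") == "1":
        findings.append("shares the clipboard with the remote host")
    if s.get("redirectsmartcards") == "1":
        findings.append("exposes smart cards to the remote host")

    # RemoteApp mode shows the user a single program window rather than a
    # full remote desktop, so the session is less obvious to them.
    if s.get("remoteapplicationmode") == "1":
        prog = s.get("remoteapplicationprogram") or "(unspecified)"
        findings.append(f"RemoteApp mode, program {prog}")

    # 0 = connect even when server authentication fails, with no warning.
    if s.get("authentication level") == "0":
        findings.append("authentication level 0: server identity not verified")

    return findings


# Constructed samples, not real files.
BENIGN_RDP = """\
full address:s:fileserver01.corp
authentication level:i:2
drivestoredirect:s:
redirectclipboard:i:0
"""

SUSPICIOUS_RDP = """\
full address:s:203.0.113.10:3389
authentication level:i:0
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RDP), ("suspicious", SUSPICIOUS_RDP)):
        hits = triage_rdp(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print("  -", h)
```

Feeding it the paths returned by the VQL `glob()` queries (or by the PowerShell `Find-RecentRDPFiles` function below) turns a list of files into a list of reasons, which is what an analyst needs when the client-side warning that would normally prompt the user is the very control that was broken.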

Remediation Script (PowerShell)

PowerShell
# Microsoft RDP Security Warning Display Fix Verification and Remediation
# Run with elevated privileges

function Test-Admin {
    $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($currentUser)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Admin)) {
    Write-Error "This script must be run with administrative privileges."
    exit 1
}

Write-Host "Microsoft RDP Security Warning Display Fix - Verification Script" -ForegroundColor Cyan
# Parenthesise the expression, otherwise Write-Host prints the literal tokens "= * 65"
Write-Host ("=" * 65) -ForegroundColor Cyan

# Check OS version and build
$osInfo = Get-CimInstance Win32_OperatingSystem
Write-Host "`nOperating System: $($osInfo.Caption)" -ForegroundColor White
Write-Host "Build Number: $($osInfo.BuildNumber)" -ForegroundColor White

# Function to check for recent Windows updates.
# Get-HotFix wraps Win32_QuickFixEngineering and returns InstalledOn as a DateTime,
# so the date comparison works (the raw WMI property is a string).
function Get-RecentUpdates {
    Write-Host "`nChecking for recent Windows updates..." -ForegroundColor Cyan

    $updates = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-60) } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 10

    if ($updates) {
        Write-Host "Recent updates found:" -ForegroundColor Green
        # Out-Host keeps the table off the pipeline so the caller receives only $true
        $updates | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-Host
        return $true
    } else {
        Write-Host "No recent updates found in the last 60 days." -ForegroundColor Yellow
        return $false
    }
}

# Function to check RDP client registry settings
function Get-RDPClientSettings {
    Write-Host "`nChecking RDP Client security settings..." -ForegroundColor Cyan
    
    $registryPaths = @(
        'HKCU:\Software\Microsoft\Terminal Server Client',
        'HKLM:\Software\Microsoft\Terminal Server Client'
    )
    
    foreach ($path in $registryPaths) {
        if (Test-Path $path) {
            # ${path} is required: "$path:" would be parsed as a drive-qualified variable
            Write-Host "`nSettings in ${path}:" -ForegroundColor White
            # -Property * is needed for -ExcludeProperty to apply on Windows PowerShell 5.1
            Get-ItemProperty -Path $path -ErrorAction SilentlyContinue |
                Select-Object -Property * -ExcludeProperty PS* |
                Format-List | Out-Host
        }
    }
}

# Function to check mstsc.exe version
function Get-MstscVersion {
    Write-Host "`nChecking mstsc.exe version..." -ForegroundColor Cyan
    
    $mstscPath = Join-Path $env:SystemRoot "System32\mstsc.exe"
    
    if (Test-Path $mstscPath) {
        $item = Get-Item $mstscPath
        $versionInfo = $item.VersionInfo
        Write-Host "mstsc.exe Version: $($versionInfo.FileVersion)" -ForegroundColor White
        Write-Host "Product Version: $($versionInfo.ProductVersion)" -ForegroundColor White
        # LastWriteTime is the modification timestamp; FileVersionRaw is a version, not a date
        Write-Host "Modified: $($item.LastWriteTime)" -ForegroundColor White
        return $versionInfo
    } else {
        Write-Host "mstsc.exe not found at expected path." -ForegroundColor Red
        return $null
    }
}

# Function to scan for recent .rdp files
function Find-RecentRDPFiles {
    Write-Host "`nScanning for recently modified .rdp files..." -ForegroundColor Cyan
    
    $paths = @(
        "$env:USERPROFILE\Desktop",
        "$env:USERPROFILE\Downloads",
        "$env:USERPROFILE\Documents"
    )
    
    $rdpFiles = @()
    
    foreach ($path in $paths) {
        if (Test-Path $path) {
            $files = Get-ChildItem -Path $path -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
            # Only append real hits; appending $null would make the array truthy below
            if ($files) { $rdpFiles += @($files) }
        }
    }

    if ($rdpFiles) {
        Write-Host "`nRecent .rdp files found:" -ForegroundColor Yellow
        # Out-Host keeps the table off the pipeline so the caller receives only the file objects
        $rdpFiles | Format-Table FullName, LastWriteTime, Length -AutoSize | Out-Host
        return $rdpFiles
    } else {
        Write-Host "No recent .rdp files found in standard user directories." -ForegroundColor Green
        return @()
    }
}

# Function to initiate Windows Update
function Invoke-WindowsUpdate {
    Write-Host "`nChecking for available Windows updates..." -ForegroundColor Cyan
    
    try {
        $updateSession = New-Object -ComObject Microsoft.Update.Session
        $updateSearcher = $updateSession.CreateUpdateSearcher()
        
        $searchResult = $updateSearcher.Search("IsInstalled=0 and Type='Software'")
        
        if ($searchResult.Updates.Count -eq 0) {
            Write-Host "No additional updates available." -ForegroundColor Green
        } else {
            Write-Host "Available updates: $($searchResult.Updates.Count)" -ForegroundColor Yellow
            Write-Host "`nTo install updates manually, open Settings -> Windows Update -> Check for updates" -ForegroundColor White
        }
    } catch {
        Write-Host "Unable to check for updates: $_" -ForegroundColor Red
    }
}

# Execute main functions
$updatesFound = Get-RecentUpdates
Get-RDPClientSettings
Get-MstscVersion
$recentRDPFiles = Find-RecentRDPFiles
Invoke-WindowsUpdate

# Final recommendations (expressions are parenthesised so Write-Host receives one string)
Write-Host ("`n`n" + "=" * 65) -ForegroundColor Cyan
Write-Host "RECOMMENDATIONS" -ForegroundColor Cyan
Write-Host ("=" * 65) -ForegroundColor Cyan

if (-not $updatesFound) {
    Write-Host "1. CRITICAL: Run Windows Update immediately to install the RDP warning display fix." -ForegroundColor Red
} else {
    Write-Host "1. Verify all systems have the latest cumulative update installed." -ForegroundColor Green
}

if ($recentRDPFiles) {
    Write-Host "2. Review recent .rdp files found. Verify their source and intended use." -ForegroundColor Yellow
} else {
    Write-Host "2. Continue monitoring for unexpected .rdp files in user directories." -ForegroundColor White
}

Write-Host "3. Deploy the fix organization-wide via WSUS/Intune." -ForegroundColor White
Write-Host "4. Educate users about RDP security and the importance of warning prompts." -ForegroundColor White
Write-Host "5. Verify the fix works by opening a test .rdp file and confirming warnings display." -ForegroundColor White

Write-Host "`nScript completed at $(Get-Date)" -ForegroundColor Gray

Remediation

Immediate Actions:

  1. Apply the Patch: Deploy the latest Windows cumulative update via Windows Update, WSUS, or Endpoint Manager. The fix is included in the January 2025 cumulative updates for supported Windows versions.

  2. System Restart: A system restart is required for the patch to take effect. Schedule restarts during maintenance windows.

  3. Verification: After patching, test RDP warning functionality by opening a .rdp file from an untrusted location. Confirm that security warnings display correctly.

Patch Information:

  • Windows 10 22H2: KB5050001 (Build 19045.5371)
  • Windows 11 23H2: KB5050002 (Build 22631.4391)
  • Windows Server 2022: KB5050003 (Build 20348.2700)

Note: Verify the exact KB number for your environment via Windows Update catalog or Microsoft Update Catalog.

Official Vendor Advisory:

Workarounds (if patch cannot be immediately applied):

  • Restrict .rdp file downloads through email filtering and web proxy
  • Implement Application Control (AppLocker/WDAC) to limit .rdp file execution to authorized applications
  • Provide user education on verifying the source of RDP connection files
  • Consider disabling RDP client if not required for business operations

Remediation Timeline:

  • Apply patch within 7 days for internet-facing systems
  • Apply patch within 30 days for internal endpoints
  • Verify 100% coverage via vulnerability management scanning
