MSTSC as a Shell

Justin CollinsIT Manager
This article is written for administrators wanting to transform PC's into Fat Clients for use with Remote Desktop Services (aka Terminal Services).  It creates a seamless transition from the client desktop to Remote Desktop window.  It works on XP, Vista, and Windows 7.  

How it works
The user logs in to the PC, the MSTSC shell opens (instead of Explorer), and it automatically logs the user in using the "Allow Default Credentials" GPO to pass through local credentials.  When the user closes the Terminal Services window, the computer will automatically log off the user and return to the logon screen.

Step 1:  This creates a batch file that starts MSTSC and waits until its closed and  automatically logs out the user.
In C:\Program Files create a batch file called mstsc.bat with the following:
c:\Program Files\system32\mstsc.exe /v RDPServerName

Open in new window

Step 2:  This step is a VBS script that runs the previous batch file invisibly.  You don't have to run it invisibly, but I like it because then the user can't close the batch file and leave the computer with a blank screen.
In C:\windows\system32 create a file called invisible.vbs with the following
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

Open in new window

Step 3:  Allow Default Credentials GPO
See the following articles:
Windows XP: Must have SP3   
Windows Vista and Windows 7

Step 4:  This sets the shell to the batch file and runs it invisibly:
Open Regedit, navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
and change "Shell" from explorer.exe to
wscript.exe C:\windows\system32\invisible.vbs C:\windows\system32\mstsc.bat

If you want to work on the PC, minimize the TS window, and just press CTRL+ALT+DEL, Task Manager, Start new process, and run explorer.exe.  That will bring up an Explorer window.

Silent/Automatic/Command Line Install:  Use the following in a batch file to run all of the above in one quick step.  This script also creates an MSTSCUninstall.bat to remove settings and files.
@echo off
                      echo wscript.exe "%WinDir%\system32\invisible.vbs" "%WinDir%\system32\mstsc.bat" > "%WinDir%\system32\invisible.vbs"
                        echo "%WinDir%\mstsc.exe" /v yourservername
                        echo logoff
                      ) > "%WinDir%\system32\mstsc.bat"
                      set LMSw=HKEY_LOCAL_MACHINE\SOFTWARE
                      reg add "%LMSw%\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t reg_sz /d "wscript.exe ^"%WinDir%\system32\invisible.vbs^" ^"%WinDir%\system32\mstsc.bat^"" /f
                      reg add "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowDefaultCredentials /t reg_dword /d 1 /f
                      reg add "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation" /v ConcatenateDefaults_AllowDefault /t reg_dword /d 1 /f
                      reg add "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials" /v 1 /t reg_sz /d "TERMSRV/" /f
                      reg add "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials" /v 2 /t reg_sz /d "TERMSRV/yourservername" /f
                      REM:  This generatess the uninstall script:
                        echo del "%WinDir%\system32\mstsc.bat"
                        echo del "%WinDir%\system32\invisible.vbs"
                        echo reg add "%LMSw%\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t reg_sz /d explorer.exe /f
                        echo reg del "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowDefaultCredentials /t reg_dword /d 1 /f
                        echo reg del "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation" /v ConcatenateDefaults_AllowDefault /t reg_dword /d 1 /f
                        echo reg del "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials" /v 1 /t reg_sz /d "TERMSRV/" /f
                        echo reg del "%LMSw%\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials" /v 2 /t reg_sz /d "TERMSRV/yourservername" /f
                        echo del "%WinDir%\system32\MSTSCUninstall.bat"
                      ) > "%WinDir%\system32\MSTSCUninstall.bat"

Open in new window

To undo the shell replacement: minimize the TS window, and just hit CTRL+ALT+DEL, click Task Manager.  In Task Manager, click on File, New Process, and type in C:\Windows\System32 and run MSTSCUninstall.bat.  Or you could run regedit instead and change the registry key shown above back to explorer.exe.
Justin CollinsIT Manager

Comments (20)

Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

The /v is not related to anything else than to provide the remote computer name to connect to. It overrides the one stored in the RDP file.
@Qlemo yea but if I load the rdp file for some reason using the logoff command just logs the user off the local computer before they can even go into the rdp.

Just right now i am hitting an issue where the command start /wait %windir%\system32\mstsc.exe c:\mstsc\rdp.rdp works but when they logoff their session there is just a black screen. the other command with the goto it keeps relaunching the rdp file. So continuous loop of the application just pops up. If there is a way to either log them off the local computer when the session is over or launch the application again if they log off. Just so close but cant reach it.
I did have to add another layer in to mine to get it to work. These were copied from an email I sent to a coworker explaining how I got it to work... done on terminal server would have been cool but I can’t figure out a way to use this without it affecting every computer. done to force the autologon to keep happening when RDP is closed or logged out of and the script finishes and logs out the local session DONE ON TERMINAL SERVER. Lets the logon screen from remote sessions set idle for 999 seconds. This will keep the room machine from starting, logging in to windows, using mstsc as a shell, not being logged in quick enough, closing, logging in to windows and on and on and on…… the bread and butter.

So basically when you fire it up it sets there with the RDP login window. 999 seconds later it will give up and close but then the machine logs off due to the script. Then policy kicks in and says to force it to log back in and then it sets for another 999 seconds waiting for someone to need to log on.
@hdh-informationsystesm this was the closes thing I thought would work for me done to force the autologon to keep happening when RDP is closed or logged out of and the script finishes and logs out the local session

But it is not what I want. Cause I want it to auto log off when they close the remote desktop connection.

I have it where the computer auto login and launch the mstsc with the rdp file. they connect to the remote desktop. once they done they will logoff of the remote desktop and then i want the local computer to automatically log off. or run the instance of the mstsc with the rpd file again.
so having it like this where it loads no rdp file it works. it launch the mstsc.exe and you have to input all the settings manually. and you login and then when you logoff the session it logoff the local computer. then initiating the autologin and back to the mstsc.exe.

start /wait %windir%\system32\mstsc.exe 

Open in new window

But when I load an rdp file to this to save time and add in extra settings to the mstsc.exe it just logoff right away when it logs in to the local machine.

start /wait %windir%\system32\mstsc.exe c:\mstsc\rdp.rdp

Open in new window

It would worked perfectly if it was able to load a rdp file and be able to stay on until logging off the remote desktop.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.