Difference between revisions of "Remote Desktop shadowing"

 
(One intermediate revision by the same user not shown)
Line 84: Line 84:
  
 
=Tool=
 
=Tool=
c
+
[[File:RDS.png|thumb|right]]
 +
A tool is available that gives you the ability to easily shadow a session, look up session ID's, and setup/configure shadowing.<br>
 +
You can learn more about this by visiting the article [[Remote Desktop Shadow (Tool)]].
 +
 
 
=Other=
 
=Other=
 
===Trivia===
 
===Trivia===
 
* Shadowing will display all screens of the shadowed session and will scale them to fit into one window, there is no feature to select only specific screens.
 
* Shadowing will display all screens of the shadowed session and will scale them to fit into one window, there is no feature to select only specific screens.
 
* Even though some editions of Windows don't officially support being a Remote Desktop host, manually setting this up through this article (or tool) will make this feature work.
 
* Even though some editions of Windows don't officially support being a Remote Desktop host, manually setting this up through this article (or tool) will make this feature work.
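Review bot: the added sentence under =Tool= writes "session ID's" with a possessive apostrophe and uses the noun "setup" as a verb; suggest "session IDs" and "set up/configure". The added [[File:RDS.png|thumb|right]] also has no caption, so the thumbnail gives readers no indication of what it shows; a caption can be added after a further pipe. The trailing <br> between the two added sentences is only needed if they must stay on separate lines.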

Latest revision as of 19:27, 17 September 2021

Shadowing is a feature that gives you the ability to watch or control ('shadow') an active session. This does not replace the session and will not disconnect the original session.
This feature works on all active sessions including the 'console session', which means you can also use it to take over the screen of a normal desktop computer.

A session can only be shadowed by using, or authenticating with, an account that has shadow rights; you do not necessarily need the credentials of the shadowed session's account.
By default all Administrators have this permission. For more information regarding permissions within Remote Desktop, please refer to the Remote Desktop permissions article.

Setup

Manually

Follow these steps to manually configure your computer. Each step offers multiple options.

  1. Enable Remote Desktop.
    • Go to "System > Remote Access/Settings", or search for this in the Start Menu, or run "systempropertiesremote.exe".
    Select "Allow remote connections to this computer".
    NOTE: Lower editions of Windows do not have this feature, skip to the second option.
    • Or, edit the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
  2. Grant users or groups permission.
    • Go to "System > Remote Access/Settings", or search for this in the Start Menu, or run "systempropertiesremote.exe".
    Enter "Select Users", and add a user or group.
    NOTE: Lower editions of Windows do not have this feature, skip to the third option.
    • Or, go to "Computer Management > Local Users and Groups" and make a user or group member of "Remote Desktop Users".
    NOTE: Lower editions of Windows do not have this feature, skip to the third option.
    • Or, execute this command as an administrator:
    net localgroup "Remote Desktop Users" <username> /add
    If the group does not exist, create it first with the command:
    net localgroup "Remote Desktop Users" /add
  3. Configure the firewall to allow Remote Desktop traffic.
    NOTE: This step is done automatically if you used the first option of step 1.
    • Go to "Windows Defender Firewall > Advanced Settings".
    Create an Inbound Rule, choose Program, and allow "%SystemRoot%\System32\RdpSa.exe".
    Create an Inbound Rule, choose Port, and allow TCP port 445.
    • Or, execute these commands as an administrator:
    netsh advfirewall firewall add rule name="RDS" dir=in action=allow protocol=TCP program="%SystemRoot%\System32\RdpSa.exe"
    netsh advfirewall firewall add rule name="RDS" dir=in action=allow protocol=TCP localport=445 program=System
  4. Configure shadow mode level.
    NOTE: By default the level is set to 1.
    • Open "Local Group Policy Editor" (gpedit.msc), go to "Computer Configuration > Administrative Templates > Windows components > Remote Desktop Services > Remote Session Host > Connections".
    Open "Set rules for remote control of Remote Desktop Services user session".
    Enable this policy, and set it to the level you would like to use.
    • Or, edit the following registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
    "Shadow"=dword:00000001
    0  Disable
    1  Full control, require consent
    2  Full control, consent optional
    3  View only, require consent
    4  View only, consent optional
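
A read-only check of the four settings from steps 1 to 4, for confirming what a computer currently allows. This is an added example, not part of the original article; the helper name `Get-RegistryDword` and the output property names are chosen here, and the fallback to level 1 follows the default stated in step 4.

```powershell
# Added example: read-only audit of the settings configured in steps 1-4.
# Run from an elevated PowerShell prompt on the computer being checked.

# Meaning of the "Shadow" value, as listed in step 4.
$ShadowLevels = @{
    0 = 'Disable'
    1 = 'Full control, require consent'
    2 = 'Full control, consent optional'
    3 = 'View only, require consent'
    4 = 'View only, consent optional'
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Step 1: 0 means Remote Desktop connections are allowed.
$deny = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'

# Step 4: the article states the level is 1 when nothing is configured (assumed here).
$shadow = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'Shadow'
if ($null -eq $shadow) { $shadow = 1 }

# Step 2: accounts that were added to "Remote Desktop Users".
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)

# Step 3: enabled inbound allow rules for RdpSa.exe or TCP port 445.
# Port ranges are not expanded; only an explicit 445 entry is matched.
$rules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $app  = ($_ | Get-NetFirewallApplicationFilter).Program
    $port = $_ | Get-NetFirewallPortFilter
    $app -like '*\RdpSa.exe' -or ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains '445')
} | Select-Object -ExpandProperty DisplayName)

[pscustomobject]@{
    RemoteDesktopEnabled = ($deny -eq 0)
    ShadowLevel          = "$shadow ($($ShadowLevels[[int]$shadow]))"
    ConsentOptional      = ($shadow -in 2, 4)   # no yes/no dialog is required at these levels
    RemoteDesktopUsers   = $members -join ', '
    InboundAllowRules    = $rules -join ', '
}
```

`ConsentOptional` being true together with a non-empty `InboundAllowRules` means the session can be watched or controlled without the user seeing a consent dialog, so those computers are the ones to review first.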

Tool

Using the Remote Desktop Shadow tool, you can click on the Setup button (requires Administrator rights) to easily configure your computer to be shadowed.

Usage

For example:
mstsc.exe /v:10.0.0.1 /shadow:1 /control /prompt /noConsentPrompt

/v

Enter the hostname or IP address of the remote computer.

/shadow

Enter the ID of the session on the remote computer that you want to shadow.
Usually the ID of the first user to log in will be 1; however, this number might increase on every login or restart.
There are multiple ways to check a session ID:

  • Open the Task Manager and go to Users, right-click on the header to show the Session-column.
  • Use the command "quser.exe (/SERVER:10.0.0.1)"

/control

Use this if you want to not only view the session, but also control it with your mouse and keyboard.

/prompt

Show a form before connecting to manually enter the credentials you want to use to authenticate on the remote computer.
When this parameter is not used it will try to use your current credentials to authenticate, or credentials that are saved in the Credential Manager for this specific remote computer.
The credentials do not necessarily need to be those of the shadowed session's account; any account that has permission to shadow can be used to authenticate.

/noConsentPrompt

Shadow the session without requesting the session to accept first (so it will not show a yes/no dialog).
This only works if the remote computer has been configured to accept non-consensual shadowing.
If the remote computer has been configured this way but this argument is not used, the consent dialog will still be shown.

Tool

A tool is available that gives you the ability to easily shadow a session, look up session IDs, and set up/configure shadowing.
You can learn more about this by visiting the article Remote Desktop Shadow (Tool).

Other

Trivia

  • Shadowing will display all screens of the shadowed session and will scale them to fit into one window; there is no feature to select only specific screens.
  • Even though some editions of Windows don't officially support being a Remote Desktop host, manually setting this up through this article (or tool) will make this feature work.