Listen to this Post

Introduction:
Windows Remote Desktop Protocol (RDP) includes a performance optimization called the Bitmap Cache, which stores visual fragments of the remote session to speed up reconnections. However, this cache persists on disk without encryption or privilege restrictions, allowing any user or malware to extract hundreds of image fragments and stitch them back into readable screenshots—exposing passwords, configuration files, and sensitive data.
Learning Objectives:
- Understand how the RDP Bitmap Cache works and why it poses a post‑exploitation privacy risk.
- Learn to extract and reconstruct cached fragments using free, open‑source tools on both Windows and Linux.
- Implement defensive measures to disable, clear, or monitor the RDP cache and harden remote desktop environments.
You Should Know:
1. Understanding the RDP Bitmap Cache Vulnerability
The RDP Bitmap Cache is a feature dating back to early Windows versions. It stores tiny rectangular tiles (typically 64×64 pixels) of the remote display in a set of `.bmc` files. When an attacker gains user‑level access—no admin rights required—they can copy these cache files from `%userprofile%\AppData\Local\Microsoft\Terminal Server Client\Cache` and use free tools to reassemble the tiles into full screenshots of the remote session.
Step‑by‑step guide explaining what this does and how to use it (attacker perspective):
- Locate the cache files on a compromised Windows machine:
dir %userprofile%\AppData\Local\Microsoft\Terminal Server Client\Cache.bmc
- Copy all `.bmc` files to an analysis workstation (Windows or Linux).
- Use `bmc-tools` (available on GitHub) to reconstruct images:
git clone https://github.com/ANSSI-FR/bmc-tools cd bmc-tools python3 bmc-tools.py -s /path/to/cache/files -d ./output -v
- The tool outputs PNG files showing tiled screenshots. With enough fragments, entire logins, RDP sessions, and file Explorer views become visible.
-
Extracting and Stitching RDP Cache Fragments (Defender Forensics)
Defenders can use the same techniques to audit what an attacker might recover. Understanding the extraction process helps prioritize cache cleanup. Below is a Linux‑based workflow for stitching fragments.
Step‑by‑step guide:
- Transfer cache files from Windows to Linux via `scp` or a USB drive.
2. Install Python dependencies:
sudo apt install python3-pip pip3 install pillow
3. Download and run bmc‑tools:
git clone https://github.com/ANSSI-FR/bmc-tools cd bmc-tools python3 bmc-tools.py -s ./cache_folder -d ./reconstructed -l 2
– `-s` source folder, `-d` destination, `-l` logging level
4. Review generated PNGs. If partial text is visible, an attacker could stitch multiple fragments manually using image editing tools.
- Defensive Mitigation: Disabling RDP Bitmap Cache via Group Policy
The most effective defense is to disable bitmap caching entirely. This can be done locally or across a domain, and it does not impact core RDP functionality—only performance on slow links.
Step‑by‑step guide:
- Open Local Group Policy Editor (
gpedit.msc) on Windows Pro/Enterprise. - Navigate to: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections
- Locate “Turn off Bitmap Caching” and set it to Enabled.
- Apply with `gpupdate /force` from an admin command prompt.
5. Verify that the registry key is set:
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v DisableBitmapCaching
Expected output: `DisableBitmapCaching REG_DWORD 0x1`
For standalone machines without Group Policy, set the registry directly:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v DisableBitmapCaching /t REG_DWORD /d 1 /f
4. Clearing Existing Cache and Automating Cleanup
Even after disabling future caching, existing `.bmc` files remain on disk. A periodic cleanup script removes these artifacts and reduces the forensic exposure window.
Step‑by‑step guide for a PowerShell cleanup script:
1. Open PowerShell ISE as administrator.
2. Create the script:
$cachePath = "$env:USERPROFILE\AppData\Local\Microsoft\Terminal Server Client\Cache"
if (Test-Path $cachePath) {
Remove-Item "$cachePath.bmc" -Force
Write-Host "RDP cache cleared for user $env:USERNAME" -ForegroundColor Green
} else {
Write-Host "No cache folder found." -ForegroundColor Yellow
}
3. Schedule it using Task Scheduler to run daily or after each logoff.
4. For system‑wide cleanup (all users), loop through C:\Users\\AppData\Local\Microsoft\Terminal Server Client\Cache.
5. Hardening RDP Beyond Cache Controls
Cache extraction is often a post‑exploitation activity. To reduce the risk, implement additional RDP hardening measures that limit attacker access.
Step‑by‑step guide:
- Enable Network Level Authentication (NLA) – forces authentication before a full RDP session is established, reducing cache creation for unauthorized attempts.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
- Require TLS 1.2 encryption (set Security Layer to SSL/TLS in Group Policy).
- Use a VPN or RDP Gateway instead of exposing RDP directly to the internet.
- Limit RDP users via the “Remote Desktop Users” group and remove local admin rights for standard users.
- Monitor RDP logon events (Event ID 4624 with Logon Type 10) and cache file access using Sysmon:
<!-- Sysmon config to monitor .bmc reads --> <RuleGroup name="RDP Cache Access" groupRelation="or"> <FileCreateOnWrite onmatch="include" targetFilename=".bmc"/> </RuleGroup>
-
Windows vs. Linux RDP Clients – Complementary Risks
On Linux, popular RDP clients like Remmina, FreeRDP, and xfreerdp also implement bitmap caching but store cache in different locations. A Linux client connecting to a Windows host does not leave cache fragments on the Windows machine, but the Linux side retains its own cache. Both endpoints must be managed.
Step‑by‑step guide to clear cache on common Linux RDP clients:
- Remmina (default cache): `rm -rf ~/.local/share/remmina/cache/`
– FreeRDP (if using `/cache` option): `rm -rf ~/.cache/freerdp/`
– xfreerdp with bitmap cache: add `/cache:state:no` to the connection string to disable caching entirely.
- Forensic Detection: How to Find Evidence of Cache Reconstruction
If you suspect an attacker has already extracted RDP cache files, look for anomalies such as batch reads of `.bmc` files or the presence of image stitching tools.
Step‑by‑step guide using Windows built‑in tools:
- Search for recent access to the Cache folder:
Get-ChildItem "$env:USERPROFILE\AppData\Local\Microsoft\Terminal Server Client\Cache" | Select-Object LastAccessTime, Name
- Use Sysmon Event ID 11 (FileCreate) to detect creation of new image files (
.png,.jpg) in user directories. - Look for execution of Python or bmc‑tools via PowerShell logs:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match "bmc-tools"} - In Linux forensics, check bash history for `git clone` or
python3 bmc-tools.py.
What Undercode Say:
- Key Takeaway 1: The RDP Bitmap Cache is a silent data leak that requires zero privileges to extract – treating it as a “performance feature” without security boundaries is a dangerous oversight.
- Key Takeaway 2: Mitigation is simple and effective: disable bitmap caching via Group Policy, clear existing files, and layer NLA + TLS to shrink the attack surface.
Analysis (approx. 10 lines): This vulnerability exemplifies how convenience features often become post‑exploitation goldmines. Unlike memory scraping or keylogging, cache extraction is low‑noise, leaves minimal forensic traces, and works even after the RDP session ends. Organizations relying on RDP for remote administration—especially those with privileged account sessions—must reassess their endpoint hygiene. The fact that free tools can reconstruct readable screenshots in minutes underscores the need for proactive hardening. Furthermore, this issue affects all supported Windows versions, and Microsoft has not flagged it as a security boundary to be patched; it is architectural. Therefore, the burden falls entirely on administrators to disable or monitor the cache. For high‑security environments, consider using alternative remote access solutions that do not implement disk‑based caching, or enforce ephemeral VDI sessions that wipe user profiles after logout.
Prediction:
As awareness of RDP bitmap cache reconstruction grows, we will likely see threat actors incorporate automated cache extraction into red team toolkits and info‑stealer malware. In response, Microsoft may eventually deprecate the bitmap cache feature or restrict access to it by requiring administrative privileges to read the cache directory. Meanwhile, compliance frameworks like CIS and DISA STIGs will update their RDP benchmarks to mandate cache disabling.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Windows – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


