If you are running a full Remote Desktop session only to run one application, you are wasting resources and time! In this article, we will connect to single programs that look as though they’re running locally on our workstation!

Remote Desktop vs RemoteApp

Remote Desktop Protocol is the technology Windows Servers (and workstations) use to provide remote administration. This involves loading an entire user session for the user, using more resources.

RemoteApp still loads a user session, but not the full desktop and all the extra programs that come with it. For example, loading an entire desktop just to launch Active Directory Users and Computers is wasteful; launching only the one tool saves server resources.

Requirements

  • Windows 10 Enterprise or higher (Pro and Home will not allow this to work)
  • RDP access to your remote machine
  • Plain-text editor like Notepad

Procedures

  1. On the remote machine, you need to edit the registry. Set the value below to 1 to allow programs that are not on the RemoteApp allow list to be started remotely:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
    "fAllowUnlistedRemotePrograms"=dword:00000001
  2. Ensure you can Remote Desktop to the computer. By default, anyone who is part of the Administrators group is allowed to connect over RDP.
  3. After making the registry change, restart the remote computer.

On the client:

  1. Open the Remote Desktop program, and enter the IP Address / DNS name into the Computer Name field. Set other options you need (such as Clipboard access).
  2. Click on the Save as… button, and save the .rdp file somewhere you can find it.
  3. Close Remote Desktop.
  4. Open the .rdp file in Notepad.
  5. At the very end of the file, add the following:
    // Remote App
    remoteapplicationmode:i:1
    RemoteApplicationName:s:TITLE TO PUT IN TASKBAR
    RemoteApplicationProgram:s:"PATH TO PROGRAM"
    DisableRemoteAppCheck:i:1
    Prompt for Credentials on Client:i:0
    Alternate Shell:s:rdpinit.exe
    
  6. Edit the all-caps sections above to match your needs. If you need to supply command line arguments, add the following line:
    RemoteApplicationCmdLine:s:ARGUMENTS GO HERE
  7. Save the file. Now you can test it.

Examples:

Launching a filetype:

// Remote App
remoteapplicationmode:i:1
RemoteApplicationName:s:Active Directory Users and Computers
RemoteApplicationProgram:s:"c:\windows\system32\dsa.msc"
DisableRemoteAppCheck:i:1
Prompt for Credentials on Client:i:0
Alternate Shell:s:rdpinit.exe

Application requiring arguments:

// Remote App
remoteapplicationmode:i:1
RemoteApplicationName:s:Computer Management
RemoteApplicationProgram:s:"%windir%\system32\fsmgmt.msc"
RemoteApplicationCmdLine:s:/computer:\\fileserver-01
DisableRemoteAppCheck:i:1
Prompt for Credentials on Client:i:0
Alternate Shell:s:rdpinit.exe
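
The check below is an added example, not part of the original article: it parses the name:type:value lines of an .rdp file and lists what the file will launch on the remote machine, so it can be reviewed before it is opened or shared. The host name in the sample is a placeholder, and treating setting names as case-insensitive is an assumption based on the mixed-case examples above.

```python
import re

# Settings the article appends, with the type letter each should carry (i = integer, s = string).
EXPECTED = {
    "remoteapplicationmode": "i", "remoteapplicationname": "s",
    "remoteapplicationprogram": "s", "remoteapplicationcmdline": "s",
    "disableremoteappcheck": "i", "prompt for credentials on client": "i",
    "alternate shell": "s",
}
LINE = re.compile(r"^([^:]+):([A-Za-z]):(.*)$")  # name:type:value

# Constructed sample: the article's second example plus a placeholder host line.
SAMPLE = r"""full address:s:rdp-host.example.internal
// Remote App
remoteapplicationmode:i:1
RemoteApplicationName:s:Computer Management
RemoteApplicationProgram:s:"%windir%\system32\fsmgmt.msc"
RemoteApplicationCmdLine:s:/computer:\\fileserver-01
Prompt for Credentials on Client:i:0
"""

def parse_rdp(text):
    """Return ({name: (type, value)}, [lines that are not name:type:value])."""
    settings, skipped = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = LINE.match(line)
        if m:  # names are lower-cased (assumption: the client ignores case)
            settings[m.group(1).strip().lower()] = (m.group(2).lower(), m.group(3))
        elif line:
            skipped.append(line)
    return settings, skipped

def review(text):
    """List what a reviewer should read before opening or sharing the file."""
    settings, skipped = parse_rdp(text)
    value = lambda name: settings.get(name, ("", ""))[1]
    findings = [f"{n}: type '{settings[n][0]}', expected '{t}'"
                for n, t in EXPECTED.items() if n in settings and settings[n][0] != t]
    program = value("remoteapplicationprogram").strip('"')
    if value("remoteapplicationmode") == "1" and not program:
        findings.append("RemoteApp mode is on but no program is set")
    if program:
        findings.append(f"launches: {program} {value('remoteapplicationcmdline')}".rstrip())
    if value("prompt for credentials on client") == "0":
        findings.append("prompt for credentials on client is 0")
    return findings + [f"not a setting: {s}" for s in skipped]

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```
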

Cautions with Remote Desktop

With many ransomware viruses and script kiddies out there, please make sure you are securing your Remote Desktop connection! Although not an exhaustive list, here are suggestions:

  • Do not allow Remote Desktop over the insecure Internet. Only allow connections after a secure connection has been made - VPN, SSH, or SSL/TLS with a Remote Desktop Gateway.
  • Do not log in as the Administrator account. This account should be disabled, or restricted to Local Logins only with Group Policy.
  • Create a user that has just enough privileges to run what is needed, and add that group/user to the Remote Desktop Users group to log in.
  • Check your firewall rules regularly. Objectives and requirements can change over time.
  • Check your list of users regularly. You need to be quick to catch users that should not be allowed onto your servers.
  • Your server will not use as many resources as running a full Remote Desktop session; however, you still need to monitor resources to make sure the server stays responsive. Always keep an out-of-band method of entry open for your administrators for the scenario that RDP fails.