Terminal Services - Exploring the Shadows


Hello folks, my name is Madhurjya and I would like to talk a bit about an interesting feature in Terminal Services known as the Terminal Services Shadow Region.

On a terminal server, whenever an application is installed, its new registry entries are first written to the HKEY_CURRENT_USER\Software registry location. At the same time, to ensure that these new entries are available to all users on the terminal server, they are propagated to another location in the registry called the shadow region:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software

So, how does the Shadow Region work?

Once the new keys are written to the shadow region, an entry called LatestRegistryKey, located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\INIFile Times, is updated. This entry is set to the number of seconds elapsed since midnight (UTC) of January 1, 1970, not counting leap seconds. This is known as epoch time or Unix time and is used by many operating systems to keep track of time. To learn more about Unix time and its significance, I suggest you refer to this link:


When a new user logs on to the terminal server, Userinit.exe reads a registry entry called LastUserIniSyncTime located in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server and compares its value with LatestRegistryKey. Both LatestRegistryKey and LastUserIniSyncTime hold their values in seconds. If LastUserIniSyncTime has a lesser value than LatestRegistryKey, the OS assumes that new software has been installed on the box and makes the new registry entries available to the current user by writing them to the HKCU\Software key.

There are instances when we might need to make certain changes for applications which are already installed on a terminal server. In these scenarios, we might need to manually add or modify the registry entries in the Shadow Region. However, manually created entries will not propagate to the current user profile unless the LatestRegistryKey entry is updated. To achieve this, we need to manually update the LatestRegistryKey entry once the required changes are made in the Shadow Region. This entry holds the value in seconds elapsed since Jan 1st 1970 and in order to propagate the changes, we need to update this entry with the number of seconds elapsed since the epoch till the current time. This will ensure that the LatestRegistryKey entry has a higher value than LastUserIniSyncTime and hence help us add the changes to the current user profile. 

There are many tools and websites which can be used to calculate UTC seconds elapsed. For example:


Here are the steps to manually propagate the shadow key to the current user profile – HKEY_CURRENT_USER\Software:

1. Create the required customized registry keys in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software

2. Create the INIFile Times key if it’s not present in the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\

3. In the INIFile Times key, create a new DWORD entry and name it LatestRegistryKey. Compute the seconds using the above link for the current date and time and set it as the value for LatestRegistryKey.

4. Log on to the terminal server as a different user and check that the new keys are present in HKCU\Software, and that’s it.
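
The following PowerShell script is an added example, not code from the original post. It performs steps 2 and 3 and reports the comparison made at logon; the `-Propagate` switch and the `Get-EpochValue` helper are hypothetical names, and the LastUserIniSyncTime it reads belongs to the account running the script.

```powershell
# Added example, not from the original post. Run elevated on the terminal server.
# Registry paths and value names are the ones given in the post.
param([switch]$Propagate)   # hypothetical switch: without it the script only reports

$install  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install'
$iniTimes = Join-Path $install 'INIFile Times'
$userKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server'
$epoch    = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

function Get-EpochValue([string]$Path, [string]$Name) {
    # Returns the stored seconds-since-epoch, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int64]$item.$Name
}

if ($Propagate) {
    # Step 2: create the INIFile Times key only if it is missing.
    if (-not (Test-Path -Path $iniTimes)) { New-Item -Path $iniTimes | Out-Null }
    # Step 3: write the current UTC time in whole seconds as a DWORD.
    $now = [int][Math]::Floor(([DateTime]::UtcNow - $epoch).TotalSeconds)
    New-ItemProperty -Path $iniTimes -Name 'LatestRegistryKey' `
        -PropertyType DWord -Value $now -Force | Out-Null
}

$latest   = Get-EpochValue $iniTimes 'LatestRegistryKey'
$lastSync = Get-EpochValue $userKey  'LastUserIniSyncTime'

[pscustomobject]@{
    LatestRegistryKey      = $latest
    LatestRegistryKeyUtc   = if ($null -ne $latest)   { $epoch.AddSeconds($latest) }
    LastUserIniSyncTime    = $lastSync
    LastUserIniSyncTimeUtc = if ($null -ne $lastSync) { $epoch.AddSeconds($lastSync) }
    # The comparison the post describes: a smaller user value triggers the copy to HKCU\Software.
    CopyExpectedAtLogon    = if ($null -ne $latest -and $null -ne $lastSync) { $lastSync -lt $latest }
}
```

Run without `-Propagate`, the script changes nothing and only shows the two timestamps, which makes it usable for recording LatestRegistryKey on each server before and after a change.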


Until next time …


  • Shadow keys (as they are usually called) are very dangerous: if you add a new server to your terminal server farm, that server's shadow key timestamp is newer than the timestamps in the existing user profiles causing user settings to be overwritten when users log on to the new server. To an end user that feels like random deletion of his configuration.

    You can read more about shadow keys in three posts by Nicholas Dille:

    Shadow Keys: A Relict from Ancient Times: www.sepago.de/.../shadow-keys-a-relict-from-ancient-times

    How TermSrvCopyKeyOnce Influences Shadow Keys: www.sepago.de/.../how-termsrvcopykeyonce-influences-shadow-keys

    Shadow Keys on Windows x64: www.sepago.de/.../shadow-keys-on-windows-x64

  • What is the ideal way to prevent such a behaviour - application configurations being changed possibly due to shadow keys? Does the value of LatestRegistryKey need to be the same on all the servers in the farm?