I'm getting disconnected sessions & ghost users on Windows Server after using RDP

Modified on Wed, 07 Feb 2024 at 02:02 PM

Orphaned sessions and ghost users result from a Windows feature and not the Rublon MFA for Windows Logon & RDP connector. As a result, it is up to each organization to devise an effective way of dealing with orphaned sessions that fits their policies. You can read on for additional information about disconnected sessions and ghost users in Windows, but note that the Rublon connector does not control this behavior.


Why am I getting orphaned sessions and ghost users after closing the RDP window?

Orphaned sessions and ghost users result from a Windows feature that allows saving the session (e.g., after a loss of internet connection) so that the user logged in via RDP can resume work as if nothing had happened. Consequently, if a user logs in via RDP without our MFA for Windows Logon and RDP connector, starts any application, e.g., Notepad, and types HELLO WORLD, a ghost process will be created after the RDP session is closed. And when the same user logs in again with RDP, they should still have the Notepad application open with the entry they added. The same thing happens with our connector, meaning that the Rublon for Windows connector has no effect on this feature.


Ongoing processes after closing the RDP window

The "winlogon.exe" process handles the interactive logon and logoff processes, while "LogonUI.exe" is the user interface component that presents the login screen.

When a user logs in via Remote Desktop Protocol (RDP), these two processes manage the session. If a user disconnects from an RDP session instead of logging off, the session remains active in a disconnected state. In this state, processes associated with the session, including "winlogon.exe" and "LogonUI.exe," may continue running, waiting for the user to reconnect or log off.

Disconnected sessions can occur due to network interruptions, client-side disconnections, or manual disconnections by the user. These sessions can persist until the user logs off or until a timeout period elapses, depending on the RDP session settings.


How to manage orphaned sessions

To manage disconnected sessions, you can use the Remote Desktop Services Manager (previously known as Terminal Services Manager) or PowerShell commands like Get-RDUserSession and Disconnect-RDUser. These tools allow you to view and manage active and disconnected sessions on your Windows Server.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article