Launching RDP from KeePass 2.x with auto-login

Configuring KeePass to launch RDP:

If you manage all of your RDP connections through KeePass, you may notice there’s no direct or easy way of launching Remote Desktop Client and automatically logging into a remote machine.

The following few steps will help guide you through configuring KeePass to automatically launch an RDP connection through a menu item or accelerator key on that entry in KeePass.

  1. Start by opening your KDBX file, or create a new one.
  2. Open the options dialog by going to the Tools menu and selecting Options.
  3. On the integration tab, click the “URL Schema Overrides…” button.
  4. Add a schema
  5. Use the schema “rdp” and use the URL override command:

  6. Now any password entries that have a URL of rdp://{hostname or ip} (e.g. rdp://127.0.0.1) will be able to have mstsc.exe (remote desktop client) launched and logged in.
  7. To launch it, you can right click on the entry, use the toolbar, or hit the CTRL+U key (or whatever it is configured for) on the selected item.

So how does it work?  Let’s break down the command:

KeePass only supports a single command, so we have to get a little hacky to make it execute multiple consecutive commands.

The cmd:// prefix is a KeePass-specific prefix that tells KeePass to run the “URL” as a Windows command.

Immediately after cmd:// is the cmd.exe command, which is the Windows Command Interpreter – an actual Windows command. The /c command line switch tells cmd.exe to run the command and immediately close the window afterwards. You can change it to /k if you would like the window to stay open after the commands are done.

The part surrounded by quotation marks is the parameter we’re passing into cmd.exe.  It’s the series of commands we’re going to execute, and it will initialize the credentials used for RDP in Windows, call mstsc.exe (RDP client) and connect, wait 5 seconds (I don’t think this is necessary), then immediately remove those credentials from Windows.  The double ampersands ( && ) are what allow us to chain multiple commands together. {URL:RMVSCM} is the URL, but with the schema removed. So instead of using {URL} and getting rdp://123.123.123.123, we use {URL:RMVSCM} which returns just 123.123.123.123. For information on the variables passed, see the KeePass Help Doc: Placeholders.

cmdkey.exe will allow you to create, display, or delete stored credentials in Windows.  Unfortunately mstsc.exe doesn’t actually accept credentials through the command line, but it will re-use credentials that are saved in Windows. You can also see your credentials in Control Panel > Credential Manager.

If you need to debug it, you can either change the /c to /k on cmd.exe (which keeps the window open), or append “&& pause” to the end of the command that gets executed.

tl;dr; initialize credentials, run RDP client using those credentials, wait 5 seconds, remove credentials.
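
To check what an entry turns into before cmd.exe parses it, here is an added example (not from the original post and not KeePass code) that expands the placeholders used on this page and flags fields cmd.exe is likely to misparse. The names `expand`, `lint`, `SAMPLE` and `CMDKEY` and the entry values are constructed for illustration; the expansion is a simplified model covering only these placeholders, including the `{URL:HOST}` and caret-escaping forms suggested in the comments below.

```python
import re

# Characters cmd.exe gives special meaning on an unquoted command line.
CMD_META = set('&|<>^()%"')
# The caret-escaping placeholder exactly as it appears in the comments.
CARET_RX = "{T-REPLACE-RX:/{PASSWORD}/(.)/^$1/}"

def expand(template, entry):
    """Expand the subset of KeePass placeholders used on this page."""
    url = entry["url"]
    no_scheme = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    values = {
        "{URL}": url,
        "{URL:RMVSCM}": no_scheme,                      # scheme removed
        "{URL:HOST}": re.sub(r":\d+$", "", no_scheme.split("/")[0]),
        "{USERNAME}": entry["username"],
        "{PASSWORD}": entry["password"],
        CARET_RX: re.sub(r"(.)", r"^\1", entry["password"]),
    }
    pattern = "|".join(re.escape(k) for k in values)
    # Single pass, so placeholder-like text inside a field is not re-expanded.
    return re.sub(pattern, lambda m: values[m.group(0)], template)

def lint(entry):
    """Findings for one entry; reports field names only, never the secret."""
    findings = []
    for field in ("username", "password"):
        meta = sum(ch in CMD_META for ch in entry[field])
        if meta:
            findings.append(f"{field}: {meta} cmd.exe metacharacter(s)")
        if " " in entry[field]:
            findings.append(f"{field}: contains a space")
    if expand("{URL:RMVSCM}", entry) != expand("{URL:HOST}", entry):
        findings.append("url: {URL:RMVSCM} and {URL:HOST} differ (port or path)")
    return findings

# Constructed sample entry, not a real host or credential.
SAMPLE = {"url": "rdp://rdp-host.example:3390",
          "username": "EXAMPLE\\alice", "password": "p&ss w^rd"}
CMDKEY = "cmdkey /generic:TERMSRV/{URL:HOST} /user:{USERNAME} /pass:" + CARET_RX

if __name__ == "__main__":
    print(expand(CMDKEY, SAMPLE))
    for finding in lint(SAMPLE):
        print("-", finding)
```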

31 thoughts on “Launching RDP from KeePass 2.x with auto-login”

  1. If you use start /b to launch mstsc.exe in the background, the shell windows (and the temporarily saved credentials) will be gone after the specified timeout.

    1. Hi Thomas, which command do you use the /b switch with? I did a /? to cmd.exe, cmdkey.exe, and mstsc.exe and I don’t see a /b switch with any of them. Win 8.1

      1. try “start /?” 😉

        cmd://cmd /c "cmdkey /generic:TERMSRV/{URL:RMVSCM} /user:{USERNAME} /pass:{PASSWORD} && start /b mstsc /v:{URL:RMVSCM} && timeout /t 5 /nobreak && cmdkey /delete:TERMSRV/{URL:RMVSCM}"

        1. I’ve tried both original and your method and both give me an error ‘cmdkey is not a recognized internal or external command’. Any advice? (Running Windows 8.1 and KeePass 2.29)

        2. Hey Guy,

          CmdKey.exe should be located in C:\Windows\System32. Do you have that executable there? Also, do you have an icon called Credential Manager under Control Panel? CmdKey.exe should be a command line interface to access the Credential Manager. Are you running the non-Pro (Home or whatever it’s called these days) edition of Windows 8.1? It’s possible cmdkey is only available with Pro, and I would be happy to research an alternative if that’s the case.

    1. Hello Fazlul, I haven’t tried this out so you may need to experiment a little bit, but there is a file called Default.rdp in your user’s Documents folder. It’s a hidden file, but if you open it, you can configure the defaults for RDP connections.

      Also, if you run “mstsc.exe /?” from the command line (or Run dialog), you will get a list of available command line arguments. It doesn’t look like they have any way to configure that directly through the command line, but you can configure and save a .RDP file and pass that in as an argument for mstsc.exe. The only thing I’m not sure about is if that’ll still allow you to manage the credentials through KeePass.

  2. Improvement of the line given by Boris to escape special characters in password:

    cmd://cmd /c "cmdkey /generic:TERMSRV/{URL:RMVSCM} /user:{USERNAME} /pass:{T-REPLACE-RX:/{PASSWORD}/(.)/^$1/} && start /b mstsc /v:{URL:RMVSCM} && timeout /t 5 /nobreak && cmdkey /delete:TERMSRV/{URL:RMVSCM}"

    Each character in the password is simply (and nastily) escaped with a ^ in front using {T-REPLACE-RX:/{PASSWORD}/(.)/^$1/}

    1. This fixes the port problem for me:
      cmd://cmd /c "cmdkey /generic:TERMSRV/{BASE:HOST} /user:{USERNAME} /pass:{T-REPLACE-RX:/{PASSWORD}/(.)/^$1/} && start /b mstsc /v:{URL:RMVSCM} && timeout /t 5 /nobreak && cmdkey /delete:TERMSRV/{BASE:HOST}"

  3. Hi Adam:
    I copied your command code to the KeePass URL, but it generated a much longer URL which made my KeePass stop responding and crash! There must be something wrong with your command, I just don’t know how to fix it.

    cmd://cmd /c "cmdkey /generic:TERMSRV/{URL:RMVSCM} /user:{USERNAME} /pass:{PASSWORD} && mstsc /v:{URL:RMVSCM} && timeout /t 5 /nobreak && cmdkey /delete:TERMSRV/{URL:RMVSCM}"

  4. I’m not sure why that would have happened. Did you add it to the Tools > Options > Integration > URL Overrides section first? I just tried it with the latest version of KeePass and it still seems to work.

  5. Hello, I just found this, very useful!

    I have some passwords with spaces, and I’m not able to pass them. I tried the ^ character but with no luck; cmdkey said incorrect parameter.
    Any idea? (other than changing the password :D)

    1. I will try that.

      I use this command to launch RDP sessions on AD domain controllers of multiple domains and forests.
      So I modified the command to create a reference to another entry. Now I have maybe 130 entries, but only 6 usernames and passwords. Very convenient when the time to modify passwords is coming, sometimes it’s like winter is coming 😀
      If interested I will post the command Monday.

  6. Thank you, works well except when you use a port number in the server address; then it will not pass username and password.

    Any ideas?

    1. Hi Lone Baggie, I just tried it with a non-standard port in the HOST:PORT format (ex: myserver.com:1111) and it worked ok. Can you show me the command you have configured? Do you have any strange characters in your password that might throw off the parsing in cmd.exe – there are several chars that can cause problems. Btw, I noticed WordPress converted the ampersands in my post to “amp;” and I have since fixed that (not sure if that would cause issues or not)

    2. Hello Lone,

      it depends on the parameter “{URL:RMVSCM}”. It must be changed to “{URL:HOST}”. I had the same problem. Additionally, if you have some “strange” characters in your password, wrap double quotes around it. This sequence should work properly as it does for me:

      cmd://cmd /c "cmdkey /generic:TERMSRV/{URL:HOST} /user:"{USERNAME}" /pass:"{PASSWORD}" && mstsc /v:{URL:RMVSCM} && timeout /t 5 /nobreak && cmdkey /delete:TERMSRV/{URL:HOST}"

      Regards

      Holger

      1. I tried this on Win 10 but the login window disappears in a split second and nothing happens. The initial code works, but not with different ports.

  7. Thanks.
    My improved vbs version – without disturbing shell window during launch 🙂

    URL override command:
    cmd://wscript.exe rdp.vbs {URL:RMVSCM} {USERNAME} {PASSWORD}

    rdp.vbs script located directly in the KeePass dir:

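    ' Arguments passed by the KeePass URL override: server, user name, password
    srv=Wscript.Arguments(0)
    usr=Wscript.Arguments(1)
    pwd=Wscript.Arguments(2)

    ' Store the credential, launch the RDP client, then delete the credential
    cmd1="cmdkey /generic:TERMSRV/" & srv & " /user:" & usr & " /pass:" & pwd
    cmd2="mstsc /v:" & srv
    cmd3="cmdkey /delete:TERMSRV/" & srv

    Set WshShell = WScript.CreateObject("WScript.Shell")
    ' Run(command, window style, wait): 0 = hidden window, 1 = normal window
    return = WshShell.Run(cmd1, 0, true)
    return = WshShell.Run(cmd2, 1, false)
    WScript.Sleep 4000
    return = WshShell.Run(cmd3, 0, true)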

    1. URL override command: (improved , supports blank space in parameters)
      cmd://wscript.exe rdp.vbs "{URL:RMVSCM}" "{USERNAME}" "{PASSWORD} "

    2. I’ve got this working great with one exception: when the server I’m connecting to has a specific port, e.g. myserver:6412, it prompts me to enter my password. Any way round this? Been playing around in cmd calling the vb but can’t find a way round it.

    1. aha no need. I was using my normal password file on a vm loaded from a shared folder and it seems that the url override must be somehow configured to be stored in windows not in the local database – or keepass separates url overrides out by host name. I added it again and it works fine.
