Terminal Services – Exploring the Shadows

Hello folks, my name is Madhurjya and I would like to talk a bit about an interesting feature in Terminal services which is known as the Terminal Services Shadow Region.

On a terminal server, whenever applications are installed, it first writes the new application registry entries to the HKeyCurrentUser\Software registry location. At the same time, to ensure that these new entries are available for all the users on the terminal server, the new registry entries are propagated to another location in the registry called the shadow region:

 HKeyLocalMachine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software

So, how does the Shadow Region work?

Once the new keys are written to the shadow region; it updates an entry called LatestRegistryKey located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\INIFile Times. This key is updated with the number of seconds elapsed since midnight (UTC) of January 1, 1970, not counting leap seconds. This is known as epoch time or Unix time and is used by many OSs to keep track of time. To know more about Unix time and its significance I would suggest you to refer to this link:


When a new user logs on to the terminal server, Userinit.exe reads a registry entry called LastUserIniSyncTime entry located in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server and compares its value with the LatestRegistryKey. Both  LatestRegistryKey and LastUserIniSyncTime hold the value in seconds. If the LastUserIniSyncTime has an entry that has a lesser value than LatestRegistryKey, the OS assumes that new software has been installed on the box and to make these new registry entries available to the current user by writing it to the HKCU\Software key.

There are instances when we might need to make certain changes for applications which are already installed on a terminal server. In these scenarios, we might need to manually add or modify the registry entries in the Shadow Region. However, manually created entries will not propagate to the current user profile unless the LatestRegistryKey entry is updated. To achieve this, we need to manually update the LatestRegistryKey entry once the required changes are made in the Shadow Region. This entry holds the value in seconds elapsed since Jan 1st 1970 and in order to propagate the changes, we need to update this entry with the number of seconds elapsed since the epoch till the current time. This will ensure that the LatestRegistryKey entry has a higher value than LastUserIniSyncTime and hence help us add the changes to the current user profile. 

There are many tools and websites which can be used to calculate UTC seconds elapsed. For example:


Here are the steps to manually propagate the shadow key to the current user profile – HKeyCurrentUser\Software:

1. Create the required customized registry keys in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software

2. Create the INIFile Times key if it’s not present in the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\

3. In the INIFile Times key, create a new DWORD entry and name it LatestRegistryKey. Compute the seconds using the above link for the current date and time and set it as the value for LatestRegistryKey

4. Logon to the terminal server as a different user and check if the new keys are present in HKCU\Software and that’s it.


Until next time …


Share this post :