
Shadow Key Time Stamp

Applications are normally installed on a Terminal Server via Add/Remove Programs or after running the change user /install command. Either method puts the Terminal Server in installation mode. When an application writes registry keys to HKEY_CURRENT_USER while the server is in installation mode, those keys are also written under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software. The values in this key, called the Shadow Key, are applied to a user when he logs on to the Terminal Server if no keys (or only older keys) are found in his profile; the comparison is based on a time stamp. Because the check relies on the time stamp, you can see strange behavior when a new server is added to your infrastructure. The values in the Shadow Key receive their time stamp at the moment they are installed. Users can have different settings in their profile, but with an older time stamp. When these users log on to the new server, the Shadow Key settings are written into their profile because they are newer than the settings in the user profile, which is obviously unwanted.

Shadow Key Solutions

To prevent this behavior there are basically three solutions, which are described in Microsoft Knowledge Base article 297379.

  1. Use Sysprep and "image" new servers. This ensures that new servers inherit the registry timestamps from the original build.
  2. Write to HKEY_CURRENT_USER\Software in Install mode with the system clock set in the past.
  3. Remove shadow keys that could potentially overwrite user preferences.

In the article Basic Concepts of the Terminal Server Environments I already described the advantages and disadvantages of each solution.

Two executables

The Shadow Key Stamp is a utility set provided unofficially by Microsoft that makes it possible to use the Shadow Key with defined date stamps. The tools support solution two, but without setting the system clock back.

The tool kit consists of two separate tools named RDT (Read Date Time) and SDT (Set Date Time). As the names imply, the tools can read the current time stamp and set the time stamp for the Shadow Key (only).

Not much development has been done on these tools, so the date usage is limited. This is not a big problem if you set the date on all your Terminal Servers at the same time. You can set the year to 2003 or earlier.

The SDT command uses the following syntax:
Sdt <Day> <Month> <Year>. For example, SDT 21 09 2002 sets the date to 21 September 2002.
There is no option to specify which keys should be altered; it simply sets the date back for all (sub)keys under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software key.

With RDT the current date stamp of all available keys within the Shadow Key can be read.
Because there are several mechanisms (such as GPOs) that can change your configured settings, the tool is very useful for checking whether the correct settings are still in place. You will probably use this tool in a script that checks the settings and, if needed, reconfigures them with the SDT utility. RDT takes no parameters: you run the tool and it displays all the (sub)keys within the Shadow Key with their date stamp.
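The kind of scripted check described above can also be done without RDT. The following is an added example, not part of the Microsoft tool set or of the original article: it reads the last-write time of every (sub)key under the Shadow Key with Python's winreg.QueryInfoKey and lists the keys newer than a cutoff date. It assumes the time stamp discussed here is the registry key's last-write time; the ExampleVendor key names, the sample dates and the cutoff are constructed.

```python
import sys
from datetime import datetime, timedelta, timezone

# Shadow Key path as given in the article (relative to HKEY_LOCAL_MACHINE).
SHADOW_ROOT = (r"Software\Microsoft\Windows NT\CurrentVersion"
               r"\Terminal Server\Install\Software")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here to build the sample data."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def newer_than(stamps, cutoff):
    """Return the key paths whose last-write time is later than cutoff."""
    return sorted(p for p, ft in stamps.items() if filetime_to_dt(ft) > cutoff)

def read_shadow_stamps(root=SHADOW_ROOT):
    """Walk the Shadow Key on a Windows host; returns {key path: FILETIME}."""
    import winreg  # Windows-only standard-library module
    stamps = {}
    def walk(path):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            n_subkeys, _n_values, last_write = winreg.QueryInfoKey(key)
            stamps[path] = last_write
            children = [winreg.EnumKey(key, i) for i in range(n_subkeys)]
        for name in children:
            walk(path + "\\" + name)
    walk(root)
    return stamps

# Constructed sample: two keys carry the date set with "SDT 21 09 2002",
# one key was written again later and would win over older user settings.
_SET = dt_to_filetime(datetime(2002, 9, 21, tzinfo=timezone.utc))
SAMPLE = {
    SHADOW_ROOT: _SET,
    SHADOW_ROOT + r"\ExampleVendor\AppA": _SET,
    SHADOW_ROOT + r"\ExampleVendor\AppB":
        dt_to_filetime(datetime(2009, 3, 2, 10, 15, tzinfo=timezone.utc)),
}
CUTOFF = datetime(2002, 9, 22, tzinfo=timezone.utc)  # one day of time-zone slack

if __name__ == "__main__":
    stamps = read_shadow_stamps() if sys.platform == "win32" else SAMPLE
    for path in newer_than(stamps, CUTOFF):
        print(filetime_to_dt(stamps[path]).isoformat(), path)
```

Any key the script lists has a newer stamp than the one you set, so it is a candidate for being reset with SDT or removed from the Shadow Key.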


Conclusion

I'm still an advocate of solution three: removing all keys from the Shadow Key and adding them directly to the user profile using scripting or third-party management tools. In this way you can easily control the settings that will be configured for the user. If for some reason you still want to use the Shadow Key, these tools are the best option available.

The tools can be downloaded from the forum of BrianMadden.com.