One Day Sec

What is the best method to obtain RDP connection history for all users, including those not currently logged into the system?

To get the full history, you must first enumerate all user SIDs via WMI, then read each user's registry path under `HKEY_USERS\SID\...`. For a user who is not logged in, that hive is not mounted under `HKEY_USERS`, so you need to load the user's `NTUSER.DAT` file (located in `C:\Documents and Settings\Username\`) as a registry hive with `Reg load`, enumerate the keys, and then unload the hive. The article details a complete PowerShell implementation that uses a loop with try-catch or if-else logic. This technique is similar to account hiding in that both work directly on registry hives for deeper access.
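The procedure above as a worked PowerShell script, added here as an example and not the article's own implementation. It assumes two things the answer does not state: that the RDP client history is stored under `Software\Microsoft\Terminal Server Client\Default` (the `MRU*` values) and `...\Servers` (one subkey per host, with a `UsernameHint` value) in each user hive, and that profile paths are taken from `Win32_UserProfile` (the `C:\Users\<name>` layout; the `Documents and Settings` path in the answer is the older layout). The temporary hive name `RDPHist_<sid>` is a made-up choice. It must run elevated, because loading another user's `NTUSER.DAT` requires administrative rights.

```powershell
# Added example: collect RDP client connection history for every local profile,
# mounting NTUSER.DAT for users who are not logged on. Not the article's script.
# Assumed (not on the page): the Terminal Server Client key layout and the use of
# Win32_UserProfile for profile discovery. Run from an elevated PowerShell.

$tsc     = 'Software\Microsoft\Terminal Server Client'
$results = [System.Collections.Generic.List[object]]::new()

# 1. Enumerate profiles (SID + profile directory) via WMI/CIM, skipping
#    special accounts such as SYSTEM and the service accounts.
$profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }

foreach ($p in $profiles) {
    $sid      = $p.SID
    $hiveRoot = "Registry::HKEY_USERS\$sid"
    $loaded   = $false
    $tmpName  = $null

    # 2. If the hive is not mounted (user not logged on), load NTUSER.DAT under a
    #    temporary HKU key so it can be read like any other hive.
    if (-not (Test-Path $hiveRoot)) {
        $ntuser = Join-Path $p.LocalPath 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }
        $tmpName  = "RDPHist_$($sid -replace '[^A-Za-z0-9]', '')"   # assumed name
        $hiveRoot = "Registry::HKEY_USERS\$tmpName"
        # reg.exe load fails (non-zero exit) if the file is locked; report and move on.
        & reg.exe load "HKU\$tmpName" $ntuser 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not load hive for $sid ($ntuser)"
            continue
        }
        $loaded = $true
    }

    try {
        # 3a. MRU list: value names MRU0..MRUn under ...\Default hold server names.
        $default = Get-ItemProperty -Path "$hiveRoot\$tsc\Default" -ErrorAction SilentlyContinue
        if ($default) {
            $default.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' } | ForEach-Object {
                $results.Add([pscustomobject]@{
                    SID = $sid; Profile = $p.LocalPath; Source = $_.Name
                    Server = $_.Value; UsernameHint = $null
                })
            }
        }
        # 3b. Per-server subkeys under ...\Servers, including the last username used.
        Get-ChildItem -Path "$hiveRoot\$tsc\Servers" -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $results.Add([pscustomobject]@{
                SID = $sid; Profile = $p.LocalPath; Source = 'Servers'
                Server = $_.PSChildName; UsernameHint = $props.UsernameHint
            })
        }
    }
    finally {
        # 4. Always unload a hive we mounted, even if reading threw an error.
        if ($loaded) {
            [gc]::Collect()   # drop handles the registry provider may still hold
            & reg.exe unload "HKU\$tmpName" 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Hive $tmpName is still loaded; unload it manually"
            }
        }
    }
}

$results | Sort-Object SID, Server | Format-Table -AutoSize
```

The `try/finally` matters more than it looks: a hive left mounted under `HKEY_USERS` keeps the user's `NTUSER.DAT` locked, so the next logon for that account will fail over to a temporary profile. For incident response, add the `LastWriteTime` of each `Servers\<host>` key if you need an approximate time for when the entry was last touched.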
Tags: all users, NTUSER.DAT, load hive, registry, RDP history, PowerShell, Reg load
