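I forgot the password of the default user that was created at install time on a server on the internal network. Fortunately, RDCMan (Remote Desktop Connection Manager) on another computer had been used to connect to this server, and the password had been saved. So after some fiddling, I finally recovered the password:
The PowerShell script that finally worked came from this address:
https://www.undocumented-features.com/2019/10/03/decrypting-credentials-stored-in-remote-desktop-manager-rdcman-rdg/
But I was only able to find that address because of this article, which gives three approaches, one of which is PowerShell:
https://www.cnblogs.com/Thorndike/p/15325079.html
Because it did not work, I searched on keywords from the script, and that is how I found it. (Baidu and Bing gave no useful results; what actually worked this time was Google.)
The script that finally worked is this one: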
# Decrypt passwords in RDG files
param($RDGFile, $PasswordString, $RDCManSource)

# If no path was given, look for RDCMan.exe in the default install locations
If (!$RDCManSource)
{
    $RDCManSource = Get-ChildItem -Path @('C:\Program Files\Microsoft', 'C:\Program Files (x86)\Microsoft') -Filter "RDCMan.exe" -File -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
}
If (!$RDCManSource)
{
    Write-Error "Remote Desktop Manager must be installed. If it is installed, use the -RDCManSource parameter to specify the executable's location."
    Exit
}
else
{
    Write-Host "goto RDCManSource."
    Write-Host $RDCManSource.FullName
    # Load RDCMan.exe as a .NET assembly so that its RdcMan.* types become available
    try
    {
        $Assembly = [Reflection.Assembly]::LoadFile($RDCManSource)
    }
    catch
    {
        $_.Exception.Message.ToString()
        Write-Host "Catch"
        Exit
    }
    try
    {
        Import-Module $Assembly
    }
    catch
    {
        $_.Exception.Message.ToString()
        Write-Host "Import Exception"
        Exit
    }
}
If ($RDGFile)
{
    Write-Host "goto RDGFile."
    Write-Host
    # Read the .rdg file as XML and collect every logonCredentials node
    [xml]$Data = Get-Content $RDGFile
    $CredentialValues = $Data.SelectNodes("*//logonCredentials")
    $global:Output = @()
    foreach ($obj in $CredentialValues)
    {
        try
        {
            $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
            $Password = [RdcMan.Encryption]::DecryptString($obj.password, $EncryptionSettings)
        }
        catch
        {
            $_.Exception.Message.ToString()
            continue
        }
        # Skip entries whose result is empty or carries the failure message
        If ($Password -and ($Password -notlike '*Failed to decrypt*'))
        {
            $CredObject = New-Object PSObject
            $CredObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $obj.ProfileName -ea SilentlyContinue -Force
            $CredObject | Add-Member -Type NoteProperty -Name "UserName" -Value $obj.username -ea SilentlyContinue -Force
            $CredObject | Add-Member -Type NoteProperty -Name "Password" -Value $Password
            $CredObject | Add-Member -Type NoteProperty -Name "Domain" -Value $obj.domain
            $global:Output += $CredObject
        }
    }
    If ($Output)
    {
        $Output
    }
    Else
    {
        Write-Host "Nothing to show."
    }
}
else
{
    # No file given: decrypt a single password string passed on the command line
    If ($PasswordString)
    {
        $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
        $Password = [RdcMan.Encryption]::DecryptString($PasswordString, $EncryptionSettings)
        Write-Host "Cleartext password: $($Password)"
    }
}
Note that I am using the portable ("green") version on my computer, so the path is passed in as a parameter:
.\dops2 -RDGFile '.\本地电脑.rdg' -RDCManSource 'D:\Green\RDCMan\RDCMan.exe'
Another script that I tried:
# Copy RDCMan.exe to a .dll name so that it can be imported as a module
Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\windows\temp\RDCMan.dll'
Import-Module 'C:\windows\temp\RDCMan.dll'
$EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
# RDCManpass.txt holds one encrypted password string per line
$lines = Get-Content RDCManpass.txt
foreach ($line in $lines)
{
    $PwdString = $line
    [RdcMan.Encryption]::DecryptString($PwdString, $EncryptionSettings)
}
Running the script directly on Windows 10 reports an error:
Solution:
https://blog.csdn.net/qq_15585305/article/details/131436046
Also, for passing parameters to a PowerShell script, I referred to this post:
https://blog.csdn.net/wan_ghuan/article/details/104346908
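Since a password saved in an .rdg file can be recovered as described above, the same XML can be inventoried to find which files and entries still hold a saved password. The following is an added example, not part of the original post or of the linked scripts; it decrypts nothing, and the function name `Find-RdgSavedPassword` and the sample file contents are constructed for illustration.

```powershell
# Added example: list saved password entries in .rdg files without decrypting them.
function Find-RdgSavedPassword {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Path)

    $files = Get-ChildItem -Path $Path -Filter '*.rdg' -File -Recurse -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
        catch { Write-Warning "Skipping $($file.FullName): $($_.Exception.Message)"; continue }

        # Any element with a non-empty <password> child still holds a stored blob.
        # The username/domain names are the ones the script on this page reads.
        foreach ($node in $doc.SelectNodes('//*[password[normalize-space()]]')) {
            [pscustomobject]@{
                File      = $file.FullName
                Element   = $node.LocalName
                UserName  = $node.username
                Domain    = $node.domain
                BlobChars = $node.SelectSingleNode('password').InnerText.Trim().Length
            }
        }
    }
}

# Constructed sample file (layout and values are assumptions, not a real export).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'rdg-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<RDCMan>
  <file>
    <server>
      <properties><name>srv01.example.internal</name></properties>
      <logonCredentials inherit="None">
        <userName>Administrator</userName>
        <password>CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-BLOB</password>
        <domain>EXAMPLE</domain>
      </logonCredentials>
    </server>
    <server>
      <properties><name>srv02.example.internal</name></properties>
    </server>
  </file>
</RDCMan>
'@ | Set-Content -Path (Join-Path $dir 'sample.rdg') -Encoding UTF8

# Reports one row for srv01's logonCredentials; srv02 has no saved password.
Find-RdgSavedPassword -Path $dir | Format-Table -AutoSize
```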