内网的一台服务器上的装机默认用户密码忘记了，但是好在别的电脑上使用RDCMan（Remote Desktop Connection Manager）连接过这台服务器，并且保存了密码。于是经过一番折腾，最后把密码找回来了：

最后成功的powershell脚本来自于这个地址：

https://www.undocumented-features.com/2019/10/03/decrypting-credentials-stored-in-remote-desktop-manager-rdcman-rdg/

但是能找到这个地址是因为这篇文章给出的三个方案，就有powershell，

https://www.cnblogs.com/Thorndike/p/15325079.html

因为不好使，就根据脚本里面的关键字去搜索，才找到的。（百度和bing都没有有效的结果，这次实际上发挥作用的是google）

最终有效的脚本是这个：

# Decrypt passwords in RDG files
param($RDGFile,
    $PasswordString,
    $RDCManSource
    )
If (!$RDCManSource)
{
    $RDCManSource = (Get-ChildItem -Path @('C:\Program Files\Microsoft', 'C:\Program Files (x86)\Microsoft') -File "RDCMan.exe" -Recurse -ErrorAction SilentlyContinue)[0]
}
If (!$RDCManSource)
{
    Write-Error "Remote Desktop Manager must be installed.  If it is installed, use the -RDCManSource parameter to specify the executable's location."
    Exit
}
else
{
    Write-Host "goto RDCManSource."

    Write-Host $RDCManSource.FullName
    try
    {
        $Assembly = [Reflection.Assembly]::LoadFile($RDCManSource)
    }
    catch
    {
        $_.Exception.Message.ToString();
        Write-Host "Catch"; Exit
    }
    try { Import-Module $Assembly }
    catch
    {
        $_.Exception.Message.ToString();
        Write-Host "Import Exception"; exit }
}
If ($RDGFile)
{
    Write-Host "goto RDGFile."
    Write-Host
    [xml]$Data = Get-Content $RDGFile
    $CredentialValues = $Data.SelectNodes("*//logonCredentials")
    $global:Output = @()
    foreach ($obj in $CredentialValues)
    {
        try
        {
            $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
            $Password = [RdcMan.Encryption]::DecryptString($obj.password, $EncryptionSettings)
        }
        catch
        {
            $_.Exception.Message.ToString(); continue
        }
        If ($Password -and ($Password -notcontains 'Failed to decrypt'))
        {
            $CredObject = New-Object PSObject
            $CredObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $obj.ProfileName -ea SilentlyContinue -Force
            $CredObject | Add-Member -Type NoteProperty -Name "UserName" -Value $obj.username -ea SilentlyContinue -Force
            $CredObject | Add-Member -Type NoteProperty -Name "Password" -Value $Password
            $CredObject | Add-Member -Type NoteProperty -Name "Domain" -Value $obj.domain
            $global:Output += $CredObject
        }
    }
    If ($Output)
    {
        $Output
    }
    Else
    {
        Write-Host "Nothing to show."
    }
}
else
{
    If ($PasswordString)
    {
        $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
        $Password = [RdcMan.Encryption]::DecryptString($PasswordString, $EncryptionSettings)
        Write-Host "Cleartext password: $($Password)"
    }
}

需要注意的是，我电脑上使用的是绿色版，所以是传参进来的

 .\dops2 -RDGFile '.\本地电脑.rdg'  -RDCManSource 'D:\Green\RDCMan\RDCMan.exe'

其它另外一个尝试过的脚本：

Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\windows\temp\RDCMan.dll'
Import-Module 'C:\windows\temp\RDCMan.dll'
$EncryptionSettings=New-Object-TypeName RdcMan.EncryptionSettings 
$lines=Get-Content RDCManpass.txt
foreach ($line in $lines){
    $PwdString= $line
    [RdcMan.Encryption]::DecryptString($PwdString,$EncryptionSettings)
}

windows 10系统直接执行脚本会报错：

解决办法：

https://blog.csdn.net/qq_15585305/article/details/131436046

另外PowerShell脚本传参，参考了这篇：

https://blog.csdn.net/wan_ghuan/article/details/104346908