Fix ERROR_CTX_SHADOW_NOT_RUNNING (0X00001B91) on Remote Desktop
This error hits when you try to shadow a remote session but the RDP Shadow service isn't running. Here's how to kick it back on and keep it there.
When This Error Happens
You're sitting at your desk, remoted into a Windows Server 2019 or 2022 box, and you run mstsc /shadow:1 /v:server-name to shadow another user's session. Instead of seeing their desktop, you get a popup: ERROR_CTX_SHADOW_NOT_RUNNING (0X00001B91). The exact error text reads: "The Remote Desktop Services Shadow Session service is not running." This usually happens on freshly patched servers or after a reboot, especially if you've just installed the Remote Desktop Services role manually.
Root Cause
Three things can cause this. First, the TermServiceShadow service (short name RDShadow) is stopped or set to manual instead of automatic. Second, the service is running but crashed because of a permissions issue — the Local System account doesn't have the right privileges to shadow. Third (and most common on domain controllers), Group Policy blocks shadowing via the Set rules for remote control of Remote Desktop Services user sessions policy.
The real fix is a combination of service config and policy tweaks. Skip restarting the whole server — that's overkill. Let's walk through the actual steps.
Step-by-Step Fix
- Check the Shadow Service Status
Open an elevated command prompt or PowerShell. Run:
    sc.exe query RDShadow
Use sc.exe rather than plain sc: in Windows PowerShell, sc is an alias for Set-Content. If the state is STOPPED or PAUSED, you need to start it. If it's RUNNING, skip to step 3.
- Set the Service to Automatic and Start It
Still in the admin prompt, run:
    sc.exe config RDShadow start= auto
    sc.exe start RDShadow
Note: the space after start= is required. If you get an access denied error, you're not running as admin, so Ctrl+Shift+Enter that prompt.
- Verify the Service Runs Under Local System
Run services.msc, find Remote Desktop Services Shadow Session. Right-click, Properties, Log On tab. It should be Local System account. If it's something else (like a domain account), change it, apply, and restart the service.
- Check Group Policy
On the target server, open gpedit.msc. Go to:
    Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections
Find Set rules for remote control of Remote Desktop Services user sessions. Set it to Enabled, then choose Full control with user's permission or Full control without user's permission. The latter skips the consent prompt, which is useful for admin scenarios but may violate your org's policy.
- Apply the Policy and Retry
Run gpupdate /force in the admin prompt. Then try shadowing again:
    mstsc /shadow:1 /v:localhost
Replace 1 with the actual session ID from qwinsta on the target server.
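The checks from steps 1 to 4 as one read-only PowerShell audit. This is an added example, not part of the original article. It assumes the service name RDShadow given above and that the remote control policy is stored as the Shadow value under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; the function name Get-ShadowReadiness is hypothetical.

```powershell
# Added example: read-only audit of the settings the steps above change.
# Assumption: the service name 'RDShadow' is taken from this article.
function Get-ShadowReadiness {
    param(
        [string]$ServiceName = 'RDShadow',
        [string]$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )

    # Meaning of the 'Shadow' policy DWORD (rules for remote control).
    $modes = @{
        0 = 'No remote control allowed'
        1 = 'Full control with user''s permission'
        2 = 'Full control without user''s permission'
        3 = 'View session with user''s permission'
        4 = 'View session without user''s permission'
    }

    # Steps 1-3: state, start mode and logon account of the service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    # Step 4: the policy value; a missing value means Not Configured.
    $raw = (Get-ItemProperty -Path $PolicyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
    $mode = if ($null -eq $raw) {
        'Not configured'
    } elseif ($modes.ContainsKey([int]$raw)) {
        $modes[[int]$raw]
    } else {
        "Unknown value $raw"
    }

    [pscustomobject]@{
        ServiceFound    = [bool]$svc
        State           = $svc.State
        StartMode       = $svc.StartMode
        LogOnAs         = $svc.StartName
        ShadowPolicy    = $mode
        # Values 2 and 4 allow shadowing with no consent prompt for the user.
        NoConsentPrompt = ($raw -in 2, 4)
    }
}

Get-ShadowReadiness | Format-List
```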
When It Still Fails
If you still see 0X00001B91 after all that, check these:
- Firewall rules: RDP shadow uses dynamic ports (default 3389, but shadow adds another). Make sure Windows Firewall has the Remote Desktop Services inbound rule enabled, or temporarily disable the firewall to test.
- Event Viewer: Look under Applications and Services Logs -> Microsoft -> Windows -> RemoteDesktopServices-RemoteFX-SessionManager for error events. Common ones: 0x800706be or 0x80070005, which indicate permission or dependency failures.
- Third-party RDP wrappers: If you're using RDP Wrapper or similar, remove them. They interfere with the official shadow service and cause exactly this error.
One more trick: temporarily add the user account you're shadowing from to the Remote Desktop Users group on the target machine. This forces the permissions through. Remove it after testing if needed.
I've seen this error on dozens of servers, and 90% of the time it's the shadow service being stopped after a Windows Update. The rest is Group Policy. You've got this.