In this article we will consider the options for auditing and analyzing RDP connection logs in Windows. As a rule, the described methods can also be useful when investigating RDP-related activity on RDS (terminal) Windows servers in forensics tasks, when a system administrator must provide details about which users logged on to the RDS server, when a specific RDP user authenticated and ended the session, and which machine (a hostname or IP address) a user connected from. I believe this information will be useful both for the administrators of corporate RDS farms and for owners of standalone RDP servers published on the Internet (Windows VPS are still quite popular).
The article applies when analyzing RDP logs both in Windows Server 2008 R2, 2012/R2, 2016 and in desktop Windows editions (Windows 10, 8.1 and 7).
You can check the RDP connection logs using Windows Event Viewer (eventvwr.msc). Windows logs contain a lot of data, and it is quite difficult to find the event you need. When a user remotely connects to the remote desktop of an RDS (RDP) host, a whole series of events appears in the Windows Event Viewer. There are several different logs where you can find information about Remote Desktop connections. We'll look at the logs and events for the main stages of an RDP connection that may be of interest to the administrator:
- Network Connection;
- Authentication;
- Logon;
- Session Disconnect/Reconnect;
- Logoff.
Network Connection is the establishment of a network connection to a server from a user's RDP client. It is the event with the EventID 1149 (Remote Desktop Services: User authentication succeeded). If this event is found, it doesn't mean that user authentication has been successful. This log is located in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational”. Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 1149).
Then you will get an event list with the history of all RDP connections to this server. As you can see, the logs show a username, a domain (in this case Network Level Authentication is used; if it is not, the event text looks different) and the IP address of the computer from which the RDP connection was initiated.
Authentication shows whether an RDP user has been successfully authenticated on the server or not. The log is located in “Windows -> Security”. So you may be interested in the events with the EventID 4624 (An account was successfully logged on) or 4625 (An account failed to log on). Please pay attention to the LogonType value in the event description. If the Remote Desktop service has been used to create a new session during logon, LogonType = 10. If the LogonType = 7, it means that a user has reconnected to an existing RDP session.
At the same time, you can find the user name in the event description in the Account Name field, the computer name in Workstation Name, and the IP address in Source Network Address.
Please note the value of the TargetLogonID field. It is a unique ID of a user's RDP session that helps to track further activity of the user. However, if an RDP session is disconnected and a user reconnects to it, they will be assigned a new TargetLogonID (though the RDP session is still the same).
You can get the list of events related to successful RDP authentication (EventID 4624) using this PowerShell command:
# keep only successful logons with LogonType 10 (a new RDP session), see the LogonType values above
Get-EventLog Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) | ?{ $_.EventID -eq 4624 -and $_.Message -match 'Logon Type:\s+10\s' } | Out-GridView
Logon refers to an RDP logon to the system, an event that appears after a user has been successfully authenticated. It is an event with the EventID 21 (Remote Desktop Services: Session logon succeeded). These events are located in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”. As you can see, here you can find the ID of a user's RDP session: Session ID.
The event with the EventID 21 (Remote Desktop Services: Shell start notification received) means that the Explorer shell has been successfully started (the desktop appears in the user's RDP session).
Session Disconnect/Reconnect: session disconnection / reconnection events have different IDs depending on what caused the user disconnection (disconnection due to inactivity, the Disconnect option chosen by the user in the session, RDP session ended by another user or an administrator, etc.). You can find these events in the logs located in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”. Let's consider the most interesting RDP events:
- EventID 24 (Remote Desktop Services: Session has been disconnected): a user has disconnected from the RDP session;
- EventID 25 (Remote Desktop Services: Session reconnection succeeded): a user has reconnected to the existing RDP session on the server;
- EventID 39 (Session has been disconnected by session): a user has disconnected from an RDP session by selecting the corresponding menu option (instead of just closing the RDP client window). If the session IDs are different, the user has been disconnected by another user (or an administrator);
- EventID 40 (Session has been disconnected, reason code). Here you have to view the disconnection reason code in the event description. For example:
  - reason code 0 (No additional information is available) usually means that a user has just closed the RDP client window;
  - reason code 5 (The client's connection was replaced by another connection) means that a user has reconnected to the previous RDP session;
  - reason code 11 (User activity has initiated the disconnect) means that a user has clicked the Disconnect button in the Start menu.
The event with the EventID 4778 in the “Windows -> Security” log (A session was reconnected to a Window Station): a user has reconnected to an RDP session (the user is assigned a new LogonID).
The event with the EventID 4799 in the “Windows -> Security” log (A session was disconnected from a Window Station): a user has been disconnected from an RDP session.
Logoff refers to the user logoff from the system. It is logged as the event with the EventID 23 (Remote Desktop Services: Session logoff succeeded) in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”.
At the same time the event with the EventID 4634 (An account was logged off) appears in the Security log.
The event with the EventID 9009 (The Desktop Window Manager has exited with code ) in the System log means that a user has initiated logoff from the RDP session, and both the window and the graphic shell of the user have been terminated.
Here is a short PowerShell script that lists the history of all RDP connections for the current day from the terminal RDS server logs. The resulting table shows the connection time, the client's IP address and the remote user name (if necessary, you can include other LogonTypes in the report).
# successful logons (4624) of LogonType 10 since midnight; the fields are extracted from the event message text
Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) | ?{ $_.EventID -eq 4624 -and $_.Message -match 'Logon Type:\s+10\s' } | %{
  [PSCustomObject]@{ TimeGenerated = $_.TimeGenerated; ClientIP = $_.Message -replace '(?smi).*Source Network Address:\s+(\S+)\s.*','$1'; UserName = $_.Message -replace '(?smi).*\s\sAccount Name:\s+(\S+)\s.*','$1'; UserDomain = $_.Message -replace '(?smi).*\s\sAccount Domain:\s+(\S+)\s.*','$1' }
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username'; E={ '{0}\{1}' -f $_.UserDomain, $_.UserName }}
Sometimes it may be more convenient to view and analyze RDP logs in an Excel table, so you can export any Windows events into a text file and import it into Excel. You can export the log from the Event Viewer GUI (provided that ), or from the command prompt:
WEVTUtil query-events Security > c:\ps\rdp_security_log.txt
Or like this:
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Export-Csv c:\ps\rdp_connection_log.txt -Encoding UTF8
You can display the list of current remote sessions on your RDS server using this command:
The command returns the session ID (ID), the name of the user (USERNAME) and the session state (Active/Disconnect). It is convenient to use this command when you need to get the ID of a user's RDP session.
You can display the list of running processes in a specific RDP session (the session ID is specified):
Logs on the RDP client side are not very informative, but you can check the RDP connection history kept in the user's registry.