{"id":2279,"date":"2022-08-04T18:36:34","date_gmt":"2022-08-04T16:36:34","guid":{"rendered":"https:\/\/itsimple.info\/?p=2279"},"modified":"2022-08-04T18:40:52","modified_gmt":"2022-08-04T16:40:52","slug":"remote-desktop-service-or-rdp-access-log","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=2279","title":{"rendered":"Remote Desktop Service Or RDP access LOG"},"content":{"rendered":"\n

The way to see how was connected to windows server through RDP is the EventLog at this location:<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n
\n
\"\"<\/figure>\n<\/figure>\n\n\n\n

Getting Remote Desktop Login History with PowerShell<\/h2>\n\n\n\n

Here is a short PowerShell script that lists the history of all RDP connections for the current day from the terminal RDS server event logs. The resulting table shows the connection time, the client\u2019s IP address (DNS computername), and the remote user name (if necessary, you can include other LogonTypes in the report).<\/p>\n\n\n\n

Get-EventLog -LogName Security -after (Get-date -hour 0 -minute 0 -second 0)| ?{(4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\\s+(10)\\s'}| %{
(new-object -Type PSObject -Property @{
TimeGenerated = $_.TimeGenerated
ClientIP = $_.Message -replace '(?smi).*Source Network Address:\\s+([^\\s]+)\\s+.*','$1'
UserName = $_.Message -replace '(?smi).*\\s\\sAccount Name:\\s+([^\\s]+)\\s+.*','$1'
UserDomain = $_.Message -replace '(?smi).*\\s\\sAccount Domain:\\s+([^\\s]+)\\s+.*','$1'
LogonType = $_.Message -replace '(?smi).*Logon Type:\\s+([^\\s]+)\\s+.*','$1'
})
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username';E={'{0}\\{1}' -f $_.UserDomain,$_.UserName}} `
, @{N='LogType';E={
switch ($_.LogonType) {
2 {'Interactive - local logon'}
3 {'Network connection to shared folder)'}
4 {'Batch'}
5 {'Service'}
7 {'Unlock (after screensaver)'}
8 {'NetworkCleartext'}
9 {'NewCredentials (local impersonation process under existing connection)'}
10 {'RDP'}
11 {'CachedInteractive'}
default {\"LogType Not Recognised: $($_.LogonType)\"}
}
}}<\/code><\/p>\n\n\n\n

\"powershell:<\/figure>\n\n\n\n

Good Luck<\/p><\/blockquote><\/figure>\n","protected":false},"excerpt":{"rendered":"

The way to see how was connected to windows server through RDP is the EventLog at this location: Getting Remote Desktop Login History with PowerShell Here is a short PowerShell script that lists the history of all RDP connections for the current day from the terminal RDS server event logs. The resulting table shows the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,12,14,15],"tags":[],"class_list":["post-2279","post","type-post","status-publish","format-standard","hentry","category-operating-systems","category-tutorials","category-windows","category-windows-server"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2279"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2279\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}