Is there a log file for RDP connections (with system-name)
Well, here it goes... (this is not going to be easy ;)
First enable auditing in secpol.msc.
I found this is needed because the other events triggered too early to get the hostname.
- Click Start and type secpol.msc then hit enter.
- The Local Security Policy window will be displayed - now navigate to Local Policy > Audit Policy and right click the Audit account logon events policy option and choose Properties.
- Now check the Success box (failed attempts will not be logged this way)
- Exit from secpol.msc

Now create a VBScript file (for example called c:\temp\log.vbs):
(also edit the location of the desired logfile, here c:\temp\rdp.log)
' Returns the numeric session id of the current user by parsing the output of
' "query session <username>" (the id sits between the user name and the "Active" column)
Function sessionNumber
    Dim oShell, oExec, sOutput, iUserPos, iUserLen, iStatePos
    Set oShell = CreateObject("WScript.Shell")
    Set oExec = oShell.Exec("query session %username%")
    sOutput = LCase(oExec.StdOut.ReadAll)
    iUserPos = InStr(sOutput, LCase(oShell.ExpandEnvironmentStrings("%username%")))
    iStatePos = InStr(sOutput, "active")
    iUserLen = Len(oShell.ExpandEnvironmentStrings("%username%"))
    sessionNumber = CInt(Trim(Mid(sOutput, iUserPos + iUserLen, iStatePos - iUserPos - iUserLen)))
End Function

' Reads the CLIENTNAME value that Windows sets for that session under
' HKCU\Volatile Environment\<session id>; returns "unknown" if the value is missing
Function clientName
    Dim oShell
    Set oShell = CreateObject("WScript.Shell")
    On Error Resume Next
    clientName = LCase(oShell.RegRead("HKCU\Volatile Environment\" & sessionNumber & "\CLIENTNAME"))
    If Err.Number <> 0 Then
        clientName = "unknown"
    End If
End Function

' Append "<timestamp> ; <client hostname>" to the log file
outFile = "c:\temp\rdp.log"
Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(outFile, ForAppending, True)
objFile.Write Now() & " ; " & clientName & vbCrLf
objFile.Close
Now for the last part create a scheduled task for starting this script.
- Click Start and type taskschd.msc then hit enter.
- Choose Create Task in the right pane
- Name it Logon RDP or something
- In the Trigger tab choose New and choose "Begin the task" On an event
- In "Log" choose Security and in "Event ID" type 4624
- Hit Ok
- In the Action tab choose New and choose "Start a program"
- In Program type cscript.exe and in Add argument type c:\temp\log.vbs
- Hit Ok twice

Now when someone logs in via RDP, their hostname is logged in c:\temp\rdp.log.
Note that also local logins will be logged (I haven't tested that yet because I'm on a remote :) but I guess that's not a problem.
You could of course adapt the log.vbs to include username, remote IP... etc.
(pfew, Windows XP was a lot easier. That one just logs the hostname in the event.)
Maybe someone can come up with an easier solution :)

Edit:
I also found that in the security event log there are Event IDs 4624. Look for the ones with Logon Type: 3. It should contain the Workstation Name of the machine who logged in via RDP.
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: User-PC\User
Account Name: User
Account Domain: User-PC
Logon ID: 0xcd5c10
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: XPS8500
Source Network Address: -
Source Port: -
Edit #2
This is from a completely clean Windows 7 install.
(Main machine is Test-pc and machine with which I logged on is XPS8500):
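As an added example (not from the original answer or its author), the same information can be pulled straight out of the Security log with PowerShell instead of a scheduled task. It filters 4624 events by logon type (3 = Network, which the answer above points at on Windows 7; 10 = RemoteInteractive, Microsoft's documented type for RDP sessions), unpacks the named EventData fields and writes the client Workstation Name next to user and source IP. Assumptions: it runs in an elevated PowerShell on the machine being logged into (reading the Security log needs admin rights), the "Logon" audit subcategory is enabled, and the output path C:\temp\rdp-logons.csv is a placeholder you change.

```powershell
# Added example, not the original poster's code. Lists RDP-related 4624 logon events
# from the Security log together with the client's Workstation Name.
# Assumes an elevated shell and that logon auditing ("Audit Success") is on.
param(
    [int]$Hours = 24,                                 # how far back to look
    [int[]]$LogonTypes = @(3, 10),                    # 3 = Network, 10 = RemoteInteractive (RDP)
    [string]$OutFile = "C:\temp\rdp-logons.csv"       # assumed path, change to taste
)

# 1. Confirm that logon auditing is actually enabled; without it there are no 4624 events.
auditpol /get /subcategory:"Logon"

# 2. Build an XPath filter so the event log service does the filtering, not PowerShell.
$ms = $Hours * 3600 * 1000
$typeClause = ($LogonTypes | ForEach-Object { "EventData[Data[@Name='LogonType']='$_']" }) -join ' or '
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and ($typeClause)]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# 3. A 4624 event stores its fields as named <Data> elements; flatten them into one object each.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType
        Workstation = $d.WorkstationName    # the client hostname the question asks for
        SourceIP    = $d.IpAddress          # often '-' on the type-3 entry, filled on type 10
        LogonProc   = $d.LogonProcessName
    }
}

# 4. Drop machine accounts (names ending in $) and entries without a workstation name,
#    show the rest and append them to a CSV that survives the Security log wrapping around.
$rows |
    Where-Object { $_.User -notlike '*$' -and $_.Workstation -and $_.Workstation -ne '-' } |
    Sort-Object Time |
    Tee-Object -Variable filtered |
    Format-Table -AutoSize

$filtered | Export-Csv -NoTypeInformation -Append -Path $OutFile
```

Run it as `.\Get-RdpLogons.ps1 -Hours 72` (file name assumed) to cover the previous days the comments below complain about losing; because the rows are appended to a CSV, scheduling this script daily keeps a record even when the Security log's maximum size is reached and old events are overwritten.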
user280724, updated on September 18, 2022

Comments
- user280724 almost 2 years: Is there any possible way to know the system name of the system which has taken the system remotely? From the logs we are able to know the username (but these are generic login IDs) and the IP (but we are using DHCP, those are changing day to day).
  In the Event Viewer tree on the left side under Applications and Services Logs -> Windows -> Terminal Services-*, where * is all of the logs there. In the Terminal Service Local Session Manager Operational log we are getting the details of only IP address and username.
  Is there any log where we can find the system name also?
- Rik over 10 years:
- Deesbek over 10 years: I would jump on the DHCP server and check the DHCP log, then match the IPs to computers that way.
- user280724 over 10 years: Sorry I forgot to mention, some of the users are connecting through VPN, so we couldn't rely on DHCP server logs.
- user280724 over 10 years: We are using Windows 7 systems.
- Rik over 10 years: Yeah, like I already stated in my first comment, Windows 7 (unlike Windows XP) doesn't log the hostname from which you logon in the event log (only IP). Even when I tunnel with SSH to my server it shows the IP of that server and not my home computer, so you can't trust the IP either. There is hope though. There is an environment variable set. You could see it in cmd.exe. Do a set CLIENTNAME. That's the hostname of the computer with which you logon. If there is a login script, you could log it yourself like that (or maybe via the task scheduler on a trigger of the event logon via RDP).
- user280724 over 10 years: Is there any other way for the above query? Please help!!!
- Rik over 10 years: Could you check your security event log for every Event ID 4624 and look only at the ones with a Logon Type: 3 in the text? I just discovered that that one also should have the correct Workstation Name:. It's not easy to find them but the information is there.
- user280724 over 10 years: Hello Rik, thanks for your time. As you mentioned, I was searching for Event ID 4624 in the Security event log but couldn't find it. Do we need to start any service or enable something so that from next time the event ID is updated in the security event log? Please suggest.
- Rik over 10 years: @user280724 I just checked a completely clean Windows 7 install and RDP'ed in and it showed several Event IDs 4624 in the Security event log (among them the Logon type 3 with the Workstation Name). How are you searching them? (Don't use the filter at first, it can be iffy if not used right, just browse them.) I added an image at the end of my answer. Do you have entries in your security log? Maybe it's disabled.
- user280724 over 10 years: I am unable to find previous logs like yesterday or even more previous days.
- user280724 over 10 years: Can we set the time span for the logs? If yes, please let me know...
- Rik over 10 years: You can click one event and then Properties on the right. You should see this. What is the maximum log size? Did you have any events with Keywords "Audit Success" in the Security logs?
- user280724 over 10 years: Yes, I see keywords like "Audit Success", those are created every second.
- user280724 over 10 years: I can see the security logs for only the present day only... previous logs have been overwritten by the new logs...
- Rik over 10 years: Every second? Then you have 3 options. 1) Check out why you have so many entries (every second) and disable a few in secpol.msc. 2) Increase the # of KB the log keeps (click on Properties in the right pane and set a new number). You can also choose "Archive the old" but I'm not sure where they end up. 3) Use my method of logging the Event ID 4624 to a separate file (which won't be deleted). You can skip the first step of activating Auditing because it is already on.