Is there a log file for RDP connections (with system-name)

32,269

Well, here it goes... (this is not going to be easy ;)

First enable auditing in secpol.msc.
I found this is needed because the other events triggered too early to get the hostname.

  • Click Start and type secpol.msc then hit enter.
    the Local Security Policy window will be displayed
  • now navigate to Local Policy > Audit Policy
    and right click the Audit account logon events policy option and choose Properties.
  • Now check the Success box (failed attempts will not be logged this way)
  • Exit from secpol.msc

Now create a VBScript-file (for example called c:\temp\log.vbs):
(also edit the location of the desired logfile, here c:\temp\rdp.log)

Option Explicit

' Session ID of the user this script runs as, parsed from "query session <user>".
' The header line is skipped and the match is anchored on the username column,
' so a username such as "User" is not found inside the "USERNAME" header
' (a plain InStr search does that and the following CInt then fails).
Function sessionNumber
 Dim oShell, oExec, sUser, aLines, i, oRE, oMatches
 Set oShell = CreateObject("WScript.Shell")
 sUser = LCase(oShell.ExpandEnvironmentStrings("%username%"))
 Set oExec = oShell.Exec("query session " & sUser)
 aLines = Split(LCase(oExec.StdOut.ReadAll), vbCrLf)
 Set oRE = New RegExp
 ' ">" marks the current session; columns are SESSIONNAME, USERNAME, ID, STATE
 oRE.Pattern = "^\s*>?\S+\s+" & sUser & "\s+(\d+)\s+active"
 sessionNumber = -1
 For i = 1 To UBound(aLines)
  Set oMatches = oRE.Execute(aLines(i))
  If oMatches.Count > 0 Then
   sessionNumber = CInt(oMatches(0).SubMatches(0))
   Exit For
  End If
 Next
End Function

' Hostname the RDP client sent (CLIENTNAME), stored per session under HKCU.
Function clientName
 Dim oShell
 Set oShell = CreateObject("WScript.Shell")
 On Error Resume Next
 clientName = LCase(oShell.RegRead("HKCU\Volatile Environment\" & sessionNumber & "\CLIENTNAME"))
 If Err.Number <> 0 Then
  clientName = "unknown"   ' no active session found or key missing (e.g. console logon)
 End If
End Function

Dim outFile, objFSO, objFile
outFile = "c:\temp\rdp.log"

Const ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(outFile, ForAppending, True)
objFile.Write Now() & " ; " & clientName & vbCrLf
objFile.Close

Now for the last part create a scheduled task for starting this script.

  • Click Start and type taskschd.msc then hit enter.
  • Choose Create Task in the right pane
  • Name it Logon RDP or something
  • In the Trigger-tab choose New and choose "Begin the task" On an event
  • In "Log" choose Security and in "Event ID" type 4624
  • Hit Ok
  • In the Action-tab choose New and choose "Start a program"
  • In Program type cscript.exe and in Add argument type c:\temp\log.vbs
  • Hit Ok twice

Now when someone logs in via RDP, their hostname is logged in c:\temp\rdp.log

Note that local logins will also be logged (I haven't tested that yet because I'm on a remote session :)
but I guess that's not a problem.

You could of course adapt the log.vbs to include username, remote ip... etc.

(Phew, Windows XP was a lot easier. That one just logs the hostname in the event.)
Maybe someone can come up with an easier solution :)




Edit:

I also found that in the security event log there are Event IDs 4624. Look for the ones with Logon Type: 3. It should contain the Workstation Name of the machine that logged in via RDP.

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        User-PC\User
    Account Name:       User
    Account Domain:     User-PC
    Logon ID:       0xcd5c10
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   XPS8500
    Source Network Address: -
    Source Port:        -

Edit #2

This is from a completely clean Windows 7 install.
(Main machine is Test-pc and machine with which i logged on is XPS8500):

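The edit above points at the 4624 events with Logon Type 3 as the place where the client's Workstation Name survives. As an added example (not part of the original answer and not Rik's script), the Python below parses 4624 message text in the layout quoted above and joins each RemoteInteractive (type 10) logon to the type-3 logon for the same account that shortly precedes it. The sample events are constructed (hostnames, IPs, Logon IDs and times are made up, the `===` separator is this example's own convention, and Subject sections are left out), and the pairing rule is this example's assumption about how an NLA-protected RDP logon appears: a type-3 network logon carrying the client hostname, followed by the type-10 session logon carrying the source address.

```python
"""Extract the RDP client hostname from Security 4624 event text.

Added example for this page: not Rik's script and not a Windows API. Input is
4624 message text in the layout quoted in the answer, one event per block,
blocks separated by a line containing only '===' (this example's convention).
"""
import re
from datetime import datetime, timedelta

# Constructed sample: hostnames, IPs and times are made up.
# 1) NLA network logon (type 3) carrying the client's name;
# 2) the RDP session itself (type 10) carrying the source address;
# 3) an unrelated service logon (type 5) that must be ignored.
SAMPLE_EVENTS = """\
Logged: 2013-03-01 10:15:02
An account was successfully logged on.

Logon Type:         3

New Logon:
    Account Name:       User

Network Information:
    Workstation Name:   XPS8500
    Source Network Address: -
===
Logged: 2013-03-01 10:15:03

Logon Type:         10

New Logon:
    Account Name:       User

Network Information:
    Workstation Name:   TEST-PC
    Source Network Address: 192.0.2.25
===
Logged: 2013-03-01 10:20:00

Logon Type:         5

New Logon:
    Account Name:       SYSTEM

Network Information:
    Workstation Name:   -
    Source Network Address: -
"""

FIELD = {
    "time":        re.compile(r"^Logged:\s*(.+?)\s*$", re.M),
    "logon_type":  re.compile(r"^Logon Type:\s*(\d+)", re.M),
    "workstation": re.compile(r"^\s*Workstation Name:\s*(\S*)", re.M),
    "source_ip":   re.compile(r"^\s*Source Network Address:\s*(\S*)", re.M),
}
# "Account Name" also occurs under Subject in real events; take the New Logon one.
NEW_LOGON_ACCOUNT = re.compile(r"^New Logon:.*?^\s*Account Name:\s*(\S+)", re.M | re.S)

def parse_4624(text):
    """Return the fields this example needs from one 4624 message, or None."""
    ev = {}
    for key, rx in FIELD.items():
        m = rx.search(text)
        ev[key] = m.group(1) if m else ""
    m = NEW_LOGON_ACCOUNT.search(text)
    ev["account"] = m.group(1) if m else ""
    if not (ev["time"] and ev["logon_type"] and ev["account"]):
        return None
    ev["logon_type"] = int(ev["logon_type"])
    ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def parse_events(blob):
    """Split a dump into events and parse each; unparsable blocks are dropped."""
    return [ev for ev in (parse_4624(b) for b in blob.split("\n===\n")) if ev]

def rdp_clients(events, window=timedelta(seconds=30)):
    """One record per RDP session (type 10). Client hostname comes from the
    closest preceding type-3 logon of the same account within `window`
    (assumed NLA step); if there is none, report 'unknown' rather than the
    type-10 event's own Workstation Name, which is not the client's."""
    out = []
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        cands = [e for e in events
                 if e["logon_type"] == 3 and e["account"] == ev["account"]
                 and timedelta(0) <= ev["time"] - e["time"] <= window
                 and e["workstation"] not in ("", "-")]
        cands.sort(key=lambda e: e["time"])
        out.append({"time": ev["time"], "account": ev["account"],
                    "client_host": cands[-1]["workstation"] if cands else "unknown",
                    "client_ip": ev["source_ip"]})
    return out

if __name__ == "__main__":
    for rec in rdp_clients(parse_events(SAMPLE_EVENTS)):
        print(rec["time"], rec["account"], rec["client_host"], rec["client_ip"])
```

Feed it the Message text of 4624 events exported from the Security log, separated with the `===` marker, and it produces one line per RDP session with account, client hostname and source IP. Both CLIENTNAME and Workstation Name are values the connecting client sends and the server does not verify, so treat the hostname as a lead to corroborate (DHCP or VPN logs, as the comments suggest), not as proof of which machine connected; the 30-second window and the type-3/type-10 pairing are this example's own choices.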

Author: user280724

Updated on September 18, 2022

Comments

  • user280724
    user280724 almost 2 years

    Is there any possible way to know the system name of the system which has taken the system remotely? From the logs we are able to know the username (but these are generic login IDs) and the IP (but we are using DHCP, those are changing day to day).

    In the Event Viewer tree on the left side under Applications and Services Logs -> Windows -> Terminal Services-*, where * is all of the logs there. In the Terminal Service Local Session Manager Operational log we are getting the details of only IP address and username.

    Is there any log where we can find the system name also?

    • Rik
      Rik over 10 years
Mmm, I thought with "Auditing" on it would show your source computer's hostname (in Windows XP it does work, like this). But I just tested this with Windows 7 and there, only the "Source Network Address" shows up in the "Security-log" :( What system version is the computer you log in to?
    • Deesbek
      Deesbek over 10 years
      I would jump on the DHCP server and check the DHCP log, then match the IP's to computers that way.
    • user280724
      user280724 over 10 years
      sorry i forgot to mention, some of the users are connecting through VPN. so, couldn't rely on dhcp server logs.
    • user280724
      user280724 over 10 years
      we are using windows 7 systems.
    • Rik
      Rik over 10 years
Yeah, like I already stated in my first comment, Windows 7 (unlike Windows XP) doesn't log the hostname from which you log on in the event log (only the IP). Even when I tunnel with SSH to my server it shows the IP of that server and not my home computer, so you can't trust the IP either. There is hope though. There is an environment variable set. You could see it in cmd.exe. Do a set CLIENTNAME. That's the hostname of the computer with which you log on. If there is a login script, you could log it yourself like that (or maybe via the Task Scheduler on a trigger of the logon-via-RDP event).
  • user280724
    user280724 over 10 years
    is there any other way for the above query. please help..!!!
  • Rik
    Rik over 10 years
    Could you check your security-event log for every Event ID 4624 and look only at the ones with a Logon Type: 3 in the text? I just discovered that that one also should have the correct Workstation Name:. It's not easy to find them but the information is there.
  • user280724
    user280724 over 10 years
Hello Rik, thanks for your time. As you mentioned, I was searching for Event ID 4624 in the Security event log but couldn't find it. Do we need to start any service or enable something so that from next time the event ID is recorded in the Security event log? Please suggest.
  • Rik
    Rik over 10 years
    @user280724 I just checked a completely clean Windows 7 install and RDP'ed in and it showed several Event IDs 4624 in the Security-Event Log. (among them the Logon type 3 with the Workstation Name). How are you searching them? (Don't use the filter at first, it can be iffy if not used right, just browse them). I added an image at the end of my answer. Do you have entries in your security-log? Maybe it's disabled.
  • user280724
    user280724 over 10 years
I am unable to find previous logs, like yesterday's or earlier days'.
  • user280724
    user280724 over 10 years
Can we set the time span for the logs? If yes, please let me know.
  • Rik
    Rik over 10 years
    You can click one event and then Properties on the right. You should see this. What is the maximum log size? Did you have any events with Keywords "Audit Success" in the Security logs?
  • user280724
    user280724 over 10 years
Yes, I see keywords like "Audit Success"; those are created every second.
  • user280724
    user280724 over 10 years
I can see the security logs for the present day only; previous logs have been overwritten by the new logs.
  • Rik
    Rik over 10 years
Every second? Then you have 3 options. 1) Check out why you have so many entries (every second) and disable a few in secpol.msc. 2) Increase the number of KB the log keeps (click on Properties in the right pane and set a new number). You can also choose "Archive the old" but I'm not sure where they end up. 3) Use my method of logging the Event ID 4624 to a separate file (which won't be deleted). You can skip the first step of activating auditing because it is already on.