How to find Remote desktop connection Log in Windows server

Introduction

The Event Viewer is a tool in Windows that displays detailed information about significant events on your computer. Examples of these are programs that don’t start as expected, or automatically downloaded updates. Event Viewer is especially useful for troubleshooting Windows and application errors.

Prerequisites:

  • An active Windows VPS

How to find out who connected to a particular server via RDP.

Using the logs written by the Windows OS, you can obtain information about which IP addresses and users connected to the virtual server, and when they did so.

The instructions below can also be used on desktop versions of Windows.

Let’s consider some of the most common event codes related to RDP sessions.

  • 1149: Indicates a successful user authentication on the server. (Remote Desktop Services: User authentication succeeded)
  • 21: Indicates a successful logon to the system, meaning the user has seen the desktop window. (Remote Desktop Services: Session logon succeeded)
  • 24: Indicates a successful disconnection from RDP. (Remote Desktop Services: Session has been disconnected)
  • 25: Indicates a reconnection to the RDP session. (Remote Desktop Services: Session reconnection succeeded)
  • 23: The user clicked Logoff and logged out of the system. (Remote Desktop Services: Session logoff succeeded)
  • 39: The user manually disconnected from the RDP session (not just closed the RDP window), or was disconnected by another user or administrator.

In this article we will show how to check the RDP connection logs using Windows Event Viewer (eventvwr.msc)

1. Open “Event Viewer”: click the “Start” button, then “Control Panel” > “System and Security” > “Administrative Tools”, and double-click “Event Viewer”.

Or press Windows+R and type eventvwr.

2. Navigate to the Operational logs:

Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager > Operational

3. Find the login event on the right side

4. There are several different logs where you can find information about Remote Desktop connections. We’ll look at the logs and events for the main stages of an RDP connection that may be of interest to the administrator:

  • Network Connection;
  • Authentication;
  • Logon;
  • Session Disconnect/Reconnect;
  • Logoff.

Network Connection is the establishment of a network connection to the server from a user’s RDP client. The relevant events have the EventIDs 1149, 39, 25, 24, 23 and 21 (1149 is Remote Desktop Services: User authentication succeeded).

Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 1149,39,25,24,23,21).

You will then get an event list with the history of all RDP connections to this server. As you can see, the logs provide a username, a domain and the IP address of the computer from which the RDP connection was initiated.

Authentication shows whether an RDP user has been successfully authenticated on the server or not. The log is located in “Windows Logs -> Security”. The events of interest are those with the EventID 4624 (An account was successfully logged on) or 4625 (An account failed to log on). Pay attention to the LogonType value in the event description. If the Remote Desktop service was used to create a new session during logon, LogonType = 10. If LogonType = 7, the user has reconnected to an existing RDP session.

At the same time, you can find a user name in the event description in the Account Name field, a computer name – in Workstation Name, and an IP address – in Source Network Address.
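The same filters can be run from PowerShell instead of the Event Viewer GUI. The script below is an added example, not part of the original article; it assumes a 7-day look-back window and the XML field names these events normally carry (User, Address, TargetUserName, TargetDomainName, LogonType, IpAddress).

```powershell
# Added example: list RDP session events and RDP-related Security logons.
# Run in an elevated PowerShell session (reading the Security log requires administrator rights).
$since = (Get-Date).AddDays(-7)   # assumed look-back window

$sessionNames = @{
    21 = 'Session logon succeeded'
    23 = 'Session logoff succeeded'
    24 = 'Session has been disconnected'
    25 = 'Session reconnection succeeded'
    39 = 'Session disconnected manually or by another session'
}

# Session lifecycle events from TerminalServices-LocalSessionManager > Operational.
$sessions = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 23, 24, 25, 39
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Event   = $sessionNames[$_.Id]
        User    = $x.User
        Source  = $x.Address      # empty when the event carries no address
    }
}

# Security log: keep only LogonType 10 (new RDP session) and 7 (reconnect to existing session).
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_; $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.LogonType -in '7', '10') {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Event   = if ($evt.Id -eq 4624) { 'Logon succeeded' } else { 'Logon failed' }
            User    = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            Source  = $d.IpAddress
        }
    }
}

# Combined timeline, then failed logons grouped by source address.
@($sessions) + @($logons) | Sort-Object Time | Format-Table -AutoSize
$logons | Where-Object EventId -eq 4625 | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```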

Summary

We can now review the event log for RDP connections to our VPS server.

These events can be viewed in different sections. For example:

EventId 1149,4624,4625 – filter in Windows Logs -> Security

EventId 25,24,21,39 – filter in Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational

EventId 23 – filter in Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational

Now you can check for yourself who accessed your server via RDP, and when.

That’s all! Enjoy GreenCloudVPS services!
