How to find Remote desktop connection Log in Windows server
The Event Viewer is a tool in Windows that displays detailed information about significant events on your computer. Examples of these are programs that don’t start as expected, or automatically downloaded updates. Event Viewer is especially useful for troubleshooting Windows and application errors.
- an active Windows VPS
In this article we will show how to check the RDP connection logs using Windows Event Viewer (
1. Open “Event Viewer” by clicking the “Start” button. Click “Control Panel” > “System and Security” > “Administrative Tools”, and then double-click “Event Viewer
Or you can press Windows+R -> Eventvwr
2. Navigate to the Operational logs:
Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager > Operational
3. Find the login event on the right side
4. There are several different logs where you can find the information about Remote Desktop connections. We’ll look at the logs and events on the main stages of an RDP connection that may be of interest to the administrator:
- Network Connection;
- Session Disconnect/Reconnect;
Network Connection is the establishment of a network connection to a server from a user RDP client. It is the event with the EventID 1149 (
Remote Desktop Services: User authentication succeeded).
Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 1149).
Filter Current Log -> EventId 1149
Then you will get an event list with the history of all RDP connections to this server. As you can see, the logs provide a username, a domain and the IP address of the computer, from which the RDP connection has been initiated.
Authentication shows whether an RDP user has been successfully authenticated on the server or not. The log is located in “Windows -> Security”. So you may be interested in the events with the EventID 4624 (
An account was successfully logged on) or 4625 (
An account failed to log on). Please, pay attention to the LogonType value in the event description. If the Remote Desktop service has been use to create new session during log on, LogonType = 10. If the LogonType = 7, it means that a user has reconnected to the existing RDP session.
At the same time, you can find a user name in the event description in the Account Name field, a computer name – in Workstation Name, and an IP address – in Source Network Address.
Logon refers to an RDP logon to the system, an event that appears after a user has been successfully authenticated. It is an event with the EventID 21 (
Remote Desktop Services: Session logon succeeded). This events are located in the “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”.
Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 21).
The event with the EventID – 21 (
Remote Desktop Services: Shell start notification received) means that the Explorer shell has been successfully started (the desktop appears in the user’s RDP session).
Session Disconnect/Reconnect – session disconnection / reconnection events have different IDs depending on what caused user disconnection (disconnection to inactivity, Disconnect option has been selected by the user in the session, RDP session ended by another user or an administrator, etc.). You can find these events in the logs located in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”
EventID – 24 (
Remote Desktop Services: Session has been disconnected) – a user has disconnected from the RDP session;
EventID – 25 (
Remote Desktop Services: Session reconnection succeeded) – a user has reconnected to the existing RDP session on the server;
Logoff refers to the user logoff from the system. It is logged as the event with the EventID 23 (
Remote Desktop Services: Session logoff succeeded) in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”.