A PowerShell module that searches Windows RDP Logon events for a specified user, on a specified system, for a specified timeframe.
Run as Administrator
- Audit Logon Success and Failure must be enabled in Group Policy for Security-Auditing 4624 Events
- LocalSessionManager Events require no pre-requisites
The categories below describe which Events within which Providers are searched:

=======================================================================
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
=======================================================================
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Event ID: 21
Event Type: Logon
Log Size: 1028KB (~14 days of events for a terminal server)
Description:
  Remote Desktop Services: Session logon succeeded:
  User: GLOBALDYNAMICS\jcarter
  Session ID: 46
  Source Network Address: 192.168.0.123
-----------------------------------------------------------------------

=======================================================================
Microsoft-Windows-Security-Auditing
=======================================================================
*WARNING: Searching 4624 events can take a while, especially if querying multiple days*
Provider Name: Microsoft-Windows-Security-Auditing
Event ID: 4624
Event Type: Type 7 (Reconnection) & 10 (Remote Interactive)
Log Size: 20480KB (~6 days of events for a terminal server)
Description:
  An account was successfully logged on.
  Subject:
    Security ID: SYSTEM
    Account Name: SARAH$
    Account Domain: GLOBALDYNAMICS
    Logon ID: 0x6A9
  Logon Type: 10
  Impersonation Level: Impersonation
  New Logon:
    Security ID: GLOBALDYNAMICS\jcarter
    Account Name: jcarter
    Account Domain: GLOBALDYNAMICS
    Logon ID: 0x3G7C926C1
    Logon GUID: {123a45c7-8901-d2e3-4cdb-d2e3af58d2e3}
  Process Information:
    Process ID: 0x652c
    Process Name: C:\Windows\System32\winlogon.exe
  Network Information:
    Workstation Name: SARAH
    Source Network Address: 192.168.0.123
    Source Port: 0
-----------------------------------------------------------------------

=======================================================================
Microsoft-Windows-Security-Auditing
=======================================================================
Provider Name: Microsoft-Windows-Security-Auditing
Event ID: 4801
Event Type: Windows Unlock
Log Size: 20480KB (~6 days of events for a terminal server)
Description:
  The workstation was unlocked.
  Subject:
    Security ID: GLOBALDYNAMICS\jcarter
    Account Name: jcarter
    Account Domain: GLOBALDYNAMICS
    Logon ID: 0x3AC282179
    Session ID: 22
-----------------------------------------------------------------------

BOLD = Mandatory
User - This is the user you want to search logon events for.
Server - This is the system (workstation or server) that you want to search.
Days - This is the number of days prior to today you want to search.
Max - This is the maximum number of events you want to search through.
PS C:\> . .\Get-UserRDPLogon.ps1
PS C:\> Get-UserRDPLogon -User jcarter -Server sarah -Days 5

Thank you to Jonathon Poling for his extremely detailed write-up on Windows RDP-Related Event Logs. His blog post provided very insightful information that made it much easier to pick out the specific events I was looking for.
https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
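An added example, not the module's own source, showing how the three event sources described above (21, 4624 with logon types 7/10, 4801) can be pulled with Get-WinEvent and normalised into one object shape; the function name Find-RdpLogonEvents and its field mapping are this example's own, and the computer and user names are the README's sample values.

```powershell
# Added example (not the module's code). Mirrors the User/Server/Days/Max
# parameters described above and returns one object per matching event.
function Find-RdpLogonEvents {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Server = $env:COMPUTERNAME,
        [int]$Days = 1,
        [int]$Max = 1000
    )
    $start = (Get-Date).AddDays(-$Days)

    # Event 21 lives in the LocalSessionManager log (no audit policy needed);
    # 4624 and 4801 come from Security and require the logon audit policy.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21; StartTime = $start },
        @{ LogName = 'Security'; Id = 4624, 4801; StartTime = $start }
    )

    foreach ($f in $filters) {
        $events = Get-WinEvent -ComputerName $Server -FilterHashtable $f -MaxEvents $Max -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Read fields by name, not by positional index: Security events use
            # EventData/Data[@Name]; event 21 stores its fields under UserData/EventXML.
            $x = [xml]$e.ToXml(); $data = @{}
            if ($x.Event.EventData) {
                foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
            } elseif ($x.Event.UserData) {
                foreach ($n in $x.Event.UserData.EventXML.ChildNodes) { $data[$n.LocalName] = $n.InnerText }
            }

            switch ($e.Id) {
                21   { $acct = $data['User'];           $type = 'RDP session logon';  $src = $data['Address'] }
                4624 { $acct = $data['TargetUserName']; $type = "Logon type $($data['LogonType'])"; $src = $data['IpAddress'] }
                4801 { $acct = $data['TargetUserName']; $type = 'Workstation unlock'; $src = $null }
            }
            # Only reconnection (7) and RemoteInteractive (10) 4624s are RDP-relevant.
            if ($e.Id -eq 4624 -and $data['LogonType'] -notin '7', '10') { continue }
            # Match the account name with or without a DOMAIN\ prefix (case-insensitive).
            if (($acct -split '\\')[-1] -ne $User) { continue }

            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                EventId       = $e.Id
                Type          = $type
                Account       = $acct
                SourceAddress = $src
            }
        }
    }
}

# Same call shape as the module: Find-RdpLogonEvents -User jcarter -Server sarah -Days 5
```

Run it elevated, as the README says, since reading the Security log requires administrative rights; pipe the output to Sort-Object TimeCreated to build a timeline of the user's sessions.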