Tracking the entire history of RDP sessions

Time:09-27

We are trying to get the entire history of RDP servers via PowerShell. I already looked at some examples like Qwinsta, quser, query user; but that is not exactly what I am looking for. I am looking for something I can write in PowerShell to give me the entire history of it, from the day the machine is up.

Example:

Let's say I have a server I created last year. I want to know who the users are that have logged into this server in the last year, which ones are Disc or Active (kind of like query user or qwinsta), and when the last time was that someone connected to this server.

NAME_OF_SERVER

 SESSIONNAME       USERNAME                 ID  STATE        DEVICE        LAST_LOGIN
 services                                    0  Disc                        
 console                                     1  Conn                        
 rdp-tcp#29        user1                     2  Active                      
                   user2                     3  Disc                        

I appreciate any kind of help.

CodePudding user response:

You can find the history by querying the RDP event logs. There are a handful of different events that will denote an RDP logon, but I'm going to use the RemoteConnectionManager log here:

$RDPAuths = Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -FilterXPath @'
<QueryList><Query Id="0"><Select>
  *[System[EventID=1149]]
</Select></Query></QueryList>
'@

# Get specific properties from the event XML
[xml[]]$xml = $RDPAuths | ForEach-Object { $_.ToXml() }
$EventData = foreach ($evt in $xml.Event) {
  # Create a custom object per event ([PSCustomObject] keeps the column order;
  # 'HH' gives a 24-hour clock, 'hh' would drop the AM/PM distinction)
  [PSCustomObject]@{
    TimeCreated = Get-Date ($evt.System.TimeCreated.SystemTime) -Format 'yyyy-MM-dd HH:mm:ss K'
    User   = $evt.UserData.EventXML.Param1   # account name
    Domain = $evt.UserData.EventXML.Param2   # account domain
    Client = $evt.UserData.EventXML.Param3   # source network address
  }
}
$EventData | Format-Table

You could pretty easily sort by user and find the last time they logged in using the output in $EventData:

TimeCreated                User   Domain   Client      
-----------                ----   ------   ------      
2021-09-23 12:02:03 -04:00 User01 MyDomain 10.10.10.10 
2021-09-23 12:00:42 -04:00 User01 MyDomain 10.10.10.10
2021-09-21 11:39:08 -04:00 User02 MyDomain 10.10.10.20

There's an obvious limitation here: you can only search as far back as your event log goes, so "from the day the machine is up" may not be possible, depending on how your event logs are configured.

Another option here can be to just check C:\users\* for which users have ever logged in.


For checking current sessions, I mostly use quser. If your server is running Terminal Services, you can use the RemoteDesktop module and run commands like Get-RDUserSession.
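The answer says you could sort $EventData by user to find each user's last logon; the following is an added example (mine, not the answerer's code) that does exactly that and joins the result with the STATE column from quser, giving the table shape the question asks for. It assumes records shaped like $EventData above and quser's standard table layout; the function name Get-RdpUserSummary and the sample data are constructed.

```powershell
# Added example, not from the answer above: join the newest 1149 event per user
# (input shaped like $EventData) with the live STATE that quser reports.
function Get-RdpUserSummary {
    param(
        [Parameter(Mandatory)] [object[]] $EventData,   # objects with TimeCreated/User/Domain/Client
        [Parameter(Mandatory)] [string[]] $QuserLines   # raw output lines of: quser 2>$null
    )
    # quser prints a fixed-width table; SESSIONNAME is blank for disconnected
    # sessions and the caller's own session carries a leading '>'.
    $sessions = @{}
    foreach ($line in ($QuserLines | Select-Object -Skip 1)) {
        if ($line -match '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+') {
            $sessions[$Matches.User.ToLower()] = [PSCustomObject]@{
                Session = $Matches['Session']; Id = [int]$Matches.Id; State = $Matches.State
            }
        }
    }
    # The newest event per user supplies LAST_LOGIN and the client it came from.
    $EventData | Sort-Object { [datetimeoffset]$_.TimeCreated } -Descending |
        Group-Object { $_.User.ToLower() } | ForEach-Object {
            $last = $_.Group[0]
            $s    = $sessions[$_.Name]
            [PSCustomObject]@{
                USERNAME    = $last.User
                SESSIONNAME = $(if ($s) { $s.Session } else { '' })
                ID          = $(if ($s) { $s.Id } else { $null })
                STATE       = $(if ($s) { $s.State } else { 'Logged off' })
                LAST_CLIENT = $last.Client
                LAST_LOGIN  = $last.TimeCreated
            }
        }
}

# Constructed sample input mirroring the answer's output; on a real server use
# the $EventData built above and:  $quser = quser 2>$null
$sampleEvents = @(
    [PSCustomObject]@{ TimeCreated = '2021-09-23 12:02:03 -04:00'; User = 'User01'; Domain = 'MyDomain'; Client = '10.10.10.10' }
    [PSCustomObject]@{ TimeCreated = '2021-09-23 12:00:42 -04:00'; User = 'User01'; Domain = 'MyDomain'; Client = '10.10.10.10' }
    [PSCustomObject]@{ TimeCreated = '2021-09-21 11:39:08 -04:00'; User = 'User02'; Domain = 'MyDomain'; Client = '10.10.10.20' }
)
$sampleQuser = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>user01                rdp-tcp#29          2  Active          .  9/23/2021 12:02 PM'
    ' user02                                    3  Disc         1:05  9/21/2021 11:39 AM'
)
Get-RdpUserSummary -EventData $sampleEvents -QuserLines $sampleQuser | Format-Table -AutoSize
```

Users who appear in the event log but not in quser show as "Logged off", which covers the "who has ever connected" part of the question as far back as the log reaches.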
