In this article, we will look at the features of auditing and analyzing RDP connection logs in Windows. The methods described are useful when investigating incidents on Windows terminal / RDS servers, when the system administrator has to answer questions such as: which users logged into the RDS server, when a specific user logged in and ended the session, and from which device (name or IP address) the RDP user connected. This information should be useful both for administrators of corporate RDS farms and for owners of RDP servers on the Internet (Windows VPS turned out to be quite popular).
The article is applicable when examining RDP logs both in Windows Server 2008 R2, 2012 / R2, 2016 and in the corresponding desktop versions of Windows (Windows 7, 8.1, 10).
Like other events, Windows RDP connection logs are stored in event logs. Open the Event Viewer console. There are several different logs in which you can find information regarding RDP connections.
Windows logs contain a lot of information, but it can be difficult to quickly find the event you are looking for. Many events are generated in Windows logs when a user remotely connects to an RDS server or Remote Desktop (RDP). We will look at the logs and events at the main stages of the RDP connection, which may be of interest to the administrator:
- Network connection
- Authentication
- Logon
- Session Disconnect / Reconnect
- Logoff

Network connection: - the network connection from the user's RDP client to the server. Event with EventID - 1149 (Remote Desktop Services: User authentication succeeded). This log is located under Applications and Services Logs -> Microsoft -> Windows -> Terminal-Services-RemoteConnectionManager -> Operational. Despite its name, this event marks the connection stage; an actual successful logon is confirmed by the Security log events described below. Filter the log for EventID 1149.
As a result, you will get a list with the history of all network RDP connections to this server. As you can see, the log indicates the username, domain (when NLA authentication is used; with NLA disabled the event text looks different) and the IP address of the computer from which the RDP connection is made.
Authentication: - successful or unsuccessful user authentication on the server. Log: Windows Logs -> Security. Here we are interested in events with EventID - 4624 (successful authentication - An account was successfully logged on) or 4625 (authentication error - An account failed to log on). Notice the LogonType value in the event. When logging in through the RDP terminal service, LogonType = 10 or 3. If LogonType = 7, the user has reconnected to an existing RDP session.
You can use the authentication failure events to protect against remote password brute-forcing over RDP: such IP addresses can be blocked on the firewall automatically with a simple PowerShell script.
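As an added example (not part of the original article), here is one way to implement that blocking script: it reads 4625 events from the Security log through their XML fields rather than the message text, counts failures per source address, and adds repeat offenders to a blocking Windows Firewall rule. The threshold, rule name, allow-list address and one-hour window are assumptions; run it as an administrator on the RDS host.

```powershell
# Added example: block source addresses with repeated failed RDP logons (Security EventID 4625).
# Assumptions (constructed values): 5 failures in the last hour trigger a block, the rule is named
# 'RDP brute-force block', and 10.0.0.5 stands for a management host that must never be blocked.
$Threshold = 5
$Since     = (Get-Date).AddHours(-1)
$RuleName  = 'RDP brute-force block'
$AllowList = @('10.0.0.5')

function Get-FailedRdpLogons {
  param([datetime]$Since)
  # Read fields from the event XML instead of parsing localized message text.
  # Logon types 10 (RDP) and 3 (NLA) come over the network; '-' as IpAddress means a local source.
  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
      $x = [xml]$_.ToXml(); $d = @{}
      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']
                         IpAddress = $d['IpAddress']; LogonType = $d['LogonType'] }
    } |
    Where-Object { $_.LogonType -in '3','10' -and $_.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$' }
}

function Get-RdpOffenders {
  param([int]$Threshold, [datetime]$Since, [string[]]$AllowList)
  Get-FailedRdpLogons -Since $Since | Group-Object IpAddress |
    Where-Object { $_.Count -ge $Threshold -and $_.Name -notin $AllowList } |
    Select-Object @{N='IpAddress'; E={ $_.Name }}, Count,
                  @{N='Users'; E={ ($_.Group.User | Sort-Object -Unique) -join ',' }}
}

$offenders = @(Get-RdpOffenders -Threshold $Threshold -Since $Since -AllowList $AllowList)
if ($offenders.Count -gt 0) {
  $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
  if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
              -Profile Any -RemoteAddress $offenders[0].IpAddress
  }
  # Merge the new addresses into the rule's existing list; 'Any' is dropped because it would block everyone.
  $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
  $merged  = @($current + $offenders.IpAddress) | Sort-Object -Unique
  $rule | Set-NetFirewallRule -RemoteAddress $merged
  $offenders | Format-Table -AutoSize
}
```

Schedule it with Task Scheduler every few minutes; the rule grows over time, so pair it with a job that clears addresses that have been quiet for a while.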
In this case, the username is contained in the description of the event in the Account Name field, the computer name in Workstation Name, and the client IP address in Source Network Address.
Pay attention to the value of the TargetLogonID field: this is a unique identifier of the user's logon session, with which you can track the further activity of this user. However, when the user disconnects from the RDP session and later reconnects to it, a new TargetLogonID is issued (although the RDP session remains the same).
You can get a list of successful RDP logon events (event 4624) with this PowerShell command:
Code:
Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) | ? { $_.EventID -eq 4624 -and $_.Message -match 'logon type:\s+10\s' } | Out-GridView
Logon: - RDP logon, the event that appears after successful user authentication. Event with EventID - 21 (Remote Desktop Services: Session logon succeeded). This log is located under Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational. Here you can also find the RDP session identifier for the user - Session ID.
An event with EventID - 22 (Remote Desktop Services: Shell start notification received) means the Explorer shell started successfully (a desktop window appeared in the RDP session).
Session Disconnect / Reconnect: - events of disconnecting from / reconnecting to a session have different codes depending on what caused the disconnection (disconnection due to inactivity, selecting the Disconnect item in the session, termination of the RDP session by another user or administrator, etc.). These events are located under Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational. RDP events that may be of interest:
- EventID - 24 (Remote Desktop Services: Session has been disconnected) - the user disconnected from the RDP session.
- EventID - 25 (Remote Desktop Services: Session reconnection succeeded) - the user reconnected to his existing RDP session on the server.
- EventID - 39 (Session <A> has been disconnected by session <B>) - if both session IDs are the same, the user himself disconnected from his RDP session by selecting the appropriate menu item (and not just closing the RDP client window). If the session IDs are different, the user was disconnected by another user (or administrator).
- EventID - 40 (Session <A> has been disconnected, reason code <B>) - here you need to look at the disconnect reason code in the event. For example:
  - reason code 0 (No additional information is available) - usually indicates that the user just closed the RDP client window.
  - reason code 5 (The client's connection was replaced by another connection) - the user reconnected to his old session.
  - reason code 11 (User activity has initiated the disconnect) - the user himself pressed the Disconnect button in the menu.
Also note EventID 4779 (A session was disconnected from a Window Station) in Windows Logs -> Security, which records a disconnect from an RDP session; EventID 4778 (A session was reconnected to a Window Station) is its reconnect counterpart.
Logoff: - user logout from the system. At the same time, an event with EventID 23 (Remote Desktop Services: Session logoff succeeded) is recorded in the Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational log.
In this case, in the Security log, you need to look at the EventID 4634 (An account was logged off) event.
Event 9009 (The Desktop Window Manager has exited with code (<X>)) in the System log indicates that the user initiated the termination of the RDP session, and the user's window and graphical shell were terminated.
Below is a small PowerShell script that dumps the history of all RDP connections for the current day from the logs of the terminal RDS server. The resulting table shows the connection time, client IP address and RDP username (if necessary, you can include other logon types in the report).
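To see the logon, shell start, disconnect, reconnect and logoff stages described above as one per-session timeline, here is an added example (not from the original article) that reads events 21, 22, 23, 24, 25, 39 and 40 from the TerminalServices-LocalSessionManager/Operational log and pulls the user, session ID and client address from each event's XML. The EventXML element names User, SessionID and Address (events 21-25), Session and Reason (event 40) and TargetSession and Source (event 39) are assumed from the events' templates; fields an event does not carry simply stay empty.

```powershell
# Added example: build a per-session timeline from the LocalSessionManager/Operational log.
# Assumed EventXML element names: User, SessionID, Address (21-25); Session, Reason (40);
# TargetSession, Source (39). Missing fields stay empty rather than failing.
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Stage = @{ 21 = 'Logon'; 22 = 'Shell start'; 23 = 'Logoff'; 24 = 'Disconnect'
            25 = 'Reconnect'; 39 = 'Disconnected by session'; 40 = 'Disconnected, reason code' }
# Reason codes for event 40 that the article lists
$Reason = @{ 0 = 'client window closed (no additional information)'
             5 = 'replaced by another connection (reconnect)'
             11 = 'user pressed Disconnect' }

function Get-RdpSessionTimeline {
  param([datetime]$Since = (Get-Date).Date)   # default: since midnight today
  Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 21,22,23,24,25,39,40; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
      $x = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $x.Event.UserData.EventXML.ChildNodes) { $d[$n.LocalName] = $n.InnerText }
      # The session id lives under a different element name depending on the event
      $sid = foreach ($k in 'SessionID','Session','TargetSession') { if ($d.ContainsKey($k)) { [int]$d[$k]; break } }
      $detail = switch ($_.Id) {
        39 { "by session $($d['Source'])" }
        40 { $code = [int]$d['Reason']; if ($Reason.ContainsKey($code)) { "$code - $($Reason[$code])" } else { "$code" } }
        default { '' }
      }
      [pscustomobject]@{
        Time = $_.TimeCreated; EventId = $_.Id; Stage = $Stage[$_.Id]
        SessionID = $sid; User = $d['User']; ClientAddress = $d['Address']; Detail = $detail
      }
    }
}

# Session IDs are reused after logoff, so order by id and then by time to read each session top to bottom
Get-RdpSessionTimeline | Sort-Object SessionID, Time | Format-Table -AutoSize
```

Pass -Since to Get-RdpSessionTimeline to widen the window when investigating an older incident.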
Code:
# 4624 = successful logon (only LogonType 10 = RDP is kept); 4778 = session reconnected to a Window Station.
# 4778 carries no "Logon Type:" line and names the client under "Client Address:", so both cases are handled below.
Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) |
  ? { ($_.EventID -eq 4624 -and $_.Message -match 'logon type:\s+10\s') -or $_.EventID -eq 4778 } |
  % {
    New-Object -TypeName PSObject -Property @{
      TimeGenerated = $_.TimeGenerated
      ClientIP   = $_.Message -replace '(?smi).*(?:Source Network|Client) Address:\s+([^\s]+)\s+.*','$1'
      UserName   = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'
      UserDomain = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'
      LogonType  = if ($_.EventID -eq 4778) { 'Reconnect' } else { $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1' }
    }
  } |
  Sort-Object TimeGenerated -Descending |
  Select-Object TimeGenerated, ClientIP,
    @{N='Username'; E={ '{0}\{1}' -f $_.UserDomain, $_.UserName }},
    @{N='LogType';  E={
      switch ($_.LogonType) {
        2  {'Interactive - local logon'}
        3  {'Network (connection to shared folder)'}
        4  {'Batch'}
        5  {'Service'}
        7  {'Unlock (after screensaver)'}
        8  {'NetworkCleartext'}
        9  {'NewCredentials (local impersonation process under existing connection)'}
        10 {'RDP'}
        11 {'CachedInteractive'}
        'Reconnect' {'RDP session reconnected (4778)'}
        default {"LogType Not Recognised: $($_.LogonType)"}
      }
    }}
Sometimes it is convenient to work with the logs in an Excel spreadsheet; in this case you can export any Windows log to a text file and import it into Excel. The log can be exported from the Event Viewer console (provided, of course, that the logs have not been cleared) or from the command line:
Code:
WEVTUtil query-events Security > c:\ps\security_log.txt
Or like this:
Code:
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Export-Csv c:\ps\rdp-log.txt -Encoding UTF8 -NoTypeInformation
The list of current RDP sessions on the server can be displayed with the command:
Code:
Qwinsta
The command returns the session identifier (ID), username (USERNAME) and state (Active / Disc). It is useful when you need to find a user's RDP session ID, for example for a shadow connection.
List of running processes in a specific RDP session (the session ID is indicated):
Code:
qprocess /id:157
On the RDP client side the logs are much less informative; what is most often used there is the history of RDP connections stored in the registry.