Tutorial: How to Check RDP Windows Server Connection Logs

This post introduces the ways to check RDP Windows Server connection logs. If you want to know the incoming and outgoing RDP connections on your Windows Server, keep reading!


By Ellie / Updated on December 28, 2022


Is there a log file for RDP connections?

Is a log file kept for RDP connections? Yes. Information about these events is saved when a user connects to a Remote Desktop host, so you can monitor both incoming and outgoing RDP connections. You just need to know where to find it.

How to check RDP Windows Server connection logs

Three ways are listed here to help you check incoming and outgoing RDP Windows Server connection logs. These methods apply when analyzing RDP logs on both Windows Server 2022/2019/2016/2012 R2 and desktop editions (Windows 11, 10, 8.1, 8, and 7).

Part 1. How to check incoming RDP Windows Server connection logs

There are three ways to help you check incoming RDP Windows Server connection logs.

Way 1. Check incoming RDP connection logs via Event Viewer

The first way to check incoming RDP connection logs on Windows Server is using the Event Viewer.

Step 1. Press Win + R to invoke the Run dialog box, then type in “eventvwr.msc” and press OK to open Event Viewer.


Step 2. Navigate here: Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational. Right-click Operational and choose Filter Current Log.


Step 3. The Event ID of Remote Desktop Services is 1149. Enter 1149 to filter the log.


Step 4. Then you will get an event list with the history of all RDP connections to this server.


Step 5. Click one of them, then you can see the details of the RDP connection, including IP address, computer name, login time, etc.
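The same Event ID 1149 records can be pulled and summarized from PowerShell instead of clicking through each event. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample event is constructed, with the user, domain and source address read from the Param1, Param2 and Param3 fields of the event XML.

```powershell
# Added example: parse Event ID 1149 from the
# TerminalServices-RemoteConnectionManager/Operational log.
function ConvertFrom-Rdp1149Xml {
    param([Parameter(Mandatory)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    [pscustomobject]@{
        TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
        User        = $e.UserData.EventXML.Param1
        Domain      = $e.UserData.EventXML.Param2
        SourceIP    = $e.UserData.EventXML.Param3
    }
}

# Read live events from the local log; returns nothing if none exist.
function Get-Rdp1149 {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id      = 1149
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Rdp1149Xml $_.ToXml() }
}

# Constructed sample event (documentation address range), for an offline check.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1149</EventID>
    <TimeCreated SystemTime="2022-12-28T09:15:02.000Z" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <Param1>jdoe</Param1>
      <Param2>EXAMPLE</Param2>
      <Param3>203.0.113.25</Param3>
    </EventXML>
  </UserData>
</Event>
'@
ConvertFrom-Rdp1149Xml $sample

# Live log: which source address connected as which user, and how often.
Get-Rdp1149 | Group-Object SourceIP, User |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Source addresses that do not belong to your jump hosts or VPN ranges are the rows to review first.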


Way 2. Check incoming RDP connection logs via Registry

You can also check the incoming RDP connection logs in the Registry.

Step 1. Press Win + R to invoke the Run dialog box, then type in “regedit” and press OK to open Registry Editor.


Step 2. Navigate here: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Terminal Server Client. Expand the Default key. It stores the history of the last 10 RDP connections.


Step 3. You can also expand the Servers key. It contains the list of all RDP servers and the usernames previously used to log in. If you want to clear the RDP connection history, you can right-click the key and delete it.
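The Default and Servers keys from Steps 2 and 3 can also be read from PowerShell. This is an added example, not part of the original tutorial, and the function name is hypothetical; it goes beyond HKEY_CURRENT_USER by walking every user hive currently loaded under HKEY_USERS. The Terminal Server Client key is written by the Remote Desktop client under each user's profile, so each entry is a host that user connected to from this machine.

```powershell
# Added example: list Remote Desktop client history for each loaded user hive.
# Hives of users who are not logged on are not loaded and are not covered.
function Get-RdpClientHistory {
    $sub = 'SOFTWARE\Microsoft\Terminal Server Client'
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        # Keep real user SIDs; skip *_Classes hives and service accounts.
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $base = "Registry::HKEY_USERS\$sid\$sub"

            # Default key: values MRU0..MRU9, the most recently used targets.
            $mru = Get-ItemProperty "$base\Default" -ErrorAction SilentlyContinue
            if ($mru) {
                $mru.PSObject.Properties |
                    Where-Object Name -like 'MRU*' |
                    ForEach-Object {
                        [pscustomobject]@{
                            Sid = $sid; Source = 'Default'
                            Target = $_.Value; UsernameHint = $null
                        }
                    }
            }

            # Servers key: one subkey per host, with the user name stored for it.
            Get-ChildItem "$base\Servers" -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Sid = $sid; Source = 'Servers'
                        Target = $_.PSChildName
                        UsernameHint = $_.GetValue('UsernameHint')
                    }
                }
        }
}

Get-RdpClientHistory | Sort-Object Sid, Source, Target | Format-Table -AutoSize
```

Because a user can delete these keys, an empty result does not show that no connection was made; compare it with the event logs.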


Way 3. Check incoming RDP connection logs via PowerShell

The PowerShell script listed below provides another method for inspecting Remote Desktop Connection logs on Windows Server 2012 R2/2016/2019/2022. It displays the history of all RDP connections from the terminal RDS server event logs for the current day. The resulting table displays the connection time, the IP address of the client, the remote user name, and the logon type.

Step 1. Right-click Start, and then choose Windows PowerShell (Admin).


Step 2. Input the following script, then you’ll see the incoming RDP connection logs.

Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) | ?{(4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s'} | %{
    # Extract each field from the event message text
    (New-Object -Type PSObject -Property @{
        TimeGenerated = $_.TimeGenerated
        ClientIP = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
        UserName = $_.Message -replace '(?smi).*\s\sAccount Name:\s+([^\s]+)\s+.*','$1'
        UserDomain = $_.Message -replace '(?smi).*\s\sAccount Domain:\s+([^\s]+)\s+.*','$1'
        LogonType = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
    })
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} `
, @{N='LogType';E={
    # Translate the numeric logon type into a readable label
    switch ($_.LogonType) {
        2 {'Interactive - local logon'}
        3 {'Network connection to shared folder'}
        4 {'Batch'}
        5 {'Service'}
        7 {'Unlock (after screensaver)'}
        8 {'NetworkCleartext'}
        9 {'NewCredentials (local impersonation process under existing connection)'}
        10 {'RDP'}
        11 {'CachedInteractive'}
        default {"LogType Not Recognised: $_"}
    }
}}


Part 2. How to check outgoing RDP Windows Server connection logs

Outgoing RDP connection logs can also be viewed on the client side. There are two options.

Way 1. Check outgoing RDP connection logs via Event Viewer

The following event log contains the outgoing RDP connection logs: Applications and Services Logs > Microsoft > Windows > TerminalServices-ClientActiveXCore > Microsoft-Windows-TerminalServices-RDPClient > Operational. For example, Event ID 1102 is logged when a user connects to a remote Windows Server RDS host or a Windows 10/11 computer.


Way 2. Check outgoing RDP connection logs via PowerShell

There’s a PowerShell script that will help display the history of RDP client connections on the current computer. The script returns the SIDs of the users who initiated RDP connections on this computer, as well as the DNS names/IP addresses of the Remote Desktop hosts that the users connected to.

$properties = @(
    @{n='TimeStamp';e={$_.TimeCreated}}
    @{n='LocalUser';e={$_.UserID}}
    @{n='Target RDP host';e={$_.Properties[1].Value}}
)
Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational';ID='1102'} | Select-Object $properties


AnyViewer: Check outgoing connection logs on Windows with ease

If you use the free remote desktop software AnyViewer, it is easy to check the outgoing remote connections you have made from your computer. AnyViewer supports both Windows Server and Windows desktop operating systems. Check out the detailed steps below.

Step 1. Download, install, and launch AnyViewer on your computer.


Step 2. If you already have an AnyViewer account, you can log in directly. If not, fill in the signup information and click Sign up to create an AnyViewer account.


Step 3. Once you have successfully logged in to AnyViewer, go to the Device tab and check the Currently connected list. It lists the last 10 remote connections you have made.


Step 4. You can also choose the specific device, and click Properties. You can see the IP address of the computer you connected to, and the specific connection time.


Conclusion

This post introduces the ways to check RDP Windows Server connection logs. It will be very helpful if you want to know the incoming and outgoing RDP connections on your Windows Server. If you use AnyViewer, it will be easier for you to check the remote connections you have made.