1

Today I arrived at the office of a client and the Hyper-V server was turned off. In the Windows Event log it is registered that the admin user sent a shutdown command. I'm not the only one who has access to this user.

How can I find out from which IP the admin user was logged in when this command was requested (what event ID do I need to look up)?

Thanks.

  • Hi, a planned task or a UPS monitoring solution could send such a message if configured to use your admin account. Could it be easier to ask your team? – yagmoth555 Jan 05 '21 at 18:21
  • Hi, we don't use a UPS monitor. We have more than one server in the same room and this was the only one that was turned off. Nobody on my team says they did it. We don't use the admin user for tasks. :/ – Daniel Camara Jan 05 '21 at 19:17

2 Answers

1

If I understand correctly, your question is "How can I find the IP from which an RDP connection was established?".

You can take a look at the following log, in the event viewer: Application and Services Logs -> Microsoft -> Windows -> Terminal Services-LocalSessionManager -> Operational, event ID 21 in this log should be what you are looking for.

However, there are multiple ways of shutting down Windows... take a look at the System event log, Event ID 1074 from the User32 source; it should give you more details about who/what initiated the shutdown.

Swisstone
0

Another event to look for is event ID 4624 with a Logon Type of 10 (remote desktop); see this link for more information: https://system32.eventsentry.com/security/event/4624.

This may be a bit tedious to find manually, so you may need to set up an XML query for the event viewer if you're not using a logging solution (which you probably should). Some log monitoring solutions will parse logon and shutdown events and can present them in easy-to-use reports. You can also get emails whenever a critical server is shut down or rebooted, for example.

Lucky Luke
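Putting both answers together, the following PowerShell script is an added example (not code from either answer): it takes the most recent User32 event 1074 from the System log, then lists the TerminalServices-LocalSessionManager event 21 entries and the Security 4624 / Logon Type 10 entries that occurred in the minutes before that shutdown, with the user and source address from each. It assumes you run it as an administrator on the Hyper-V host itself; the `$Lookback` window is a parameter chosen for this example.

```powershell
# Added example: correlate a shutdown (1074) with preceding RDP logons (21, 4624/type 10).
# Assumes it is run elevated on the host whose logs are being examined.
param([int]$Lookback = 60)   # minutes before the shutdown to search for logons (hypothetical default)

# 1. Most recent shutdown request: System log, source User32, event 1074.
$shutdown = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='User32'; Id=1074} -MaxEvents 1
$t    = $shutdown.TimeCreated
$from = $t.AddMinutes(-$Lookback)
"Shutdown recorded at $t :`n$($shutdown.Message)`n"

$hits = @()

# 2. RDP session logons: TerminalServices-LocalSessionManager/Operational, event 21.
#    The event carries User and Address in UserData/EventXML, so read them from the XML form.
$tsLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
Get-WinEvent -FilterHashtable @{LogName=$tsLog; Id=21; StartTime=$from; EndTime=$t} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = ([xml]$_.ToXml()).Event.UserData.EventXML
    $hits += [pscustomobject]@{ Time=$_.TimeCreated; Source='TS-LSM 21'; User=$x.User; Address=$x.Address }
  }

# 3. Security 4624 with LogonType 10 (RemoteInteractive), selected with an XML query
#    rather than by scanning every 4624, then narrowed to the same time window.
$query = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]</Select>
</Query></QueryList>
"@
Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
  Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $t } |
  ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data          # Data elements carry a Name attribute
    $field = { param($n) ($d | Where-Object Name -eq $n).'#text' }
    $hits += [pscustomobject]@{
      Time    = $_.TimeCreated
      Source  = 'Security 4624/10'
      User    = "$(& $field 'TargetDomainName')\$(& $field 'TargetUserName')"
      Address = & $field 'IpAddress'
    }
  }

# 4. One timeline leading up to the shutdown, most recent last.
$hits | Sort-Object Time | Format-Table Time, Source, User, Address -AutoSize
```

If the 1074 message names a process such as a scheduled task or a service rather than an interactive tool, the shutdown was not necessarily issued from an RDP session and the logon rows are only circumstantial. An empty result can also mean the Security log rolled over before you looked, which is exactly the case a central log collector avoids.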