25

Is there a way to determine the IP address of a remote desktop client using PowerShell (or some other method) on the server? (Windows Server 2008 R2 x64 is what I'm using)

EDIT: I find that I can grep netstat's stdout to retrieve this information, which is very feasible, so how can I trigger a script/shell-command when a client connects?

chaz
  • Within what context? Will this script be run as the user, administrator, or someone else? – Zoredache Feb 19 '12 at 08:25
  • Is this within a LAN, WAN, or internet? – Zapto Feb 19 '12 at 08:29
  • I leave RDP open to the internet, so I know what IPs are mine and what aren't. I'm not sure who it'll run under, I guess whatever lets me retrieve that information. – chaz Feb 19 '12 at 22:37
  • I did some searching, and this post ( http://serverfault.com/questions/314386/listing-users-using-rdp ) looks to be very close to what you need. I'm just not proficient enough in Powershell to make it target/return an IP – Skawt Feb 20 '12 at 00:13
  • That event type and the information it provides still doesn't give me the remote IP, closest thing it's giving me in the event log is 'COMPUTER' – chaz Feb 20 '12 at 22:32

4 Answers

25

From a command prompt you can run the following command to get a list of the remote IPs that are connected to RDP (port 3389).

netstat -n | find ":3389" | find "ESTABLISHED"

I'm certain this can be scripted in powershell (or even just a plain old batch file). I can provide an example tomorrow if you're interested.

John Homer
  • I've used this before and it works very effectively, now I just need to find a way to trigger a script when a RDP client connects. – chaz Feb 23 '12 at 01:53
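The same filter done in PowerShell, as an added example (not the answer's own code): it reads the TCP table through .NET instead of parsing netstat text, so it runs on Server 2008 R2 / PowerShell 2.0 and returns objects you can group or export. The port number and the function name are assumptions.

```powershell
# Added example: list remote endpoints with an ESTABLISHED connection to the
# local RDP port, using the .NET TCP table (works on PowerShell 2.0, no modules).
function Get-RdpClientAddress {
    param([int]$Port = 3389)   # assumed default: standard RDP listener port

    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $established = [System.Net.NetworkInformation.TcpState]::Established

    $props.GetActiveTcpConnections() |
        Where-Object { $_.LocalEndPoint.Port -eq $Port -and $_.State -eq $established } |
        ForEach-Object {
            New-Object PSObject -Property @{
                LocalAddress  = $_.LocalEndPoint.Address.ToString()
                RemoteAddress = $_.RemoteEndPoint.Address.ToString()
                RemotePort    = $_.RemoteEndPoint.Port
            }
        }
}

# One line per client address with the number of established connections;
# several sessions from one client collapse into one row here.
Get-RdpClientAddress |
    Group-Object RemoteAddress |
    Select-Object @{ n = 'RemoteAddress'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it from the scheduled task or batch file described in the answers below in place of the netstat pipeline; like netstat, it shows the address that reached the server, which is the NAT or proxy address if one sits in front of the client.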
13

Alright, I figured out that the task scheduler application that comes with Windows is configurable to where I can run a batch script, triggered when an event in the event log is generated. Via the UI you choose the event type, event source and event ID, in which case I used 4264 (and yes it captures all logon types). Here I used a simple batch script instead:

REM Relative path: resolved against the task's "Start in" directory (System32 if unset)
SET logfile="rdp_ip_logs.log"
REM Timestamp each run, then append the currently established RDP connections
date /T>>%logfile%
time /T>>%logfile%
netstat -n | find ":3389" | find "ESTABLISHED">>%logfile%

Also I found this super-useful example on how to subscribe/listen to event writes in .NET: http://msdn.microsoft.com/en-us/library/bb552514(v=vs.90).aspx I'm gonna end up using that instead to write certain events to a database for web-based examination.

The only drawback of this solution is that if you have Remote Desktop Services enabled and multiple people are connected, you cannot differentiate between them in the netstat output.

youcantexplainthat
chaz
  • That's actually quite an elegant solution when you put it all together. I wasn't aware of the enhanced task scheduler functionality either. Great job! – John Homer Feb 23 '12 at 20:08
  • For older versions of the scheduler you could do it with a batch file and the evtmon.vbs script, see https://blogs.technet.microsoft.com/netmon/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event/ – Scott R Feb 03 '18 at 08:04
7

If you don't need to script it, you can look in the Security event log for event ID 4624. There will be a line:

Source Network Address: 192.168.xxx.xxx

Tamerz
  • 4264 is for logins and is useful for logging active domain controller type logins. I need the current IP of the connected RDP client; which account logged in is irrelevant, and I believe it is feasibly retrievable through grepping/piping netstat's stdout. I mean right now if there was a way to trigger the execution of a shell-command/script/program on an RDP connect, that'd be great. – chaz Feb 23 '12 at 02:01
  • Actually 4624 (typo) is correct, there are multiple logon types that show up on that event ID. – chaz Mar 01 '12 at 07:47
  • The source address field is blank for me on Server 2019. – bparker Sep 12 '20 at 00:01
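The two answers above fit together: the event-subscription approach from the task-scheduler answer, applied to the 4624 event and its Source Network Address field from this one. This added example (not code from either answer) subscribes in-process to 4624 events whose LogonType is 10 (RemoteInteractive, i.e. RDP) and appends the source address the event already carries, so no netstat call is needed. It assumes .NET 3.5 or later, an elevated session (the Security log is admin-only), and the log path shown.

```powershell
# Added example: log the client address carried in Security event 4624 (LogonType 10)
# as it is written, using System.Diagnostics.Eventing.Reader.EventLogWatcher.
Add-Type -AssemblyName System.Core
$global:RdpLogFile = 'C:\Logs\rdp_ip_logs.log'   # assumed path; the folder must exist

# Structured filter on the event's own data fields, evaluated by the event service,
# so only RDP logons reach the handler (not service, batch or console logons).
$xpath   = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery('Security', 'LogName', $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

$onLogon = {
    $rec = $EventArgs.EventRecord
    [xml]$x = $rec.ToXml()
    # Flatten the <Data Name="...">value</Data> pairs into a lookup table
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # IpAddress is "-" when the connection carried no network address (e.g. a local logon)
    $line = '{0} user={1}\{2} ip={3} port={4}' -f $rec.TimeCreated.ToString('s'), `
            $d['TargetDomainName'], $d['TargetUserName'], $d['IpAddress'], $d['IpPort']
    Add-Content -Path $global:RdpLogFile -Value $line
}

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier RdpLogon -Action $onLogon | Out-Null
$watcher.Enabled = $true

# Keep the script alive; -Action handlers run while the session waits here.
# To stop: Unregister-Event -SourceIdentifier RdpLogon; $watcher.Enabled = $false
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```

Run it as a startup task or inside an admin session; the subscription ends when that session ends.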
4

All this information is available in Windows Server 2016 and 2019:

You can view who logged in remotely, the session ID they have been given and from which IP address by going to:

Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational, Event ID 1149 (to view which account was used at the NLA connection level)

AND

TerminalServices-LocalSessionManager > Operational, Event ID 21 (to view which account was used for the RDP login)

Note you might need to enable "Audit account logon events: success and failure" in the local security group policy for these events to be logged.

You can go further by identifying exactly where in the world the login came from:

Download the currports utility and associated Geolite2 csv files from https://www.nirsoft.net/utils/cports.html. It's portable so there's nothing to install, and all the info to do this is on that site. Just apply a filter to only show RDP traffic (include:local:tcp:3389).

After some customizing of columns you can see absolutely everything about all the connections to your RDS server.

Ben

user611043
  • Brilliant! I'd note that the provider being debugged used a different set of NAT/proxies for RDP traffic. – Federico Oct 26 '21 at 01:21
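Querying the two TerminalServices logs this answer names from PowerShell, as an added example (not the answer's own code). It pulls event 1149 (NLA authentication succeeded) and the LocalSessionManager session events and prints one row per event with user, session ID and source address, which also covers the case from the previous answer's comments where the 4624 source address field is blank on Server 2019. The one-day window and the field names read from the event XML are assumptions based on those events' UserData layout.

```powershell
# Added example: user, session ID and source address from the TerminalServices logs.
$since = (Get-Date).AddDays(-1)   # assumed window: last 24 hours
$rows  = @()

# LocalSessionManager: 21 = session logon succeeded, 24 = disconnected, 25 = reconnected.
# Payload is <UserData><EventXML><User/><SessionID/><Address/></EventXML></UserData>.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 24, 25
        StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$x = $_.ToXml()
        $e = $x.Event.UserData.EventXML
        $rows += [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                                    User = $e.User; Session = $e.SessionID; Address = $e.Address }
    }

# RemoteConnectionManager 1149: NLA authentication succeeded, before any session exists.
# Payload is Param1 = user, Param2 = domain, Param3 = source address.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id        = 1149
        StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$x = $_.ToXml()
        $e = $x.Event.UserData.EventXML
        $rows += [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                                    User = "$($e.Param2)\$($e.Param1)"; Session = ''; Address = $e.Param3 }
    }

# Timeline first, then a per-address count so unfamiliar sources stand out.
$rows | Sort-Object Time | Format-Table -AutoSize
$rows | Group-Object Address | Sort-Object Count -Descending |
    Select-Object @{ n = 'Address'; e = { $_.Name } }, Count | Format-Table -AutoSize
```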