5
1
I specifically asked someone not to remotely access a computer running Win 7 Pro 32bit.
Now I see on the computer that Remote Access is fully set up to their laptop.
Is there a log or record somewhere in Win 7 of the times, dates and/or files they have remotely accessed via their laptop? I would like some proof before I confront them.
Mel
Posted 2011-02-04T10:46:00.700
Reputation: 51
4
I found this very helpful page about Windows 7 event log
As well as events 4624 (logon) and 4634 (logoff), I believe 4778 (session connect) and 4779 (session disconnect) are useful for monitoring remote desktop sessions.
Craig-AU
Posted 2011-02-04T10:46:00.700
Reputation: 41
1
It's not really a log file and I only had a WinXP system to verify it, but I assume the behavior hasn't changed that much: The remote desktop application (mstsc.exe) on the local machine remembers the hostname/ip address of the last few remote hosts that one connected to.
Just start it and then you should be able to see entries in the drop down list.
Using this data, there is no way to tell when the login happened and it can therefore only give an indication.
foraidt
Posted 2011-02-04T10:46:00.700
Reputation: 4 398
1
The short answer, not by default.
However if the firewall is on and logging on the firewall is enabled on the host machine, you can see logon attempts from remote machines in the Event Viewer under the Security Log. They normally have an Event ID of 10 and shows the machine name that connected at the time.
BinaryMisfit
Posted 2011-02-04T10:46:00.700
Reputation: 19 955
The firewall does NOT have to be turned on to enable logging via the security log and event viewer -- you just have to edit the policies to turn on logging of remote access. – David W. Fenton – 2011-02-05T01:56:02.323
@David Interesting. We were never able to get it to work without the firewall. – BinaryMisfit – 2011-02-05T06:19:43.690
Are you going to Control Panel | Administrative Tools | Local Security Policies | Local Policies | Audit Policy? – David W. Fenton – 2011-02-06T23:45:40.800
@David. Yes. We spent about a week trying different things. Even Microsoft couldn't get it working. – BinaryMisfit – 2011-02-07T06:36:19.660
Is this in a domain environment? – David W. Fenton – 2011-02-08T04:35:57.233
1
In Event Manager in Windows 7 all the logs regarding attempted RDP connections made from the machine are under Windows Logs > Application and Service Logs > Microsoft > Windows > TerminalServices-ClientActiveXCore > Microsoft-Windows-TerminalServices-RDPClient/Operational
Will show you addresses attempted and what happened with the connection
bob
Posted 2011-02-04T10:46:00.700
Reputation: 11
0
Just had something like this happen to me at work and I found the information in the security section of the event log. Showed a networked log-on from a remote user and included their windows logon id, IP, type of log-on (networked, local, etc), and domain name.
Migit
Posted 2011-02-04T10:46:00.700
Reputation: 71
Could you provide a step-by-step or a screenshot? This would be a lot more helpful. – user 99572 is fine – 2013-03-13T08:59:18.670
Hi, the link you posted is no longer valid, could you update the link? Thanks! – benjaminz – 2017-03-28T17:36:32.880