Is there a log file for RDP connections?

31

11

I connect to my work PC via VPN/RDP and I would like to find a log file on my work PC that would include some information on when I used it last, from where my connection originated and how long it lasted. Where in Windows 7 would I look to find that out?

Darius

Posted 2012-04-05T22:19:05.350

Reputation: 2 016

Shouldn't this be on serverfault? – Pacerier – 2015-06-26T07:38:49.440

Answers

40

If you look at the event viewer as the administrator there are server logs but not for login/logout as far as I know.

Please check the Event Viewer tree on the left side under "Applications and Services Logs -> Windows -> TerminalServices-*" where * is all of the logs there. I think you are most interested in the TerminalService-LocalSessionManager Operational log. Event ID 21 will provide the IP address of the incoming connection.

There is also a "RemoteDesktopServices-RemoteDesktopSessionManager" node in the event viewer tree on the left side under "Applications and Services Logs -> Windows". Only the Administrator role is allowed to view the file I believe. Please confirm and let me know if this addresses your use case.

Maybe try this for logging login/logout as well: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/aptopnode.mspx?mfr=true

Jarrod Wageman

Posted 2012-04-05T22:19:05.350

Reputation: 713

3 Actually either TerminalService-LocalSessionManager Operational or TerminalService-RemoteConnectionManager Operational work for me. I can see the username and the dhcp IP from there. Thanks. – Darius – 2012-04-05T23:26:30.633
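Added example, not part of any answer or comment on this page: a PowerShell sketch that reads the LocalSessionManager Operational log mentioned above and pairs each connect (Event ID 21 logon, 25 reconnect) with the next disconnect or logoff (24, 23) to show user, source address, start time and duration. Event IDs 23 to 25 and all variable names are additions here, not taken from the answers.

```powershell
# Added example. Run from an elevated PowerShell prompt on the PC you RDP into.
$log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Event IDs in this log: 21 = session logon, 25 = reconnect,
# 24 = disconnect, 23 = logoff.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 21, 23, 24, 25 } |
    Sort-Object TimeCreated |
    ForEach-Object {
        # User, SessionID and Address live under UserData/EventXML.
        $x = ([xml]$_.ToXml()).Event.UserData.EventXML
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Key     = '{0}|{1}' -f $x.User, $x.SessionID
            User    = $x.User
            Address = $x.Address
        }
    }

$open = @{}   # sessions currently connected, keyed by user + session ID
$sessions = foreach ($e in $events) {
    if (21, 25 -contains $e.Id) {
        # Console logons report the address LOCAL; keep remote ones only.
        if ($e.Address -ne 'LOCAL' -and -not $open.ContainsKey($e.Key)) {
            $open[$e.Key] = $e
        }
    }
    elseif ($open.ContainsKey($e.Key)) {
        $start = $open[$e.Key]
        $open.Remove($e.Key)
        New-Object PSObject -Property @{
            User     = $start.User
            From     = $start.Address
            Start    = $start.Time
            End      = $e.Time
            Duration = $e.Time - $start.Time
        }
    }
}

# Most recent session first; sessions still connected are not listed.
$sessions | Sort-Object Start -Descending |
    Select-Object User, From, Start, End, Duration |
    Format-Table -AutoSize
```

Because reconnects (25) are treated as a session start, this also covers the case where RDP reattaches to an existing session and no new logon event is written.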

3

Look under 'Application and Services Logs' > 'Microsoft' > 'Windows' > 'TerminalServices-ClientActiveXCore' > 'Microsoft-Windows-TerminalServices-RDPClient/Operation'.

This log will have events which contain the server name which the end user attempted to connect RDP into.

Thor N

Posted 2012-04-05T22:19:05.350

Reputation: 31

and if that is empty, you may be lucky and have entries in TerminalServices-RemoteConnectionManager. – mbx – 2017-06-07T08:02:13.067

1

I can't tell you how to check from your work machine when you established a VPN as presumably it isn't the VPN server (?). However, if you're using Remote Desktop Connection to control that work PC you may be able to pull the logon / logoff times from the Event Viewer.

Look in the Security logs for those. RDP logons are an Event ID 4624 but just searching for 4624 won't work. Within the event you need the Logon Type value to be "10" and the SecurityID value to be yours. Not sure how to filter those...

Chris_K

Posted 2012-04-05T22:19:05.350

Reputation: 7 943

You can open the XML tab on the Filter dialog, check the Edit manually box and enter `<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and Data=10]]</Select> </Query> </QueryList>`. – mynetx – 2019-09-01T16:58:25.120

This works as well, but the logs that I can get from Jarrod's answer are easier to digest. – Darius – 2012-04-05T23:44:40.610

0

Use the command quser to show sessions.

Then you will see something like ID 1 or 2 or 4. Then type Logoff 4 to log off that session.

You can also type query session or qwinsta (both are the same thing). It shows who's on and what port is listening, etc.

Norcal Helpdesk

Posted 2012-04-05T22:19:05.350

Reputation: 1

0

I found the information in the Event Viewer under Windows Logs/Security. Under task category you will see logon and logoff events.

Howard Mitchell

Posted 2012-04-05T22:19:05.350

Reputation: 11

Not entirely sure where you were looking but that area does not provide the information I was asking for. – Darius – 2014-07-17T19:39:32.357

1 RDP can also reconnect to an existing session, in which case there won't be a logon event. – Ben Voigt – 2014-07-17T20:37:20.603

@BenVoigt, The logon logoff might also not be from RDP right? – Pacerier – 2015-06-26T07:44:48.987

0

In your case, you need to review TerminalServices-LocalSessionManager and TerminalServices-RemoteConnectionManager logs from your computer.

You can also check an excellent third-party tool called SysKit, formerly Terminal Services Log. It will generate all sorts of reports from logs for you and will save you a bunch of time if you want to get all of the details about RDP connections and other stuff.

Please note: I am affiliated with Acceleratio, the makers of the tool mentioned above, so I might be a little bit biased here.

MatijaB

Posted 2012-04-05T22:19:05.350

Reputation: 9

1 The SysKit price is a little steep :( – sdjuan – 2016-01-20T17:21:34.543

If you mentioned a tool that was open source as well in your answer I would like it even more :) – Darius – 2016-07-04T06:49:49.797