
Event for Remote desktop Connection

P: 19
Hi ,

I need to monitor when a Remote Desktop connection is made to a particular host.
Is there any WMI event? If not, how can I monitor for a Remote Desktop connection?
(Basically I need to generate an event from the remote host saying that a connection was made by user xxx...)

Thanks in advance..

-Sakthi
Sep 25 '08 #1
12 Replies


balabaster
Expert 100+
P: 797
Look into using the Terminal Services API... I just googled for Terminal Services API and immediately came up with:

http://msdn.microsoft.com/en-us/libr...64(VS.85).aspx

So I imagine that's the most likely avenue to investigate.

Otherwise what you would have to do is use something like the WinPcap driver, which installs a sniffer to monitor all traffic on the network card. This can then be used to determine the type of traffic (TCP/UDP), the port the request is coming in on, and the computer it is coming from. I'm doubtful that it's possible to extract the username of the person connecting though... unless you can figure out how to decode the packets.

The easiest way I can think of to determine the username of the person connecting, is to either query the client machine to see who is logged in, or wait until they actually log in on the terminal server and check which username is used - they may connect to the terminal server using a different username/password than the client they connect from.

I suspect that checking a list of users on the server using the API involves referencing the WTSEnumerateSessions which from what I see retrieves a list of sessions on a specified terminal server...this implies that you can query any terminal server to which you have authority to query, although it doesn't explicitly say that, so I could be reaching.

I think using some combination of the API and the WinPCAP driver are the way to go. The API will give you access to who they logged into the server as, along with what they're doing on the server, which processes they access etc. The WinPCAP driver will allow you to snoop on the network traffic giving you information about where they're communicating from. Querying the WMI interface on the remote computer (assuming you have access to that) will allow you to determine who is logged in at that machine. Bear in mind that the person logged into the server may also be logged into the remote machine by remote desktop/terminal services also... it may not be the user sitting at the console... and so the cycle continues.

Of course, your application may not need such complexity. I'm just a suspicious network administrator type...
Sep 25 '08 #2

Plater
Expert 5K+
P: 7,872
If the software is running on the computer that people will be remoting IN to, then it can be done.
A number of programs can tell when you are remoting in (I have two online video games that tell me when I am remoted into the computer)
If the computer supports multiple users logged in at once, I believe there are WMI/Active Directory queries that can be done to get the usernames of everyone logged in.
Sep 25 '08 #3

P: 19
Some forums say that to know whether an RDP connection has been made (through Remote Desktop or using the RDP protocol), you enable Audit logon events in local security settings.

http://windowsitpro.com/article/arti...n-type-10.html

...then whenever a connection is made we will get a security log entry with Logon Type = 10. If the logon type is 10, the user logged on as RemoteInteractive.

http://www.windowsecurity.com/articles/Logon-Types.html

Please see the next post for my question, since I'm not able to post more than 100 characters.
Sep 30 '08 #4

P: 19
cont... My question is:

* If I look at the security log through Event Viewer, I'm able to see the log entry with logon type = 10. I need to retrieve the same information through WMI.
* So I connect to the system using WMI and access the Win32_NTLogEvent class. I'm getting the log, but there is no parameter to retrieve the logon type. If I retrieve the 'Message' parameter value, the logon type comes along with other information as a single string.
* So I tried to get the Logon Type parameter from Win32_LogonSession, but I'm not getting logon type = 10 from that class.

From which class can I get the correct logon type? If the logon type is correctly displayed in the security logs, then from which class is this retrieved?
Sep 30 '08 #5

Plater
Expert 5K+
P: 7,872
win32_LogonSession has a LoginType property that you can search on
Sep 30 '08 #6
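As an added example (not code posted in this thread), here is a PowerShell script that puts Plater's suggestion into practice: it enumerates Win32_LogonSession on a host, walks the Win32_LoggedOnUser association to find the account behind each session, and flags sessions whose LogonType is 10 (RemoteInteractive, the value the Security log reports for Remote Desktop logons). The -ComputerName and -RdpOnly parameters and the Get-SessionAccounts helper are this example's own. The class only describes sessions that exist right now, not past logons, and which LogonType values a given Windows version returns for a live RDP session is exactly what running this lets you check.

```powershell
# Added example (not code from the thread): list the logon sessions WMI knows
# about on a host, resolve each to its account through the Win32_LoggedOnUser
# association, and flag sessions whose LogonType is 10 (RemoteInteractive).
# Assumes the caller has WMI/DCOM rights on the target; '.' is the local machine.
# Win32_LogonSession only covers sessions that currently exist, not past logons.
param(
    [string]$ComputerName = '.',
    [switch]$RdpOnly
)

# LogonType values as documented for Win32_LogonSession.
$logonTypeNames = @{
    0  = 'System'
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-SessionAccounts {
    # Follow the association from a logon session (the Dependent end of
    # Win32_LoggedOnUser) to the Win32_Account instance(s) at the Antecedent end.
    param([string]$LogonId)
    $assocQuery = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$LogonId'} " +
                  "WHERE AssocClass=Win32_LoggedOnUser Role=Dependent"
    Get-WmiObject -ComputerName $ComputerName -Query $assocQuery
}

$rows = foreach ($s in Get-WmiObject -ComputerName $ComputerName -Class Win32_LogonSession) {
    $type = [int]$s.LogonType
    if ($RdpOnly -and $type -ne 10) { continue }

    $typeName = $logonTypeNames[$type]
    if (-not $typeName) { $typeName = "Unknown($type)" }

    # StartTime is a DMTF datetime string; convert it with the helper PowerShell
    # attaches to WMI objects. Some internal sessions have no StartTime.
    $started = $null
    if ($s.StartTime) { $started = $s.ConvertToDateTime($s.StartTime) }

    # Sessions with no account mapping (e.g. internal SYSTEM sessions) still get a row.
    $accounts = @(Get-SessionAccounts $s.LogonId)
    if ($accounts.Count -eq 0) { $accounts = @($null) }

    foreach ($a in $accounts) {
        $user = $null
        if ($a) { $user = "$($a.Domain)\$($a.Name)" }
        New-Object PSObject -Property @{
            LogonId   = $s.LogonId
            User      = $user
            LogonType = $type
            TypeName  = $typeName
            StartTime = $started
            IsRdp     = ($type -eq 10)
        }
    }
}

$rows | Sort-Object StartTime |
    Format-Table LogonId, User, LogonType, TypeName, StartTime, IsRdp -AutoSize
```

Run it as `.\Get-LogonSessions.ps1 -ComputerName HOST -RdpOnly` (the file name is arbitrary) from an account that can query WMI on HOST; the association query costs one round trip per session, which is fine for a workstation but worth batching on a busy terminal server.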

P: 19
win32_LogonSession has a LoginType property that you can search on
Hi Plater..
I searched the Win32_LogonSession class, but I'm not getting logon type = 10. Instead I'm getting values of 2, 3, 5 and 11, but logon type = 10 is displayed in the security logs.
Sep 30 '08 #7

Plater
Expert 5K+
P: 7,872
Maybe you are looking for a different type of login type? win32_SessionLogin looks like it only shows active logins, not logins in the past?

I cannot even find where in ANY event logs it shows a user logging in. Is it in Application or System?
Sep 30 '08 #8

P: 19
Maybe you are looking for a different type of login type? win32_SessionLogin looks like it only shows active logins, not logins in the past?

Sorry, I wasn't able to find the win32_SessionLogin class. In Google also I can't get documentation for this class. Can you tell me under which namespace it is present, or point me to any documentation regarding this class?

I cannot even find where in ANY event logs it shows a user logging in. Is it in Application or System?

In the security logs you can find the information. Before that you need to enable audit logon events in local security settings to get security events.
Sep 30 '08 #9

Plater
Expert 5K+
P: 7,872
Sorry, I mistyped; it's LogonSession like you said:
http://msdn.microsoft.com/en-us/library/aa394189.aspx

Where in the EventViewer did you find the logins?
Sep 30 '08 #10

P: 19
Sorry, I mistyped; it's LogonSession like you said:
http://msdn.microsoft.com/en-us/library/aa394189.aspx

Where in the EventViewer did you find the logins?
Check this link; here they say how to enable audit logon events.
After you enable it, if you make an RDP connection then the security events will be there in the Event Viewer on the system where the RDP connection is made.

http://technet.microsoft.com/en-us/library/cc787567.aspx
Sep 30 '08 #11

Plater
Expert 5K+
P: 7,872
Ah ha!
I was able to look up this then:
("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType = 4 AND EventCode = 682")
As being what happens for a remote login.

I also saw that %SESSIONNAME% is either 'console' or something like 'RDP', depending on whether the session is local or remote.
Sep 30 '08 #12

P: 19
Ah ha!
I was able to look up this then:
("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType = 4 AND EventCode = 682")
As being what happens for a remote login.

I also saw that %SESSIONNAME% is either 'console' or something like 'RDP', depending on whether the session is local or remote.

Yes, we can get the log for console or RDP, but event code = 682 says
"A user has reconnected to a disconnected terminal server session."
http://technet.microsoft.com/en-us/library/cc787567.aspx
So, if we connect to the system for the very first time, we can't rely on event code = 682. Moreover, we can see the session name in the Event Viewer; how can we get the session name using a Win32 class?
Sep 30 '08 #13
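As an added example (not code from this thread), here is a PowerShell script that ties together posts #5, #12 and #13: it queries Win32_NTLogEvent for the Security log the way Plater's WQL does, but instead of relying on event 682 alone it also pulls the successful-logon events and parses the "Logon Type" value out of the Message string, which is the only place WMI exposes it. The event IDs are a fact the thread does not state: successful logons are 528 on Windows XP/2003 and 4624 on Vista/2008 and later, and session reconnects (the 682 the thread discusses) are 4778 on Vista/2008 and later. The reconnect events' Message text carries a "Session Name" line (for example RDP-Tcp#1), which answers the last question in the thread for that event type. The -ComputerName and -Hours parameters and the Get-MessageField and ConvertTo-LogonRecord helpers are this example's own, and the field labels assume the standard English event text. As the thread says, logon auditing must already be enabled on the target.

```powershell
# Added example (not code from the thread): pull Remote Desktop logons out of the
# Security log through Win32_NTLogEvent. WMI exposes the event text only as the
# Message string, so fields such as "Logon Type" have to be parsed out of it.
# Assumes logon auditing is enabled on the target, the caller may read its
# Security log over WMI/DCOM, and the events use the English message text.
param(
    [string]$ComputerName = '.',
    [int]$Hours = 24
)

# Successful logon:  528 (XP/2003 Security log), 4624 (Vista/2008 and later).
# Session reconnect: 682 (XP/2003), 4778 (Vista/2008 and later). A reconnect
# attaches to an existing session, so it carries no "Logon Type" line but does
# name the session (e.g. RDP-Tcp#1) and the client address.
$logonCodes     = 528, 4624
$reconnectCodes = 682, 4778

# Restrict the scan to a recent window: enumerating a whole Security log over
# WMI is slow. WQL compares TimeGenerated against DMTF datetime literals.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))
$codeFilter = (($logonCodes + $reconnectCodes) | ForEach-Object { "EventCode=$_" }) -join ' OR '
# EventType=4 is "Success Audit" in Win32_NTLogEvent.
$query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventType=4 " +
         "AND TimeGenerated>='$since' AND ($codeFilter)"

function Get-MessageField {
    # Return the value of the last "Label:<whitespace>Value" line in the message.
    # Taking the last occurrence matters for 4624, where "Account Name" appears
    # first under Subject (the caller) and again under New Logon (the user).
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*" + [regex]::Escape($Label) + ":\s*(.+?)\s*$"
    $found = [regex]::Matches($Message, $pattern)
    if ($found.Count -gt 0) { $found[$found.Count - 1].Groups[1].Value } else { $null }
}

function ConvertTo-LogonRecord {
    # Normalise one Security event into a flat record, trying the XP/2003 field
    # labels first and the Vista/2008 labels second.
    param($Event)
    $msg = $Event.Message
    $isReconnect = $reconnectCodes -contains [int]$Event.EventCode

    $user = Get-MessageField $msg 'User Name'
    if (-not $user) { $user = Get-MessageField $msg 'Account Name' }
    $domain = Get-MessageField $msg 'Domain'
    if (-not $domain) { $domain = Get-MessageField $msg 'Account Domain' }
    $client = Get-MessageField $msg 'Source Network Address'
    if (-not $client) { $client = Get-MessageField $msg 'Client Address' }

    $logonType   = Get-MessageField $msg 'Logon Type'      # logon events only
    $sessionName = Get-MessageField $msg 'Session Name'    # reconnect events only

    $kind = 'Logon'
    if ($isReconnect) { $kind = 'Reconnect' }
    $fullUser = $user
    if ($domain -and $user) { $fullUser = "$domain\$user" }

    New-Object PSObject -Property @{
        Time        = $Event.ConvertToDateTime($Event.TimeGenerated)
        EventCode   = [int]$Event.EventCode
        Kind        = $kind
        User        = $fullUser
        LogonType   = $logonType
        SessionName = $sessionName
        ClientAddr  = $client
        # Type 10 is RemoteInteractive; a reconnect counts as RDP when it names
        # an RDP-Tcp session rather than the console.
        IsRdp       = ($logonType -eq '10') -or ($sessionName -like 'RDP*')
    }
}

$records = Get-WmiObject -ComputerName $ComputerName -Query $query |
    ForEach-Object { ConvertTo-LogonRecord $_ } |
    Where-Object { $_.IsRdp }

$records | Sort-Object Time |
    Format-Table Time, EventCode, Kind, User, LogonType, SessionName, ClientAddr -AutoSize
```

Run it as `.\Get-RdpLogons.ps1 -ComputerName HOST -Hours 6` (the file name is arbitrary). To raise an alert as connections happen rather than scanning after the fact, the same ConvertTo-LogonRecord filter can be attached to a WMI event subscription on `__InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile='Security'`, which is how a WMI-based monitor would get the "event when user xxx connects" the original question asks for.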
