How to find out who connected to a particular server via RDP.
Using the logs written by the Windows OS, you can obtain information about which IP addresses and users connected to the virtual server, and when they did so.
The instructions below can also be used on desktop versions of Windows.
Let's consider some of the most common codes related to the server's startup and shutdown times.
1149: The presence of this code indicates a successful user authentication on the server. (Remote Desktop Services: User authentication succeeded)
21: This code indicates a successful logon to the system, meaning the user has seen the desktop window. (Remote Desktop Services: Session logon succeeded)
24: This event indicates a successful disconnection from RDP (Remote Desktop Services: Session has been disconnected)
25: Indicates a reconnection to the RDP session. (Remote Desktop Services: Session reconnection succeeded)
23: The user clicked Logoff and logged out of the system (Remote Desktop Services: Session logoff succeeded )
39: The user manually disconnected from the RDP session (not just closed the RDP window). Or they were disconnected by another user or administrator.
How to view event data?
Press Win+R and enter eventvwr
In the left panel, open "Windows Logs => System"
In the Event ID column, we will see a list of events that occurred during the operation of Windows. The event log can be sorted by event ID.
To filter the events we need, on the right side, select "Filter Current Log"
Now enter the desired events, separated by commas, 1149,39,25,24,23,21 and click OK.
Now we can observe the event log with the shutdown of our VPS server.
These events can be viewed in different sections. For example:
EventId 1149,4624,4625 - filter in Windows Logs => Security
EventId 25,24,21,39 - filter in Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
EventId 23 - Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operationa
Now you can independently check who and when accessed your server via RDP.