
Remote Desktop Connection logs

Anonymous
October 4, 2004 4:35:05 PM

Archived from groups: microsoft.public.windowsxp.work_remotely

Does RDC keep ANY logs at all? Errors, connections made... recent connections?
Anything at all would be helpful, as I have searched and cannot find any as
of yet.

Thanks all!
Toybreaker at gmail dot com
--
NEXT!!!
Anonymous
October 4, 2004 6:56:17 PM

Look in the Event Log (Security) for a Logon/Logoff Event 528. It should have a Logon Type 10...

You can set up an Audit Policy using the Group Policy editor to log logon success and failures. Go
to "Start -> Run" and type 'gpedit.msc' (without the quotes). Navigate to "Local Computer Policy ->
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit
Policies -> Audit logon events". Highlight and right-click and select properties. Configure as
desired. Note, some folks have XP boxes set up to log in without a password. Logging in
without a password counts as a "failure". This results in the security log filling up very fast if
you log failures and have a user without a password. I fell into that trap while testing a new XP
Pro box once. The result is you cannot log in normally. Also note, not having a password is
a potential and probable security risk.

The event log can be viewed by going to "Start -> Control Panel -> Performance and Maintenance ->
Administrative Tools" and clicking on "Event Viewer".

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

Anonymous
October 4, 2004 6:56:18 PM

Thanks for the info. I tested it and found the event. So a 528 with a logon
type of 10 will always be an RDC or TS logon? What I need to know is if the
client keeps any logs of attempted connections, whether successful or failures.

Anonymous
October 4, 2004 8:24:44 PM

If you expand the properties for the 528 event, scroll down in the "Description" window and click
on the "For more information" URL, the resulting window lists the various logon types. You can test
against that, noting the time for each login attempt using Remote Desktop, by providing wrong
passwords for example, to see how logging works... Of course this presumes you set up the audit policy
to also log failures...

--
Al Jarvi (MS-MVP Windows Networking)

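The check Al describes, as an added example that is not part of the original thread: Python that filters Security-log records for Event 528 with Logon Type 10. The record layout, sample events and function names are constructed for illustration, and Event 529 (the XP logon failure for an unknown user name or bad password) is not named in the thread.

```python
import re
from collections import Counter

# Logon type codes used in Windows logon/logoff events.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample in a simplified "Field: value" layout (an assumption,
# not an actual Event Viewer export format). Records are blank-line separated.
SAMPLE_EXPORT = """\
Event ID: 528
Time: 2004-10-04 18:40:12
User Name: alice
Logon Type: 10

Event ID: 528
Time: 2004-10-04 18:42:03
User Name: bob
Logon Type: 2

Event ID: 529
Time: 2004-10-04 18:45:51
User Name: alice
Logon Type: 10
"""

# Field name is everything before the first colon; the value may contain colons.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Turn each record into a dict; skip records without numeric ID/type."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        matches = (FIELD.match(line) for line in block.splitlines())
        fields = dict(m.groups() for m in matches if m)
        if fields.get("Event ID", "").isdigit() and fields.get("Logon Type", "").isdigit():
            fields["Event ID"] = int(fields["Event ID"])
            fields["Logon Type"] = int(fields["Logon Type"])
            events.append(fields)
    return events

def remote_desktop_events(events, event_id=528):
    """Return (time, user) for events of the given ID with Logon Type 10."""
    return [(e.get("Time"), e.get("User Name")) for e in events
            if e["Event ID"] == event_id and e["Logon Type"] == 10]

def summarize(events):
    """Count events per (event ID, logon type name)."""
    return Counter((e["Event ID"], LOGON_TYPES.get(e["Logon Type"], "Unknown"))
                   for e in events)

if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EXPORT)
    print("RDP logons:  ", remote_desktop_events(parsed))
    print("RDP failures:", remote_desktop_events(parsed, event_id=529))
```

Failure records only appear if the audit policy is set to log failures as well as successes.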
Anonymous
October 4, 2004 8:44:59 PM

Misread your post...

Hmmm... I have never tested on the client...:-)

Perhaps you could test and report back. That would be a big help to others on this forum...

--
Al Jarvi (MS-MVP Windows Networking)

Anonymous
October 4, 2004 8:45:00 PM

The client does not write anything to the event logs when you attempt a
connection. I was hoping that there would be a .txt or .log file somewhere
that kept that info. I have a hard time believing MS has an app that does
track what you do. Oh well... thanks for the info, Al... much appreciated... I
learned something!!

October 7, 2004 9:52:27 AM

Toybreaker,

I have this line in my logon.bat file. It writes a text
file to the C drive (you can redirect it elsewhere) of
all logons.
echo %username% %clientname% %date% %time% >> c:\logon.txt
Works for me.

Scott
