This post mainly introduces the ways to check RDP Windows Server connection logs. If you want to know the incoming and outgoing RDP connection on your Windows Server, keep reading!
The answer is yes. Windows automatically records every incoming and outgoing Remote Desktop session. Whether you are auditing server security or troubleshooting connection issues, knowing how to locate these logs is essential.
In this guide, we will show you how to check RDP connection logs using Event Viewer, Registry, and PowerShell, covering Windows Server 2022/2019/2016 and Windows 11/10.
There are three primary methods to monitor who has accessed your server via Remote Desktop.
The Event Viewer is the most detailed way to track RDP history using specific Event IDs.
Step 1. Press Win + R to invoke the Run dialog box, then type in “eventvwr.msc” and press OK to open Event Viewer.
Step 2. Navigate here: Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational. Right-click Operational and choose Filter Current Log.
Step 3. Remote Desktop Services logs various activities using specific Event IDs. To check when a user successfully connected via RDP, enter 1149 in the filter field, this Event ID indicates a successful Remote Desktop login.
Note: Users can also input other relevant Event IDs depending on the information they’re looking for. For instance, to find out when RDP sessions were disconnected for specific users, they can use Event ID 22, which records session disconnections.
Step 4. Then you will get an event list with the history of all RDP connections to this server.
Step 5. Click one of them, then you can see the details of the RDP connection, including IP address, computer name, login time, etc.
The Registry Editor stores a quick cache of the most recent connections.
Step 1. Press Win + R to invoke the Run dialog box, then type in “regedit” and press OK to open Registry.
Step 2. Navigate here: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Terminal Server Client. Expand the Default Key, it stores the history of the last 10 RDP connections.
Step 3. You can also expand the Servers Key, it contains the list of all RDP servers and usernames used previously to login. If you want to clear RDP connection history, you can right click it and delete it.
The PowerShell script listed below provides another method for inspecting Remote Desktop Connection logs on Windows Server. It displays the history of all RDP connections from the terminal RDS server event logs for the current day. The resulting table displays the connection time, the IP address of the client, the remote user name, and the logon type.
Step 1. Right-click Start, and then choose Windows PowerShell (Admin).
Step 2. Input the following script, then you’ll see the incoming RDP connection logs.
|
Get-EventLog -LogName Security -after (Get-date -hour 0 -minute 0 -second 0)| ?{(4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s'}| %{ (new-object -Type PSObject -Property @{ TimeGenerated = $_.TimeGenerated ClientIP = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1' UserName = $_.Message -replace '(?smi).*\s\sAccount Name:\s+([^\s]+)\s+.*','$1' UserDomain = $_.Message -replace '(?smi).*\s\sAccount Domain:\s+([^\s]+)\s+.*','$1' LogonType = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1' }) } | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP ` , @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} ` , @{N='LogType';E={ switch ($_.LogonType) { 2 {'Interactive - local logon'} 3 {'Network connection to shared folder)'} 4 {'Batch'} 5 {'Service'} 7 {'Unlock (after screensaver)'} 8 {'NetworkCleartext'} 9 {'NewCredentials (local impersonation process under existing connection)'} 10 {'RDP'} 11 {'CachedInteractive'} default {"LogType Not Recognised: $($_.LogonType)"} } }} |
If you want to know which remote computers a local user has connected to, check the client-side logs.
The following event log contains the outgoing RDP connection logs:
Application and Services Logs > Microsoft > Windows > TerminalServices-ClientActiveXCore > Microsoft-Windows-TerminalServices-RDPClient > Operational.
When a user connects to a remote Windows Server RDS host or a Windows 10/11 computer, for example, Event ID 1102 occurs.
There’s a PowerShell script that will help display the history of RDP client connections on the current computer. The script returns the SIDs of the users who initiated RDP connections on this computer, as well as the DNS names/IP addresses of the Remote Desktop hosts that the users connected to.
| $properties = @( @{n='TimeStamp';e={$_.TimeCreated}} @{n='LocalUser';e={$_.UserID}} @{n='Target RDP host';e={$_.Properties[1].Value}} ) Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational';ID='1102'} | Select-Object $properties |
While Windows native tools like Event Viewer are powerful, they are often overkill for daily monitoring, requiring you to memorize complex Event IDs and navigate deep directory trees.
AnyViewer offers a professional yet user-friendly alternative. It is a free remote desktop software for Windows that automatically tracks your connection history, allowing you to audit your remote activities in seconds without running a single command.
Why AnyViewer is Better for Tracking Connections:
How to Check Your Connection History in AnyViewer
Checking your remote session logs in AnyViewer is significantly faster than using the Windows Registry or PowerShell.
Step 1. Download and launch AnyViewer on your device.
Step 2. Sign up for a free account and log in. This allows you to sync your managed devices and history across different computers.
Step 3. Go to the Device tab and look at the Recently Connected list. This shows your latest remote sessions at a glance.
Step 4. You can also choose the specific device and click Properties. You can see the IP address of the computer you connected to, and the specific connection time.
Step 5. For users who need to maintain permanent records or export data for security audits, AnyViewer also stores local log files on your computer.
This post mainly introduces the ways to check RDP Windows Server connection logs. It would be very helpful if you want to know the incoming and outgoing RDP connections on your Windows Server. If you use AnyViewer, it will be easier for you to check the remote connection you have made.
