• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312
  • Last Modified:

Are there Log files for RDP connections?

We have a user that is concerned that someone is accessing their computer remotely.  

Is there any place I can find a record of when remote connection are made to a computer and where those connections are coming from on  windows XP system?
1 Solution
Look in the Event Log (Security) for a Logon/Logoff Event 528. It should have a Logon Type 10...

You can setup an Audit Policy using the Group Policy editor to log logon success and failures. Go
to "Start -> Run" and type 'gpedit.msc' (without the quotes). Navigate to "Local Computer Policy ->
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit
Policies -> Audit logon events". Highlight and right-click and select properties. Configure as
desired. Note, some folks have XP boxes setup to login without a password. Logging in
without a password counts as a "failure". This results in the security log filling up very fast if
you log failures and have a user without a password. I fell into that trap while testing a new XP
Pro box once. The result is you can not login normally. Also note, not having a password is
a potential and probable security risk.

The event log can be viewed by going to "Start -> Control Panel -> Performance and Maintenance ->
Administrative Tools" and click on "Event Viewer".

Also see this page for other Audit Logon information...

http://www.microsoft.com/resources [...] us/518.asp

Lastly, you might look at the Port Reporter tool for additional logging...Specifically the PR-Ports
log file...

apilkingtonAuthor Commented:
Ok, I know about using the event viewer to view events.  We have not previously setup to log account events so I will set that up so that I can see what is happening in this case.  

The real reason I was posting was is question was that I had done some looking on the internet and I was seeing posts about different event ID's that weren't explaining all of the steps I needed to go through to set things up for the auditing of these type of events.

I will setup auditing on the computer in question and let you know if I any problems.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now