AboutPricingCommunityTeamsStart Free TrialLog in
Avatar of Dustin Saunders
Dustin Saunders
Flag for United States of America asked on

Event Logged when session stolen.

Hey Experts,

We have an RDS farm which uses a gateway to distribute connections to servers.  My question is, is there an event logged for when a session is taken by another login?  (i.e. user johnsmith logs in from home stealing the session he left open at work)

If so, is that logged on the server level or gateway level and in which log?

Thanks!
Remote AccessWindows Server 2012Microsoft Server OS
Avatar of undefined
Last Comment
Dustin Saunders
8/22/2022 - Mon
bbao
try this script, the IP address can tell you where a user logs on from.

http://gallery.technet.microsoft.com/scriptcenter/e8c3af96-db10-45b0-88e3-328f087a8700
Dustin Saunders
ASKER
But how would I distinguish that it was a stolen session?  Wouldn't it look the same if they logged off vs had the session taken over at a different location?
bbao
good question. :)

to be honest i didn't try that script before. if I was you, i would try it and compare the outputs of the two kinds of login.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER CERTIFIED SOLUTION
Dustin Saunders
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Albert Widjaja
Dustin,

Does that script must be executed on the terminal servers or can be executed remotely from our laptop ?
Dustin Saunders
ASKER
It can be executed from a PC so long as you can reach the computer in question, but you need to invoke it in a PSSession.

$server = "TestServer123" #define the server to connect to
    $session = New-PSSession -ComputerName $server #Create a new remote PS Session.
    $events = Invoke-Command -Session $session -ScriptBlock {Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; ID=40}}
    Remove-PSSession $session

Open in new window


This gives you the object $events which you can dump to a CSV, or do whatever with.
Dustin Saunders
ASKER
The event appears to be Event ID 40 from TerminalServices-LocalSessionManager\Operational where reason code is 5.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Plans and Pricing
Resources
Product
Podcasts
Careers
Contact Us
Teams
Certified Expert Program
Credly Partnership
Udemy Partnership
Privacy Policy
Terms of Use

© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent