So… someone mysteriously logged into your Windows server on Friday the 13th at exactly 3:16 AM, changed something important, and vanished like a ghost in the night?
Now the entire team is doing the classic:
“Wasn’t me.”
Luckily, Windows has receipts.
How to Check RDP Login History on Windows Server
If you want to find Remote Desktop (RDP) login history on a Windows Server, here’s the quickest way:
- Open Event Viewer
- Navigate to:
Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager
- Click on Operational
And there it is — the glorious timeline of every RDP login attempt and successful Remote Desktop connection made to the server. Event ID 1149 is commonly used to identify successful Remote Desktop authentication attempts.
You can:
- Scroll through the logs manually
- Filter logs by date and time
- Identify which user logged in
- Finally discover who “just quickly checked something” on production
Either way… good luck.
Happy hunting, fellow sysadmin. 🕵️♂️
0 Comments