Key Points
- Identify the relevant Windows event channels and RDP-related event IDs, and use logon attributes (such as LogonType) to distinguish remote sessions from console logons.
- Use PowerShell scripts to extract, filter, and export Security, Local Session Manager, and Remote Connection Manager logs into CSV format.
- Combine logon, logoff, and connection events to create a chronological timeline of remote desktop activity, linking usernames, IP addresses, and session durations.
- Enhance remote desktop monitoring by enabling Windows Event Forwarding, setting larger log sizes, and using NinjaOne to automate collection, alerting, and documentation.
Remote Desktop Protocol (RDP) leaves traces across several Windows logs. The challenge is separating remote interactive sessions from console logons and stitching the scattered events into a single story. This article provides the relevant event IDs, filters, and a simple correlation pattern, along with client-side artifacts and practical tips drawn from field forensics and administrative guides.
Checking desktop connection history and building a timeline
Checking desktop connection history and building a timeline involves mapping event sources, pulling history, correlating events into sessions, capturing failures, adding artifacts, centralizing and retaining data, and analyzing outcomes.
📌 Prerequisites:
- Local admin or equivalent on target systems
- PowerShell remoting or direct Event Viewer access
- A central share or SIEM to store exports and run logs
- Optional Windows Event Forwarding to avoid log rollover gaps
Step 1: Map the event sources
📌 Use Case: You need to identify which Windows event channels record authentication events and which provide RDP session and connection context for investigation.
- Press Win + R, type eventvwr.msc, and press Enter.
- Navigate the following:
- Windows Logs > Security
- Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager > Operational
- Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational
- Review key event IDs by context
- Authentication (Security log): 4624 (logon succeeded), 4625 (logon failed), 4634 (logoff), 4647 (user-initiated logoff). LogonType 10 (RemoteInteractive) marks an RDP logon and LogonType 7 an unlock or reconnect of an existing session; console logons are LogonType 2. With Network Level Authentication enabled, the credential check happens first as a LogonType 3 (Network) logon, so a failed RDP attempt is normally recorded as a 4625 with LogonType 3, not 10.
- RDP connection (RemoteConnectionManager/Operational, before the interactive logon): 1149, "User authentication succeeded", which records the user, domain, and source IP of the connecting client.
- RDP session activity (LocalSessionManager/Operational, after the logon): 21 (session logon succeeded), 22 (shell start notification received), 23 (session logoff succeeded), 24 (session disconnected), 25 (session reconnection succeeded). Each carries the user, session ID, and source address.
Step 2: Pull history with PowerShell
📌 Use Case: Export relevant RDP events from multiple channels for analysis or archiving.
- Press Win, type PowerShell, then click Run as Administrator.
- Copy and paste the following script into the prompt, then press Enter:
```powershell
# Security Log (success & failure)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } |
    Export-Csv -Path C:\Logs\Security_RDP.csv -NoTypeInformation   # adjust the output path as needed
```
- Afterward, use the following script:
```powershell
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" |
    Where-Object { $_.Id -in 21, 22, 23, 24, 25 } |
    Export-Csv -Path C:\Logs\LSM_RDP.csv -NoTypeInformation   # adjust the output path as needed
```
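The two one-liners above export raw events. For correlation you want the same columns from all three channels, with the fields that live inside the event XML (TargetUserName, LogonType, IpAddress, SessionID, the RCM parameters) pulled out into their own columns. The following script does that; it is an added example and not code from the original article. It assumes an elevated PowerShell on the RDP host, a 30-day window, and C:\Logs as the output directory; the function names are the example's own.

```powershell
# Added example (not from the original article): pull RDP-related events from the Security,
# LocalSessionManager and RemoteConnectionManager channels, normalize the fields needed for
# correlation, and write one CSV per channel. C:\Logs is a placeholder output directory.

# Read a named <Data Name='...'> value from a Security event's EventData.
function Get-EventDataValue {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

function Get-RdpSecurityEvents {
    param([datetime]$StartTime)
    # 4624 success, 4625 failure, 4634/4647 logoff. LogonType is filtered after the fact
    # because FilterHashtable cannot filter on named EventData fields.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4634, 4647; StartTime = $StartTime }
    $rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Channel     = 'Security'
            Id          = $_.Id
            User        = Get-EventDataValue $x 'TargetUserName'
            Domain      = Get-EventDataValue $x 'TargetDomainName'
            LogonType   = Get-EventDataValue $x 'LogonType'
            IpAddress   = Get-EventDataValue $x 'IpAddress'
            SessionId   = $null
            Status      = Get-EventDataValue $x 'Status'      # present on 4625 only
            SubStatus   = Get-EventDataValue $x 'SubStatus'   # present on 4625 only
        }
    }
    # Keep remote interactive logons (10) and unlock/reconnect (7), every user-initiated
    # logoff (4647 carries no LogonType), and failed network logons (3): with Network Level
    # Authentication a failed RDP attempt is logged as LogonType 3, not 10.
    $rows | Where-Object { $_.Id -eq 4647 -or $_.LogonType -in '10', '7' -or ($_.Id -eq 4625 -and $_.LogonType -eq '3') }
}

function Get-RdpSessionEvents {
    param([datetime]$StartTime)
    # LSM 21 logon, 22 shell start, 23 logoff, 24 disconnect, 25 reconnect. These events keep
    # their fields under UserData/EventXML (User, SessionID, Address), not under EventData.
    $filter = @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 22, 23, 24, 25; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.EventXML
        $parts  = "$($d.User)" -split '\\', 2            # User is written as "DOMAIN\name"
        $domain = if ($parts.Count -eq 2) { $parts[0] } else { '' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated; Channel = 'LSM'; Id = $_.Id
            User = $parts[-1]; Domain = $domain; LogonType = $null
            IpAddress = $d.Address        # 'LOCAL' for console sessions
            SessionId = $d.SessionID; Status = $null; SubStatus = $null
        }
    }
}

function Get-RdpConnectionEvents {
    param([datetime]$StartTime)
    # RCM 1149 "User authentication succeeded": Param1 = user, Param2 = domain, Param3 = source IP.
    $filter = @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated; Channel = 'RCM'; Id = $_.Id
            User = $d.Param1; Domain = $d.Param2; LogonType = $null
            IpAddress = $d.Param3; SessionId = $null; Status = $null; SubStatus = $null
        }
    }
}

function Export-RdpHistory {
    param([datetime]$StartTime = (Get-Date).AddDays(-30), [string]$OutDir = 'C:\Logs')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd_HHmm'
    Get-RdpSecurityEvents   -StartTime $StartTime | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "Security_RDP_$stamp.csv")
    Get-RdpSessionEvents    -StartTime $StartTime | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "LSM_$stamp.csv")
    Get-RdpConnectionEvents -StartTime $StartTime | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "RCM_$stamp.csv")
}

Export-RdpHistory
```

All three exports share the same column set, so they can be concatenated with Import-Csv and sorted on TimeCreated for a single chronological view. The LogonType 3 failures are kept deliberately: on an NLA-enabled host they are the only record of password guessing against RDP.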
Step 3: Correlate into sessions
📌 Use Case: Build session timelines by connecting user logins, IP addresses, and durations.
- Match Event 1149 (RCM) with 4624 (LogonType 10) for the same user, allowing a timestamp difference of about one minute; take the source IP from 1149 if the 4624 IpAddress field is empty or "-".
- Take the SessionID from LSM 21 (session logon succeeded) and use LSM 22 (shell start) to confirm the desktop actually launched.
- Use LSM 23 (logoff) or 24 (disconnect) to determine the session end. A 24 followed by a 25 (reconnect) is the same session resumed, possibly from a different IP, so only a 23 is a final end; a trailing 24 means the session is disconnected but still alive on the host.
- Calculate session duration from the 4624 (or LSM 21) timestamp to the ending event.
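The correlation pattern above, carried through on a small constructed record set, as an added example (not code from the original article). It assumes records with the columns TimeCreated, Channel, Id, User, LogonType, IpAddress and SessionId; Import-Csv output of per-channel exports with those headers works, and the function casts TimeCreated back to a date because CSV import yields strings. The sample covers an NLA-protected logon (LogonType 3 followed by 10), a disconnect and reconnect from a different IP, a final logoff, and a console logon that must be ignored.

```powershell
# Added example (not from the original article): stitch normalized RDP records into sessions.
# $sample is constructed for illustration.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-05-02 09:00:03'; Channel = 'RCM';      Id = 1149; User = 'jdoe';    LogonType = '';   IpAddress = '10.20.30.40'; SessionId = '' }
    [pscustomobject]@{ TimeCreated = '2024-05-02 09:00:05'; Channel = 'Security'; Id = 4624; User = 'jdoe';    LogonType = '3';  IpAddress = '10.20.30.40'; SessionId = '' }   # NLA credential check
    [pscustomobject]@{ TimeCreated = '2024-05-02 09:00:06'; Channel = 'Security'; Id = 4624; User = 'jdoe';    LogonType = '10'; IpAddress = '10.20.30.40'; SessionId = '' }
    [pscustomobject]@{ TimeCreated = '2024-05-02 09:00:07'; Channel = 'LSM';      Id = 21;   User = 'jdoe';    LogonType = '';   IpAddress = '10.20.30.40'; SessionId = '3' }
    [pscustomobject]@{ TimeCreated = '2024-05-02 09:00:08'; Channel = 'LSM';      Id = 22;   User = 'jdoe';    LogonType = '';   IpAddress = '10.20.30.40'; SessionId = '3' }
    [pscustomobject]@{ TimeCreated = '2024-05-02 11:42:10'; Channel = 'LSM';      Id = 24;   User = 'jdoe';    LogonType = '';   IpAddress = '10.20.30.40'; SessionId = '3' }   # disconnect
    [pscustomobject]@{ TimeCreated = '2024-05-02 13:05:00'; Channel = 'LSM';      Id = 25;   User = 'jdoe';    LogonType = '';   IpAddress = '10.20.30.41'; SessionId = '3' }   # reconnect, new IP
    [pscustomobject]@{ TimeCreated = '2024-05-02 17:30:44'; Channel = 'LSM';      Id = 23;   User = 'jdoe';    LogonType = '';   IpAddress = '10.20.30.41'; SessionId = '3' }   # logoff
    [pscustomobject]@{ TimeCreated = '2024-05-02 08:15:00'; Channel = 'Security'; Id = 4624; User = 'svc_ops'; LogonType = '2';  IpAddress = '-';           SessionId = '' }   # console logon, not RDP
)

function Build-RdpTimeline {
    param([object[]]$Records, [int]$WindowSeconds = 60)
    # Import-Csv yields strings; normalize TimeCreated so time arithmetic works.
    $sorted = $Records | ForEach-Object { $_.TimeCreated = [datetime]$_.TimeCreated; $_ } | Sort-Object TimeCreated
    $sessions = @()
    # Each 4624 with LogonType 10 opens an RDP session. The LogonType 3 event NLA produces
    # just before it and console logons (LogonType 2) are skipped on purpose.
    foreach ($logon in ($sorted | Where-Object { "$($_.Id)" -eq '4624' -and "$($_.LogonType)" -eq '10' })) {
        $lo = $logon.TimeCreated.AddSeconds(-$WindowSeconds)
        $hi = $logon.TimeCreated.AddSeconds($WindowSeconds)
        $rcm   = $sorted | Where-Object { "$($_.Id)" -eq '1149' -and $_.User -eq $logon.User -and $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi } | Select-Object -First 1
        $lsm21 = $sorted | Where-Object { "$($_.Id)" -eq '21'   -and $_.User -eq $logon.User -and $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi } | Select-Object -First 1
        $life = @()
        if ($lsm21) {
            # Later LSM events with the same SessionID describe this session, up to its first
            # logoff (23). SessionIDs are reused, so anything after that 23 belongs to another session.
            $life = @($sorted | Where-Object { $_.Channel -eq 'LSM' -and "$($_.SessionId)" -eq "$($lsm21.SessionId)" -and $_.TimeCreated -ge $lsm21.TimeCreated })
            $logoff = $life | Where-Object { "$($_.Id)" -eq '23' } | Select-Object -First 1
            if ($logoff) { $life = @($life | Where-Object { $_.TimeCreated -le $logoff.TimeCreated }) }
        }
        $shell = $life | Where-Object { "$($_.Id)" -eq '22' } | Select-Object -First 1
        $last  = $life | Select-Object -Last 1
        # A final 23 ends the session; a trailing 24 means disconnected but still alive on the host;
        # anything else (21, 22, 25 last) means the session is still open.
        $end = $null; $reason = 'Open'
        if ($last -and "$($last.Id)" -in '23', '24') {
            $end    = $last
            $reason = @{ '23' = 'Logoff'; '24' = 'Disconnected' }["$($last.Id)"]
        }
        $sessions += [pscustomobject]@{
            User        = $logon.User
            SourceIp    = if ($rcm) { $rcm.IpAddress } else { $logon.IpAddress }   # 1149 is the reliable source of the client IP
            SessionId   = if ($lsm21) { $lsm21.SessionId } else { $null }
            Start       = $logon.TimeCreated
            ShellStart  = if ($shell) { $shell.TimeCreated } else { $null }
            End         = if ($end) { $end.TimeCreated } else { $null }
            EndReason   = $reason
            Reconnects  = @($life | Where-Object { "$($_.Id)" -eq '25' }).Count
            DurationMin = if ($end) { [math]::Round(($end.TimeCreated - $logon.TimeCreated).TotalMinutes, 1) } else { $null }
        }
    }
    $sessions
}

Build-RdpTimeline -Records $sample | Format-Table -AutoSize
```

On the sample this yields a single session for jdoe from 10.20.30.40 with one reconnect and an end reason of Logoff; the disconnect at 11:42 does not split the session, and the console logon by svc_ops produces no row. The reconnect from 10.20.30.41 is worth surfacing in a real investigation, since a session resumed from a new address is a common sign of a stolen or shared session.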
Step 4: Capture failures and anomalies
📌 Use Case: Detect brute-force, credential spray, or account misuse attempts.
- Open Event Viewer > Windows Logs > Security.
- On the right, click Filter Current Log…
- In Event IDs, type “4625”, then click OK.
- Double-click any event to open it. In the General or Details tab, look for:
- TargetUserName (who was targeted)
- IpAddress (where it came from)
- Status/SubStatus (why it failed)
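Reading 4625 events one at a time does not scale past a handful of failures. The following added example (not code from the original article) runs the triage a practitioner actually wants over a set of 4625 records: it decodes Status/SubStatus into the reason Windows recorded and flags two patterns, a credential spray (one source, many distinct accounts in a short window) and a brute force (one account, many attempts). It assumes records with the columns TimeCreated, User, IpAddress, Status and SubStatus; the thresholds and the $failures data are constructed for illustration.

```powershell
# Added example (not from the original article): triage 4625 records for spraying and brute force.
# NTSTATUS codes from the 4625 Status/SubStatus fields; keys in a PowerShell hashtable literal are
# case-insensitive, so the lowercase hex Windows writes into the event XML matches.
$failureText = @{
    '0xC000006A' = 'Bad password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Outside permitted logon hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
    '0xC000015B' = 'Logon type not granted to this account'
}

function Get-FailureReason {
    param($Status, $SubStatus)
    # SubStatus carries the specific reason; Status is only informative when SubStatus is 0x0
    # (for example Status 0xC0000234 for a lockout).
    foreach ($code in @($SubStatus, $Status)) {
        if ($code -and $failureText.ContainsKey("$code")) { return $failureText["$code"] }
    }
    "Unmapped ($Status / $SubStatus)"
}

# Constructed sample: a spray of 12 accounts from one address, 30 attempts against one
# account from another, and a single benign lockout.
$t0 = [datetime]'2024-05-02 02:00:00'
$failures = @()
foreach ($u in 'alice','bob','carol','dave','erin','frank','grace','heidi','ivan','judy','mallory','oscar') {
    $failures += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5 * $failures.Count); User = $u; IpAddress = '203.0.113.7'; Status = '0xc000006d'; SubStatus = '0xc0000064' }
}
foreach ($n in 1..30) {
    $failures += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(40).AddSeconds(2 * $n); User = 'administrator'; IpAddress = '198.51.100.5'; Status = '0xc000006d'; SubStatus = '0xc000006a' }
}
$failures += [pscustomobject]@{ TimeCreated = $t0.AddHours(7); User = 'jdoe'; IpAddress = '10.20.30.40'; Status = '0xc0000234'; SubStatus = '0x0' }

function Find-RdpLogonAbuse {
    param([object[]]$Failures, [int]$WindowMinutes = 60, [int]$SprayUsers = 10, [int]$BruteAttempts = 20)
    $rows = $Failures | ForEach-Object { $_.TimeCreated = [datetime]$_.TimeCreated; $_ }
    $findings = @()
    # Spray: one source IP, many distinct target accounts inside the window.
    foreach ($g in ($rows | Group-Object IpAddress)) {
        $times = @($g.Group.TimeCreated | Sort-Object)
        $users = @($g.Group.User | Sort-Object -Unique)
        if ($users.Count -ge $SprayUsers -and ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
            $findings += [pscustomobject]@{ Type = 'Credential spray'; Key = $g.Name; Attempts = $g.Count; Distinct = $users.Count; First = $times[0]; Last = $times[-1] }
        }
    }
    # Brute force: one target account, many attempts inside the window, from any number of sources.
    foreach ($g in ($rows | Group-Object User)) {
        $times   = @($g.Group.TimeCreated | Sort-Object)
        $sources = @($g.Group.IpAddress | Sort-Object -Unique)
        if ($g.Count -ge $BruteAttempts -and ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
            $findings += [pscustomobject]@{ Type = 'Brute force'; Key = $g.Name; Attempts = $g.Count; Distinct = $sources.Count; First = $times[0]; Last = $times[-1] }
        }
    }
    $findings
}

Find-RdpLogonAbuse -Failures $failures | Format-Table -AutoSize
# Reason breakdown: a spray of non-existent user names reads very differently from bad passwords on real accounts.
$failures | Group-Object { Get-FailureReason $_.Status $_.SubStatus } | Select-Object Count, Name
```

On the sample, 203.0.113.7 is reported as a credential spray (12 distinct accounts in under a minute), administrator as a brute force (30 attempts from one source), and jdoe's single lockout is not flagged. The spray shows up as "User name does not exist", which is the tell of an attacker working from a guessed user list rather than a harvested one.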
Step 5: Add artifacts
📌 Use Case: Correlate from the operator’s workstation when server-side logs are missing.
- Press Win + R, type regedit, then press Enter.
- Navigate to:
- HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
- On the right, you’ll see entries such as MRU0, MRU1, and MRU2, which include server names or IP addresses.
- Write down the targets that matter.
Note: The Terminal Server Client registry keys are only populated when the native Windows RDP client (mstsc.exe) is used. If RDP was not initiated from this workstation or a third-party remote access tool was used, these artifacts may not be present.
Afterward, follow the steps below:
- Open File Explorer.
- In the address bar, paste:
- %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\
- Sort by Date modified.
- Look for large or recent files. These can be parsed with forensic tools, but even the presence and timestamps are informative.
Next, follow the steps below:
- In File Explorer, go to:
- C:\Users\<username>\Documents\
- In the top-right search box, type:
- *.rdp
- Note any file names and their modified dates.
Note: .rdp files are optional client-side artifacts and are only present if a user manually saved an RDP connection file. Their absence does not rule out RDP usage. The one file mstsc writes on its own is Default.rdp, a hidden file in Documents holding the last connection's settings; enable hidden items in File Explorer to see it.
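The three client-side checks above, collected in one pass, as an added example (not code from the original article). Beyond the article's list it also reads the Servers subkey next to Default, where mstsc keeps one key per host with the UsernameHint last used for it, and it includes the hidden Default.rdp by searching with -Force. It runs in the context of the user whose profile is being examined; for another user's profile, load their NTUSER.DAT or run under their account. Function and column names are the example's own.

```powershell
# Added example (not from the original article): collect mstsc artifacts from the current user's profile.
function Get-RdpClientArtifacts {
    $items = @()
    $tsc = 'HKCU:\Software\Microsoft\Terminal Server Client'

    # MRU0..MRUn under Default: most recently used targets, MRU0 being the latest.
    if (Test-Path "$tsc\Default") {
        $default = Get-ItemProperty "$tsc\Default"
        foreach ($p in ($default.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' } | Sort-Object Name)) {
            $items += [pscustomobject]@{ Source = 'Registry MRU'; Name = $p.Name; Value = $p.Value; LastWrite = $null }
        }
    }
    # One subkey per host under Servers, with the user name last typed for that host.
    if (Test-Path "$tsc\Servers") {
        foreach ($k in Get-ChildItem "$tsc\Servers") {
            $hint = (Get-ItemProperty $k.PSPath).UsernameHint
            $items += [pscustomobject]@{ Source = 'Registry Servers'; Name = $k.PSChildName; Value = $hint; LastWrite = $null }
        }
    }
    # Jump lists: the file for mstsc is one of many here, so list the recent ones and their timestamps.
    $jump = Join-Path $env:APPDATA 'Microsoft\Windows\Recent\AutomaticDestinations'
    if (Test-Path $jump) {
        foreach ($f in (Get-ChildItem $jump -File | Sort-Object LastWriteTime -Descending | Select-Object -First 10)) {
            $items += [pscustomobject]@{ Source = 'JumpList'; Name = $f.Name; Value = "$($f.Length) bytes"; LastWrite = $f.LastWriteTime }
        }
    }
    # Saved .rdp files plus the hidden Default.rdp; the target host is on the "full address:s:" line.
    $docs = Join-Path $env:USERPROFILE 'Documents'
    foreach ($f in Get-ChildItem $docs -Filter *.rdp -Recurse -Force -ErrorAction SilentlyContinue) {
        $m = Select-String -Path $f.FullName -Pattern '^full address:s:(.+)$' | Select-Object -First 1
        $target = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
        $items += [pscustomobject]@{ Source = '.rdp file'; Name = $f.FullName; Value = $target; LastWrite = $f.LastWriteTime }
    }
    $items
}

Get-RdpClientArtifacts | Format-Table -AutoSize
```

The registry entries carry no per-value timestamp, which is why the .rdp file dates and the jump-list modification times matter: they are the only client-side evidence of when a target was last used, and they can be matched against the 1149 and 4624 times on the server.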
Step 6: Centralize and retain
📌 Use Case: Ensure continuous visibility and prevent log loss.
- Press Win + R, type eventvwr.msc, then press Enter.
- Go to Windows Logs > Security.
- Right-click Security, choose Properties.
- Set the Maximum log size to something larger.
- Choose “Overwrite events as needed” or “Archive the log when full, do not overwrite events”, then click OK.
Note: There is no single recommended size for the Security log. A common approach is to size the log based on expected event volume and desired retention.
To save a copy, follow the steps below:
- In Event Viewer, right-click Security > Save All Events As…
- Select a location, such as C:\Logs\Security_<date>.evtx.
- Do the same for:
- TerminalServices-LocalSessionManager / Operational
- TerminalServices-RemoteConnectionManager / Operational
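The same sizing, retention and export steps as a script, for applying them to a fleet rather than one console at a time. This is an added example and not code from the original article; the sizes are placeholders to be replaced with values derived from your event volume and retention target, and C:\Logs is the example's own output location.

```powershell
# Added example (not from the original article): set log size and retention for the three RDP
# channels and export each one to .evtx. Requires an elevated session. Sizes are placeholders.
$channels = @{
    'Security'                                                               = 1GB
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'     = 256MB
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' = 256MB
}

function Set-RdpLogRetention {
    param([hashtable]$Sizes)
    foreach ($name in $Sizes.Keys) {
        # Get-WinEvent -ListLog returns an EventLogConfiguration whose settings can be changed in place.
        $log = Get-WinEvent -ListLog $name
        $log.MaximumSizeInBytes = [long]$Sizes[$name]
        $log.LogMode = 'Circular'     # overwrite oldest when full; 'AutoBackup' archives the log when full instead
        $log.SaveChanges()
        # Re-read so the output shows what the system actually accepted.
        Get-WinEvent -ListLog $name | Select-Object LogName, LogMode, MaximumSizeInBytes, FileSize, RecordCount
    }
}

function Export-RdpLogs {
    param([string[]]$Names, [string]$OutDir = 'C:\Logs')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd'
    foreach ($name in $Names) {
        $file = Join-Path $OutDir (($name -replace '[^\w-]', '_') + "_$stamp.evtx")
        # wevtutil epl writes the live channel to an .evtx that Event Viewer can reopen; /ow:true overwrites an existing file.
        wevtutil epl $name $file /ow:true
        Get-Item $file | Select-Object Name, Length, LastWriteTime
    }
}

Set-RdpLogRetention -Sizes $channels
Export-RdpLogs -Names ([string[]]$channels.Keys)
```

A larger local log is a stopgap, not a retention strategy: an attacker with administrative rights can clear it, which is why the exports (or, better, Windows Event Forwarding to a collector the host cannot write to) are the copy to rely on in an investigation.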
Step 7: Operate outcomes
📌 Use Case: Turn data into action and maintain audit integrity.
- Open tickets for repeated failures, new source IPs, or missing log coverage.
- Attach the timeline to incident narratives and quarterly service reviews.
- Review session recording coverage and access exceptions on a monthly basis.
Best practices when checking remote desktop connection history
The table below summarizes the best practices to follow when checking remote desktop connection history:
| Practice | Purpose | Value delivered |
| --- | --- | --- |
| Focus on Security, LSM, and RCM | Broader coverage | Faster, confident triage |
| Filter by LogonType 10 and IDs | Correct classification | Clear separation of RDP vs console |
| Join pre-auth and auth events | Source attribution | Accurate user and IP mapping |
| Normalize to CSV and JSON | Evidence | Repeatable audits and QBRs |
| Forward and retain logs | Reliability | Timelines available when needed |
NinjaOne services that help check the remote desktop connection history
With NinjaOne, you can deploy collection and monitoring scripts by device role, centrally collect and analyze event log data, attach relevant findings to IT documentation, and configure alerts that can create tickets for notable conditions (such as failure spikes or unusual activity). Some Windows-specific configurations, like Event Forwarding, must be enabled at the OS level.
Ensure the RDP history is straightforward
Precise filters and a simple correlation pattern ensure the RDP history is straightforward. Combine server events with client artifacts and schedule exports to track who connected, when, and from where, which also prepares artifacts for audits and investigations.
Related topics:
- What Is Remote Desktop Protocol (RDP)?
- Enable or Disable Remote Desktop Protocol (RDP) on Workstations Using PowerShell
- How to Configure Remote Desktop Users in Windows
- How to Monitor for Unexpected RDP Sessions Using Event Logs and PowerShell
- Best Practices for Securing Remote Desktop Access in SMB Environments
