
Retrieve Remote Desktop Activity (Via Windows Event Logs)

Like most companies out there in 2020, most of us have had to take extreme measures to adjust to employees working 100% remotely. In my case, a lot of requests came in about needing to access non-standard applications on the office desktops. Over time, management inquired about the number of staff actually remoting into the office PCs.

That information can easily be located in the Windows Event Viewer:

You need to navigate to:

Microsoft-Windows-TerminalServices-RemoteConnectionManager

The event entry confirms authentication through Remote Desktop Services; it also provides the day, time and the affected username.

PS: I have removed the domain name and computer name from the screenshot above.

Finally, you can also script it in PowerShell to produce a nice report by iterating through the records (Event 1149). Please let me know if this is something that you could use.
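One way to build such a report, as an added example rather than the author's own script: it reads Event 1149 from the Operational channel of the log named above, pulls the user, domain and source address out of each record, and prints both a detailed list and a per-account summary. The 30-day window, the CSV path and running from an elevated session on the desktop being audited are assumptions.

```powershell
# Added example: Remote Desktop activity report from Event ID 1149.
# Assumptions: 30-day window, CSV path, elevated session on the audited PC.
$LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$Since   = (Get-Date).AddDays(-30)                       # assumed reporting window
$OutFile = Join-Path $env:TEMP 'rdp-1149-report.csv'     # assumed output path

$filter = @{ LogName = $LogName; Id = 1149; StartTime = $Since }

# Get-WinEvent raises an error when nothing matches the filter,
# so suppress it and treat that case as an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($evt in $events) {
    # Event 1149 keeps its fields under UserData/EventXML:
    # Param1 = user name, Param2 = domain, Param3 = source network address.
    $data = ([xml]$evt.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        TimeCreated   = $evt.TimeCreated
        Computer      = $evt.MachineName
        User          = $data.Param1
        Domain        = $data.Param2
        SourceAddress = $data.Param3
    }
}

if (-not $report) {
    Write-Warning "No Event 1149 records found in $LogName since $Since."
}
else {
    # Detailed list, newest first.
    $report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

    # Per-account summary: connection count and most recent connection.
    $report | Group-Object Domain, User | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $latest.Domain, $latest.User
            Connections = $_.Count
            LastSeen    = $latest.TimeCreated
        }
    } | Sort-Object Connections -Descending | Format-Table -AutoSize

    # Keep a copy that can be handed to management.
    $report | Export-Csv -Path $OutFile -NoTypeInformation
}
```

The source address column makes it easy to spot connections coming from somewhere other than the expected VPN range.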

Thanks.