I would like a log of everyone with whom I have connected in the past with RDP. I know this is possible as when I go to the start menu and type RDP there is a list of "Recent Connections" but I would like everyone who I have connected to.
To log process activity you can use Windows Audit Service. Enable process tracking, object access then search for proper event records. But this service doesn't track network traffic.
If client OS is Windows Server you could use Windows Filtering Platform.
Standard "Microsoft Remote Desktop client" creates registry subkeys in HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers while connecting to remote servers.
So just read subkeys to get server list (PowerShell):
dir -recurse "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers"
To get last connection time value read proper subkey's timestamp using RegQueryInfoKey.
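The registry approach from the answer above, as an added example that is not part of the original answer: it lists each server subkey together with the last-write time obtained through RegQueryInfoKey. The `Example.RegTime` wrapper and the `Get-RdpClientHistory` function name are assumptions of this example; `UsernameHint` is the value the Microsoft client stores under each server subkey.

```powershell
# Added example (not from the original answer): RDP client history for the
# current user, with each subkey's last-write time read via RegQueryInfoKey.
# Example.RegTime and Get-RdpClientHistory are hypothetical names.
Add-Type -Namespace Example -Name RegTime -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW")]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RdpClientHistory {
    param([string]$Path = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers')

    # The key is absent when this user has never connected with the client.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $null0 = [IntPtr]::Zero   # every optional out-parameter is passed as NULL
    foreach ($key in Get-ChildItem -LiteralPath $Path) {
        [long]$fileTime = 0
        $rc = [Example.RegTime]::RegQueryInfoKey(
            $key.Handle.DangerousGetHandle(),
            $null0, $null0, $null0, $null0, $null0,
            $null0, $null0, $null0, $null0, $null0,
            [ref]$fileTime)

        [pscustomobject]@{
            Server       = $key.PSChildName
            UsernameHint = $key.GetValue('UsernameHint')
            # rc 0 is ERROR_SUCCESS; FILETIME is converted to a UTC DateTime
            LastWriteUtc = if ($rc -eq 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }
        }
        $key.Close()
    }
}

Get-RdpClientHistory | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

The last-write time changes on any modification of the subkey, so treat it as an approximation of the last connection time. The key is per user, so it only covers connections made from the account that runs the function.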
We have a few Windows 10 Pro computers with Remote Desktop enabled. There are "client" machines running Windows 10 Pro and Windows 10 Home.
Is it possible to programmatically check, from a client machine, that the remote computer is already occupied by someone? That is, if another remote client is already connected to it? If so, can I do this without breaking the existing remote connection?
When a user logs on to a Remote Desktop Services–enabled computer, a session is started for the user. Each session is identified by a unique session ID. Because each logon to a Remote Desktop Connection (RDC) client receives a separate session ID.
Refer: Remote Desktop Sessions
You can use the WTSEnumerateSessions function to retrieve the identifiers of all sessions on a specified RD Session Host server.
WTSEnumerateSessions: Retrieves a list of sessions on a Remote Desktop Session Host (RD Session Host) server.
Note:
To enumerate a session, you must enable the query information permission. For more information, see Remote Desktop Services Permissions.
To change permissions on a session, use the Remote Desktop Services Configuration administrative tool.
To enumerate sessions running on a virtual machine hosted on a RD Virtualization Host server, you must be a member of the Administrators group on the RD Virtualization Host server.
If you want to retrieve the session ID of the current session that the remote desktop service is running, you can call WTSQuerySessionInformation and specify WTS_CURRENT_SESSION for the SessionId parameter and WTSSessionId for the WTSInfoClass parameter.
You can use the query session command from the command line.
If you're on the same local network as the remote computer, then you can directly use the query session:
Use the command query session /SERVER:<remote pc name, or IP address>
If there is someone actively logged into the console, then it returns console <username> Active as the state. However, this can also mean someone logged in, the session locked, and they walked away for coffee. It doesn't actually mean they are doing something in the session; they are simply logged into the console. This state also occurs if you use another remote login software such as TeamViewer, since it logs in as an active console.
C:\Users\Myself>query session /server:LabServerPC
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           LabUser                   1  Active
 rdp-tcp                                 65536  Listen
If the computer is already in use by a remote desktop session, it will return it as a session as the active state. In this case rdp-tcp#1 <username> Active.
C:\Users\Myself>query session /server:LabServerPC
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 rdp-tcp#1         LabUser                   1  Active
 console                                     3  Conn
 rdp-tcp                                 65536  Listen
If you are operating via a VPN, or off the native network, it may be easier to remotely log into the PC using SSH and then query the session directly. In this case, you would use query session only.
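A way to turn the `query session` output described in the answer above into a yes/no occupancy check, as an added example that is not part of the original answer. The function names are assumptions of this example, and the sample text is constructed to match the second output shown above.

```powershell
# Added example (not from the original answer). ConvertFrom-QuerySession and
# Get-RdpOccupancy are hypothetical names.
function ConvertFrom-QuerySession {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = $line -replace '^>', ' '      # '>' marks the caller's own session
        $tok  = @(-split $text)               # split on runs of whitespace
        # The ID is the first all-digit token; the header line has none.
        $i = 0
        while ($i -lt $tok.Count -and $tok[$i] -notmatch '^\d+$') { $i++ }
        if (($i -gt 2) -or (($i + 1) -ge $tok.Count)) { continue }

        $name = ''; $user = ''
        if ($i -eq 2) { $name, $user = $tok[0], $tok[1] }
        elseif ($i -eq 1) {
            # A blank SESSIONNAME column (disconnected user) shows up as a
            # deeply indented line, so the single token is the user name.
            if ($text -match '^\s{2,}') { $user = $tok[0] } else { $name = $tok[0] }
        }
        [pscustomobject]@{
            SessionName = $name; UserName = $user
            Id = [int]$tok[$i]; State = $tok[$i + 1]
        }
    }
}

function Get-RdpOccupancy {
    param([string[]]$Lines)
    $active = @(ConvertFrom-QuerySession $Lines | Where-Object State -eq 'Active')
    [pscustomobject]@{
        # rdp-tcp#N is an established RDP session; plain rdp-tcp is the listener
        RdpUsers     = @($active | Where-Object SessionName -like 'rdp-tcp#*' | ForEach-Object UserName)
        ConsoleUsers = @($active | Where-Object SessionName -eq 'console' | ForEach-Object UserName)
    }
}

# Constructed sample, modelled on the output shown above.
$sample = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE'
    ' services                                    0  Disc'
    ' rdp-tcp#1         LabUser                   1  Active'
    ' console                                     3  Conn'
    ' rdp-tcp                                 65536  Listen'
)
Get-RdpOccupancy $sample
# Live use: Get-RdpOccupancy (query session /server:LabServerPC)
```

As the answer notes, an Active state only means a user is logged in, not that they are working in the session, so a locked session is still reported as occupied.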
I have a shared folder on a windows 10 host machine. I could access it from a windows 10 client machine, where I had set "remember credentials" when first accessing the share. I changed the password on the host. Now the client cannot access the shared folder. That was expected. But I could not find a way on the client to allow the user to re-establish access to the shared folder.
I expected it would ask for credentials again. However I got a network error saying that windows cannot access the host machine.
Based on a number of entries on various forums, I tried a few things. The credentials manager on the client does not show the host. I stopped and restarted file and printer sharing on the client, without any change in the result. Network diagnosis and the windows troubleshooter gave no help.
The problem was due to some previous connections remaining in the network table, even though disconnected, as presented by the "net use" command from the command prompt.
>net use
Status       Local     Remote                    Network
--------------------------------------------------------------------------
Disconnected           \\192.168.1.71\IPC$       Microsoft Windows Network
Disconnected           \\HOST\IPC$               Microsoft Windows Network
After deleting them (via "net use /delete") the next attempt to access the host asked for credentials. Yay!
I began the path to the solution when I tried
net use z: \\host\shared /user:admin password
which gave system error 1219 stating multiple connections to a server are not allowed. Disconnect all previous connections and try again. Obviously, even though known to be disconnected, the entries prevented reconnection.
I'm using Windows Server 2008 R2 which runs a VB6.0 application that uses a smartcard locally.
I then connect to this machine remotely using Remote Desktop Connection (6.3). However now the application shows the following error (SmartCard):
0x8010001d The Smart card resource manager is not running.
Research so far:
I don't want to use redirection as the card is on the remote machine already.
Using RDP the way I am trying to use it for is wrong and tightVNC is more appropriate (This does fix the issue)
Unsure - SCardEstablishContext API is returning that error because it gets an Access Denied error when trying to open an event called "Global\Microsoft Smart Card Resource Manager Started" with OpenEvent API. The default security for that event on Vista and Windows 7 specifies that only SYSTEM, LOCAL SERVICE and INTERACTIVE users have access to it. NETWORK SERVICE or non-interactive users won’t be able to access the event.
Why is the SmartCard not being recognised?
Any Information would be appreciated.
NOTE: The smartcard works fine when the application is on Windows Server 2008 R2 - however only fails when connecting remotely.
It is not possible, you can't use the locally plugged smartcard of the server you RDP into, as your session is redirected to the client then only the client's smartcard is accessible in the RDP session.
Microsoft made it like this for security reasons.
But there is a turn around, like sharing the device (smartcard reader, USB token, USB devices) using software or hardware:
software examples (I only found paid solutions), see link
or hardware using a Device server but it doesn't work through WAN only LAN.
Use VNC instead of RDP
TLDR: Use VNC as a Windows Service
If you insist on using RDP, then you'll have to patch your RDP DLLs. If you don't want to do this, then instead use ANY OTHER PROTOCOL other than RDP. If it's a vmware VM, then just use the vcenter console. If it's an Azure VM where you don't GET a console, then just install VNC-server-software on the server that has the Smart Cards and then access from somewhere else via VNC-client. "TightVNC" (https://community.chocolatey.org/packages/tightvnc) worked nicely for me.
There are two ways to run TightVNC server:
TightVNC Server (Service Mode) -- Connecting with VNC-client will take you to the Windows logon screen.
TightVNC Server (Application Mode)
You will need to run TightVNC as a Windows Service. Then you will start a NEW session. Otherwise you'll just be on top of the existing RDP session and still not see remote Smart Cards.
Long Version
If you RDP into a remote server, then that remote server's Smart Cards will be hidden. That behavior is baked into RDP and it is BY DESIGN.
You can optionally take your LOCAL Smart Cards along into the RDP session. (Via mstsc.exe's "Local Resources" tab and then checking "Smart cards".) But these are the Smart Cards connected LOCALLY to your laptop. And NOT the Smart Cards connected to the remote server.
So if you use RDP, then you have option to either see no Smart Cards at all (neither local, nor remote) or just see your LOCAL Smart Cards. To see the REMOTE Smart Cards is NOT possible via RDP.
This is by design inside RDP. And if you want to change it, then you have to manually patch some .DLL files. And somebody has actually done this. See this question here:
How to Access Remote USB Smartcard during RDP
Before you create your Remote Desktop session, click on "Show options". Under the "Local Resources" tab there is a "Local devices and resources" panel. Click the "More" button.
Click on "Smart Cards". Now complete the remote desktop session.
As part of a business solution we are offering several remote desktops to a user base. Currently the users must go system by system attempting to connect and find one that is not already being used. I'd like to see if there is a command that can be run to quickly query an IP and see if there is an active remote connection already.
I've run across a 'wmic' solution already, but this only seems to work if the person running the command has admin access on the destination machine. I don't need a username returned or any information other than if there is a currently in-use remote connection.
Any ideas?
Researched solutions that didn't pan out listed below:
wmic /node:IP ComputerSystem GET UserName ---Returns only if requestor is an admin
qwinsta /server:IP ---RPC is not enabled on all machines
eventvwr IP ---Too technical and time consuming for end users
Thanks in advance
query session /SERVER:servername
Hey all,
I'm having trouble with PerfMon on one system out of fifteen in a development environment. Accessing it from the local machine is fine but connecting to it remotely throws a "Cannot connect" error.
Each machine is running Win 2003, is connected to the same domain and I have admin rights to all.
There were some services set to disabled which are normally enabled by default so I've set these to match the other machines on the network - still have the same problem.
Any ideas?
Cheers
**Update**
Ok - I found it was the remote registry service not running correctly causing the above error; Once that was enabled Perfmon is now telling me "No such interface supported".
If I connect through Computer Management, it fails the first time, but the second attempt is successful. Connecting through perfmon fails every time.
Fixed - for anyone that runs into this issue, hopefully this can help you..
Enabling Remote Registry fixed my first problem.
The second issue, "No such interface supported" turned out to be permissions issues within the registry. Apparently the machine had some pretty obscure permissions set to specific registry keys a long time ago, which are now irrelevant.
Resetting permissions with secedit fixed it up -
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
Perfmon counters are now accessible remotely.
We encountered the second issue - "No such interface supported" when attempting to "Connect to another computer" in Performance monitor.
All the rules and services are running.
We found the following:
If the user was added to the local admin group, they were able to connect to another computer (irrespective of belonging to the Performance Monitor group).
If the user was not a local admin and in the performance monitor group - we were unable to connect to another computer via the "Connect to another computer" context menu.
But we were able to add the performance counters. In Performance monitor when you add a counter there is an option to "Select counters from computer". We were able to connect to the counters on the remote machine this way. Also note that if you are planning on data collecting, you would need to set the correct credentials (by default it appears to run under a local system user).
I fixed my case as follows:
Add Firewall rule Performance Logs and Alerts from the predefined rule list.
From client, run the Performance Monitor as the remote user
Eg: runas /user:remote_machine\username "mmc perfmon.msc"
Of course, the user must be at least in the user groups "Performance Log users" or "Performance Monitor Users".
The reason why perfmon.exe does not want to connect to the remote server is that it wants to connect to the Perf Monitor and the Perf Logs (Data collections).
So you have to add the user account to the Log User group as well and, of course, to the Monitor Users.
You don't need to be local admin on the remote server!