Remote Desktop Connection/FTP: Date/time/duration tracking?

Tom

WinXP Pro SP3, all MS updates

Is it possible via the Event Log or whatever to determine the date/time and
duration for a remote desktop connection? I've looked in the Event Logs and
I'm not able to see anyplace that records a date, time, duration or IP/remote
address etc.
Is there such a way/place? If so, where is it?

Same for FTP site tracking.
TIA!
 
Pegasus [MVP]

Tom said:
WinXP Pro SP3, all MS updates

Is it possible via the Event Log or whatever to determine the date/time and
duration for a remote desktop connection? I've looked in the Event Logs and
I'm not able to see anyplace that records a date, time, duration or IP/remote
address etc.
Is there such a way/place? If so, where is it?

Same for FTP site tracking.
TIA!

If you enable auditing of logon events in the policy setting of the Remote
Desktop host then you can see every logon attempt and also the client name
(=the Remote Desktop client) used for the RDP session.
 
Tom

What about relative to MY workstation and NOT the host? I've seen it on the
host but I'm looking for it relative to my workstation and if/when I use RDC
or when someone else has used my workstation to logon via RDC.
TIA!
 
Pegasus [MVP]

In this case you need a process monitor. You could use the script below,
which is based on a script issued by the Microsoft Scripting Guy. Here is
what you need to do:
1. Save the code in c:\Windows\TomsMonitor.vbs. Make sure the file has a
.vbs and not a .txt extension. Use copy & paste - do not retype it.
2. Unwrap any lines that your newsreader might have wrapped.
3. Remove the line numbers, then save the file.
4. Start a Command Prompt.
5. Invoke the script like so: cscript //nologo c:\Windows\TomsMonitor.vbs
6. Launch a Remote Desktop session.
7. See if the Command Prompt shows the event.
8. If it did, kill the Command Prompt.
9. Create a scheduled task that launches this command at boot time:
cscript //nologo c:\Windows\TomsMonitor.vbs >> c:\Windows\TomsMonitor.log
10. Start the scheduled task manually.
11. Launch a Remote Desktop session.
12. Use notepad.exe to see if this RDP session was logged in
c:\Windows\TomsMonitor.log.

[01] sProcess = "mstsc"
[02] Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
[03] Set colMonitoredProcesses = objWMIService. _
[04] ExecNotificationQuery("select * from __instanceCreationEvent " _
[05] & " within 1 where TargetInstance isa 'Win32_Process'")
[06]
[07] Do
[08] Set objProcess = colMonitoredProcesses.NextEvent
[09] If InStr(objProcess.TargetInstance.CommandLine, sProcess) Then
[10] WScript.Echo Date, Time, objProcess.TargetInstance.CommandLine
[11] End If
[12] Loop
 
Tom

Thanks... shouldn't "Bill Gates" have supplied this feature? ;-) Enabling
the Event log would be such a neat solution that MS missed!
Great code!

 
Pegasus [MVP]

Tom said:
Thanks... shouldn't "Bill Gates" have supplied this feature? ;-) Enabling
the Event log would be such a neat solution that MS missed!
Great code!

Thanks for the feedback. Considering that this is the first time in many
years of newsgroup work that I have seen this type of request, I have my
doubts that there is a widespread need for it . . .
 
Pegasus [MVP]

Tom said:
Thanks... shouldn't "Bill Gates" have supplied this feature? ;-) Enabling
the Event log would be such a neat solution that MS missed!
Great code!

I just realised that I went a little overboard with my code. I recommend you
change the line
within 1 where TargetInstance isa 'Win32_Process'")
to
within 60 where TargetInstance isa 'Win32_Process'")
because monitoring the creation of new processes once every second places a
heavy burden on the CPU. Once every 60 seconds should be enough.
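
An added example, not part of the original thread or of Pegasus's script: a VBScript variation on the monitor above that also records when each mstsc.exe process exits, so the log shows the duration the original question asked about. The constants TARGET and POLL_SECONDS, the output format and the FormatDuration helper are assumptions of this example.

```vbscript
' Added example, not from the thread. Logs start, stop and duration of every
' mstsc.exe (Remote Desktop client) process on the local workstation.
Option Explicit

Const TARGET = "mstsc.exe"   ' process image name to watch (assumption)
Const POLL_SECONDS = 5       ' assumed polling interval; a process that starts
                             ' and exits between two polls is never seen, and
                             ' timestamps are only accurate to this interval

Dim objWMIService, colEvents, objEvent, objProc, dictStarted, sPid, sQuery

Set dictStarted = CreateObject("Scripting.Dictionary")   ' PID -> start time
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

' __InstanceOperationEvent is the parent class of the creation, deletion and
' modification events, so one query delivers both start and stop.
sQuery = "SELECT * FROM __InstanceOperationEvent WITHIN " & POLL_SECONDS & _
         " WHERE TargetInstance ISA 'Win32_Process'" & _
         " AND TargetInstance.Name = '" & TARGET & "'"
Set colEvents = objWMIService.ExecNotificationQuery(sQuery)

Do
    Set objEvent = colEvents.NextEvent            ' blocks until an event arrives
    Set objProc = objEvent.TargetInstance
    sPid = CStr(objProc.ProcessId)

    Select Case objEvent.Path_.Class
        Case "__InstanceCreationEvent"
            dictStarted(sPid) = Now
            WScript.Echo Now & " START pid=" & sPid & " " & objProc.CommandLine
        Case "__InstanceDeletionEvent"
            If dictStarted.Exists(sPid) Then
                WScript.Echo Now & " STOP  pid=" & sPid & " duration=" & _
                    FormatDuration(DateDiff("s", dictStarted(sPid), Now))
                dictStarted.Remove sPid
            Else
                ' Process was already running when the monitor started.
                WScript.Echo Now & " STOP  pid=" & sPid & " duration=unknown"
            End If
        ' __InstanceModificationEvent also arrives here and is ignored.
    End Select
Loop

' Formats a number of seconds as h:mm:ss.
Function FormatDuration(lSeconds)
    FormatDuration = (lSeconds \ 3600) & ":" & _
                     Right("0" & ((lSeconds \ 60) Mod 60), 2) & ":" & _
                     Right("0" & (lSeconds Mod 60), 2)
End Function
```

Run it the same way as the script above (cscript //nologo, with output redirected to a log file). The remote host shows up in the logged command line only when it was passed to mstsc as an argument, for example with /v: or an .rdp file.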
 
