5,100 questions
C:\Windows\system32>netstat -aon | findstr ESTAB | findstr 3389
TCP 192.168.1.5:3389 192.168.1.2:40030 ESTABLISHED 3088
How to get the IP address and Port info of a RDP client?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 3%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELW%3C/text%3E%3C/svg%3E)
Lingfei Wang
1
Reputation point
Hi,
I'm trying to find a way to discover the source public IP and port which was used to establish the RDP connection.
I tried the following ways:
- Audit log event 4624, only source IP is included, the source port is empty for RDP.
- Terminal services local session manager event 21, only IP info is there.
- WTSQuerySessionInformation() with WTSClientAddress. This IP is reported by the RDP client, the IP address might be not the actual public IP, and there is no port info either.
- I cannot use the "netstat" way to find the correct port info. Think about the following situation, there are two RDP connections from the same IP with different username, how could you tell which connection is used for each one?
So, is there any reliable way to get such info?
As only one RDP session is allowed for a desktop windows, but 2 can be made to a windows server.
Thank you very much!
Windows for business Windows Client for IT Pros User experience Remote desktop services and terminal services
Windows for business Windows Server User experience Other
20,212 questions
3 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 57.99999999999999%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Ariane Bueno 5 Reputation points2024-01-12T11:00:02.1833333+00:00 -
MotoX80 36,291 Reputation points2023-05-11T00:06:24.65+00:00 Have you tried the quser command?
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser
-
Lingfei Wang 1 Reputation point
2023-05-11T01:37:51.2033333+00:00 I can NOT find any IP/Port related info from the output of "quser".
-
Lingfei Wang 1 Reputation point
2023-05-11T01:43:57.1333333+00:00 I can NOT find any IP/Port related info from the output of "quser".
Sign in to comment -
-
MotoX80 36,291 Reputation points
2023-05-11T13:01:16.73+00:00 Using netstat I can see the connection. (This is Win10 Pro.)
C:\Windows\system32>netstat -aon | findstr ESTAB | findstr 3389 TCP 192.168.1.5:3389 192.168.1.2:40030 ESTABLISHED 3088In the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational eventlog I see the incoming connection from client port 40030.
The next entry in the log shows that it was assigned to session 5, which is user admin.
-
Lingfei Wang 1 Reputation point
2023-05-12T02:57:53.6266667+00:00 Thank you very much for your reply, but that's not the answer.
Think about the following situation, there are two RDP connections from the same IP with different username almost at the same time, how could you tell which connection is used for each one?
-
MotoX80 36,291 Reputation points
2023-05-12T05:48:25.1833333+00:00 What is the real problem you are having? Because I can't think of a reason why I would care which socket is used for any connection. You should see an event 131 followed immediately by an event 65 which tells you the session number. Are you seeing back to back 131 events?
-
Lingfei Wang 1 Reputation point
2023-05-12T06:07:00.07+00:00 The actual need is the problem itself, I need to get the detail info for any RDP session, including ip, port, sesstion id, username under any situation.
It seems there is no such API. There was an undocumented API named WinStationQueryInformation(), it was deprecated.
-
MotoX80 36,291 Reputation points
2023-05-12T06:46:20.57+00:00 Filter that event log for 131 and 65 events. Do you ever see a 131 event followed by another 131 event? Or do you always see a 131 followed by a 65? Unless you are having some kind of denial of service attack on RDP, I would expect to see a 131+65 sequence which should give you the information that you want.
-
Lingfei Wang 1 Reputation point
2023-05-12T07:14:32.99+00:00 I have no idea about the event sequence as there is no doument.
If these two events are not interlaces with other's, that can be a solution. Thank you very much!
Besides this, is there any reliable way or official way to fulfill this task?
-
MotoX80 36,291 Reputation points
2023-05-12T13:03:17.6633333+00:00 -
Lingfei Wang 1 Reputation point
2023-05-12T16:32:36.2766667+00:00 There is no clear hint that software succeeded to get the port info, it just mentioned "client IP", that might be the client reported one, or just the actual IP from event log.
-
MotoX80 36,291 Reputation points
2023-05-12T22:44:37.92+00:00 Why do you need the port number? It's just a random available port on the client side, is it not?
-
Lingfei Wang 1 Reputation point
2023-05-12T22:59:21.1666667+00:00 If you dumpped the network traffic, without the source port, these two connections would mix together if we can not distinguish them. Think about the relationship between the network traffic, RDP session ID, username, LogonId, and all other activities/events.
-
Lingfei Wang 1 Reputation point
2023-05-12T23:04:29.9033333+00:00 If you dummped the traffic of RDP connections, you can not seprate them without source port.
Think about the relationship between network traffic, RDP session ID, LogonId, username and all other activities/events.
Due to the lack of IPv4 addresses, many users may share the same public IP by sitting behind a NAT gateway.
-
Lingfei Wang 1 Reputation point
2023-05-12T23:39:07.5966667+00:00 Sorry for the dumplicated message, maybe I am new to this forum, I found the posted message might not be displayed, so I retried it again.
I cannot understand the logic how the comment be displayed.
-
Lingfei Wang 1 Reputation point
2023-05-12T23:43:31.22+00:00 Sorry for the duplicated message. I have no idea why the first comment might not be displayed. Maybe because I am a new guy here.
I just tried to post the comment again.
Sign in to comment -