How to get the IP address and Port info of a RDP client?
Hi,
I'm trying to find a way to discover the source public IP and port which was used to establish the RDP connection.
I tried the following ways:
- Audit log event 4624, only source IP is included, the source port is empty for RDP.
- Terminal services local session manager event 21, only IP info is there.
- WTSQuerySessionInformation() with WTSClientAddress. This IP is reported by the RDP client, so the IP address might not be the actual public IP, and there is no port info either.
- I cannot use the "netstat" way to find the correct port info. Think about the following situation: there are two RDP connections from the same IP with different usernames. How could you tell which connection is used for each one?
So, is there any reliable way to get such info?
Only one RDP session is allowed for a desktop Windows, but 2 can be made to a Windows Server.
Thank you very much!
3 answers
-
Ariane Bueno 5 Reputation points
2024-01-12T11:00:02.1833333+00:00
-
MotoX80 32,911 Reputation points
2023-05-11T00:06:24.65+00:00
Have you tried the quser command?
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser
-
MotoX80 32,911 Reputation points
2023-05-11T13:01:16.73+00:00
Using netstat I can see the connection. (This is Win10 Pro.)
C:\Windows\system32>netstat -aon | findstr ESTAB | findstr 3389
TCP 192.168.1.5:3389 192.168.1.2:40030 ESTABLISHED 3088
In the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational eventlog I see the incoming connection from client port 40030.
The next entry in the log shows that it was assigned to session 5, which is user admin.
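
The log correlation described in the last answer, written as a PowerShell sketch. This is an added example, not code from the thread. It assumes English message text containing "from client <ip>:<port>" and "assigned to session <n>", and it assumes both entries of one connection may share an ActivityId, falling back to log order (the "next entry") when they do not.

```powershell
# Added example: pair each incoming RDP connection (client IP:port) with the
# session it was assigned to, using the RdpCoreTS operational log.
$logName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'

# Assumed English message wording (not confirmed by the thread):
#   "... from client 192.168.1.2:40030"  /  "... assigned to session 5"
$reClient  = 'from client\s+\[?(?<ip>[0-9A-Fa-f:.%]+)\]?:(?<port>\d+)'
$reSession = 'assigned to session\s+(?<sid>\d+)'

# Oldest first, so "the next entry" really is the next record.
$events = Get-WinEvent -LogName $logName -MaxEvents 2000 -ErrorAction Stop |
    Sort-Object RecordId

$pending = [System.Collections.Generic.List[object]]::new()
$paired = foreach ($e in $events) {
    if ($e.Message -match $reClient) {
        # Remember the connection until its session assignment shows up.
        $pending.Add([pscustomobject]@{
            Time       = $e.TimeCreated
            ClientIP   = $Matches.ip
            ClientPort = [int]$Matches.port
            Activity   = $e.ActivityId
            SessionId  = $null
            MatchedBy  = $null
        })
    }
    elseif ($e.Message -match $reSession -and $pending.Count -gt 0) {
        $sid = [int]$Matches.sid
        # Prefer a shared ActivityId: it keeps two logons from the same IP apart.
        $hit = $pending |
            Where-Object { $_.Activity -and $_.Activity -eq $e.ActivityId } |
            Select-Object -Last 1
        $how = 'ActivityId'
        if (-not $hit) {
            # Fallback: the most recent unmatched connection (log order).
            $hit = $pending[$pending.Count - 1]
            $how = 'LogOrder'
        }
        [void]$pending.Remove($hit)
        $hit.SessionId = $sid
        $hit.MatchedBy = $how
        $hit
    }
}

$paired | Select-Object Time, ClientIP, ClientPort, SessionId, MatchedBy |
    Format-Table -AutoSize
quser   # lists session IDs next to user names
```

Rows marked `LogOrder` were paired only by position in the log, so check them by hand when several connections arrive at nearly the same time.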