How to get the IP address and Port info of a RDP client?

Lingfei Wang 1 Reputation point
2023-05-10T21:42:29.7966667+00:00

Hi,

I'm trying to find a way to discover the source public IP and port which was used to establish the RDP connection.

I tried the following ways:

  1. Audit log event 4624, only source IP is included, the source port is empty for RDP.
  2. Terminal services local session manager event 21, only IP info is there.
  3. WTSQuerySessionInformation() with WTSClientAddress. This IP is reported by the RDP client, the IP address might not be the actual public IP, and there is no port info either.
  4. I cannot use the "netstat" way to find the correct port info. Think about the following situation: there are two RDP connections from the same IP with different usernames; how could you tell which connection is used for each one?

So, is there any reliable way to get such info?

As only one RDP session is allowed for desktop Windows, but 2 can be made to a Windows Server.

Thank you very much!


3 answers

  1. Ariane Bueno 5 Reputation points
    2024-01-12T11:00:02.1833333+00:00
    C:\Windows\system32>netstat -aon | findstr ESTAB  | findstr 3389
      TCP    192.168.1.5:3389       192.168.1.2:40030      ESTABLISHED     3088
    
    1 person found this answer helpful.

  2. MotoX80 32,531 Reputation points
    2023-05-11T00:06:24.65+00:00

  3. MotoX80 32,531 Reputation points
    2023-05-11T13:01:16.73+00:00

    Using netstat I can see the connection. (This is Win10 Pro.)

    C:\Windows\system32>netstat -aon | findstr ESTAB  | findstr 3389
      TCP    192.168.1.5:3389       192.168.1.2:40030      ESTABLISHED     3088
    

    In the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational eventlog I see the incoming connection from client port 40030.

    The next entry in the log shows that it was assigned to session 5, which is user admin.

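
The pairing described in the last answer (an accepted-connection record carrying the client IP and port, followed by a record assigning the connection to a session), as an added PowerShell example that is not part of the thread. The function name, the message wording it matches, and the sample records (including port 40031 and session 6) are assumptions constructed for illustration.

```powershell
# Added example. Input: RdpCoreTS/Operational records, oldest first, each with
# TimeCreated and Message. Matching is on message text (assumed wording), so
# no event IDs are relied on.
function Get-RdpClientEndpoint {
    param([Parameter(Mandatory)][object[]]$Events)

    $accept = $null      # most recent "accepted a new TCP connection" record
    $acceptsSince = 0    # accepts seen since the last session assignment
    foreach ($e in $Events) {
        if ($e.Message -match 'from client \[?(?<ip>[0-9A-Fa-f:.]+)\]?:(?<port>\d+)') {
            $accept = [pscustomobject]@{
                Time = $e.TimeCreated; IP = $Matches['ip']; Port = [int]$Matches['port']
            }
            $acceptsSince++
        }
        elseif ($accept -and $e.Message -match 'assigned to session (?<sid>\d+)') {
            [pscustomobject]@{
                SessionId  = [int]$Matches['sid']
                ClientIP   = $accept.IP
                ClientPort = $accept.Port
                AcceptedAt = $accept.Time
                # More than one accept before this assignment (a second logon
                # racing, or a connection that never logged on): check by hand.
                Ambiguous  = ($acceptsSince -gt 1)
            }
            $accept = $null; $acceptsSince = 0
        }
    }
}

# Constructed sample: two logons from the same client IP, told apart by port.
$t = Get-Date '2023-05-11T08:55:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t;                Message = 'The server accepted a new TCP connection from client 192.168.1.2:40030.' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(1);  Message = 'The connection RDP-Tcp#0 was assigned to session 5' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(30); Message = 'The server accepted a new TCP connection from client 192.168.1.2:40031.' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(31); Message = 'The connection RDP-Tcp#1 was assigned to session 6' }
)
Get-RdpClientEndpoint -Events $sample | Format-Table -AutoSize

# On a live host:
# Get-RdpClientEndpoint -Events (Get-WinEvent -Oldest -LogName 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational')
```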