This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 3%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELW%3C/text%3E%3C/svg%3E)
Hi,
I'm trying to find a way to discover the source public IP and port which was used to establish the RDP connection.
I tried the following ways:
So, is there any reliable way to get such info?
As only one RDP session is allowed for a desktop windows, but 2 can be made to a windows server.
Thank you very much!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 57.99999999999999%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
C:\Windows\system32>netstat -aon | findstr ESTAB | findstr 3389
TCP 192.168.1.5:3389 192.168.1.2:40030 ESTABLISHED 3088
Have you tried the quser command?
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser
I can NOT find any IP/Port related info from the output of "quser".
I can NOT find any IP/Port related info from the output of "quser".
Using netstat I can see the connection. (This is Win10 Pro.)
C:\Windows\system32>netstat -aon | findstr ESTAB | findstr 3389
TCP 192.168.1.5:3389 192.168.1.2:40030 ESTABLISHED 3088
In the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational eventlog I see the incoming connection from client port 40030.
The next entry in the log shows that it was assigned to session 5, which is user admin.
Thank you very much for your reply, but that's not the answer.
Think about the following situation, there are two RDP connections from the same IP with different username almost at the same time, how could you tell which connection is used for each one?
What is the real problem you are having? Because I can't think of a reason why I would care which socket is used for any connection. You should see an event 131 followed immediately by an event 65 which tells you the session number. Are you seeing back to back 131 events?
The actual need is the problem itself, I need to get the detail info for any RDP session, including ip, port, sesstion id, username under any situation.
It seems there is no such API. There was an undocumented API named WinStationQueryInformation(), it was deprecated.
Filter that event log for 131 and 65 events. Do you ever see a 131 event followed by another 131 event? Or do you always see a 131 followed by a 65? Unless you are having some kind of denial of service attack on RDP, I would expect to see a 131+65 sequence which should give you the information that you want.
I have no idea about the event sequence as there is no doument.
If these two events are not interlaces with other's, that can be a solution. Thank you very much!
Besides this, is there any reliable way or official way to fulfill this task?
There is no clear hint that software succeeded to get the port info, it just mentioned "client IP", that might be the client reported one, or just the actual IP from event log.
Why do you need the port number? It's just a random available port on the client side, is it not?
If you dumpped the network traffic, without the source port, these two connections would mix together if we can not distinguish them. Think about the relationship between the network traffic, RDP session ID, username, LogonId, and all other activities/events.
If you dummped the traffic of RDP connections, you can not seprate them without source port.
Think about the relationship between network traffic, RDP session ID, LogonId, username and all other activities/events.
Due to the lack of IPv4 addresses, many users may share the same public IP by sitting behind a NAT gateway.
Sorry for the dumplicated message, maybe I am new to this forum, I found the posted message might not be displayed, so I retried it again.
I cannot understand the logic how the comment be displayed.
Sorry for the duplicated message. I have no idea why the first comment might not be displayed. Maybe because I am a new guy here.
I just tried to post the comment again.