How to see who logged into Windows Server via RDP
In any version of Windows Server, it is easy to see from where the remote desktop connection to the server or virtual machine was accessed. The operating system logs every login.
- The first step is to right-click on the Windows icon and select the “Run” option. In the pop-up window, type eventvwr.msc and press OK.
2. After sending the command, the “Event Viewer” window will pop up. In the side menu, navigate to Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager. Open the TerminalServices-RemoteConnectionManager folder.
3. Select the current “Operations” option, then right click on it, then select the “Filter Current Log...” menu item.
4. Enter the event code 1149 in the appropriate field and press OK. This is the event code for RDP connections.
5. After that, you will only see remote desktop logins. Each row is a login. All you have to do is select one, then right click on it and select “Event Properties“.
6. In the pop-up window, you will see the IP address of the remote login after “Source Network Address“.