🖥️ PowerShell RDP Log Analysis Guide
Analyze Windows Security Logs and filter RDP (Logon Type 10) sessions using Event ID 4624.
🚀 PowerShell Command Overview
This script analyzes Windows Security Logs and extracts RDP (Remote Desktop) login activity from the last 30 days.
$StartDate = (Get-Date).AddDays(-30); Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartDate} -ErrorAction SilentlyContinue | ForEach-Object { $xml=$_.ToXml(); $data=@{}; foreach($d in $xml.Event.EventData.Data){ $data[$d.Name]=$d.'#text' }; if($data['LogonType'] -eq '10'){ [PSCustomObject]@{ ComputerName=$env:COMPUTERNAME; TimeCreated=$_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'); TargetUserName=$data['TargetUserName']; TargetDomainName=$data['TargetDomainName']; IpAddress=$data['IpAddress']; WorkstationName=$data['WorkstationName']; LogonProcessName=$data['LogonProcessName']; AuthenticationPkg=$data['AuthenticationPackageName']; EventID=$_.Id } } } | Sort-Object TimeCreated
This command filters only successful RDP logins and helps you analyze user and IP-based connection history.
📌 What Does This Script Do?
- Scans last 30 days of Security logs
- Extracts Event ID 4624 (successful logins)
- Parses XML event data
- Filters Logon Type 10 (RDP sessions)
- Extracts username, domain, and IP details
- Sorts results by time
📌 Output Fields Explained
| Field | Description |
|---|---|
| ComputerName | Machine where log was recorded |
| TimeCreated | Login timestamp |
| TargetUserName | User account name |
| TargetDomainName | Domain information |
| IpAddress | Source IP address |
| WorkstationName | Client machine name |
| LogonProcessName | Authentication process |
| AuthenticationPkg | Authentication package used |
| EventID | Event ID (4624) |
🔒 Security Notice
This script should only be used on systems you are authorized to monitor. Unauthorized log analysis may be illegal.
📝 Conclusion
PowerShell provides a powerful way to analyze Windows Security Logs and track RDP login activity. Using Event ID 4624 and Logon Type 10 filters, you can easily monitor remote access sessions.
Arif Akyüz
Bilgi Teknolojileri
Sistem Network Yöneticisi
ve Siber Güvenlik Uzmanı
[email protected]
- What is an LLM (Large Language Model)?
- CVE-2026-31431 (Copy Fail) – Ubuntu Security Mitigation Guide
- Windows Active Directory’de AD Kullanıcıları Raporlama – PowerShell ile Adım Adım
- Learn WiFi Password Using CMD (Windows Guide)
- What is RBAC (Role-Based Access Control)?
- PowerShell Get-WinEvent for Windows Event Log Analysis, Security Auditing and Digital Forensics
- Application Security: How to Check if a Software is Safe to Use
- How to Check Windows Server Restart History Using PowerShell
- GENAI and the Growing Cyber Threat: Raising Awareness for a Safer Digital Future
- PowerShell RDP Log Analysis Guide
- Windows 11 Recovery Bölümünü Silerek Disk Genişletme
- Windows Server Installed Programs List & Software Inventory Report – PowerShell HTML Script
- Microsoft 365 Copilot Agents: Microsoft-Developed Agents
- Top Professional Titles for Experts in AI Agent Management
- Quick File Finder with Powershell
- Let’s Encrypt SSL Certificate Setup for Wazuh Dashboard
- Automatically Connecting Windows 11 Devices to a Hidden SSID Without Sharing the Password
- Ubuntu Server Initial Setup and Configuration Guide
- Intel Core i5 Processor Generations (2009–2025)
- WAZUH ile pfSense Logları ile Trafik Analizi ve Filtreleme
- Intel Core i7 Processor Generations (2008–2025)
- pfSense Log Filtering Guide for Wazuh Discover
- Intel Core i9 Processor Generations (2017–2025)
- Opening a Port and Testing TCP Connections with PowerShell
- Testing Your Antivirus with PowerShell (Safe EICAR Script)
- Python Virtual Environment (venv) Setup: Windows, Linux & macOS
- test-antivirus-powershell
- Listing Unique IP Addresses in a File with PowerShell
- Adding Entries to Windows 11 Hosts File Using CMD
- .bak the process of opening and importing a SQL file
- .NET Framework 3.5 installation fails
- 1. Change user password with CMD
- 2. Create users with CMD
- 3. Delete a user with CMD
- 4. Open Port Inquiry CMD
- 5. Learning external IP with CMD
- 6. Domaine Alma with CMD
- 8. Creating a Folder with CMD
- 9. Shut Down a Remote Computer with CMD
- Account keeps locking
- Active Directory Security
- Active Directory Unlock Account Permission
- Add a Program to the Right-Click Menu
- Add Google Ads conversion tracking code to WordPress
- Add Opencart Google Ads conversion tracking code (add snippets)
- Add Whatsapp order button
- Adobe Illustrator Convert Type to Vector
- ALL ARTICLES
- Allow a standard user to run an application as an administrator in Windows
- ARİF AKYÜZ – SITE CONTENT
- Articles
- Backup Policy
- BC Search for Files and Folders with CMD
- Bitlocker Commissioned
- C# XML File Data Pull, Add, Delete, Update Operations
- Centos 7 IP Switching
- Change MAC Address
- Change the ADD to WooCommerce cart post
- Cisco Router Configuration
- Cisco Switch Model Learning Command
- Cisco Switch Setup
- CMD commands
- Combine columns one after the other in Excel
- Convert Picture to Text Converting Picture to Word
- Create a table of contents in Word
- Critical Files on Linux
- Cryptolocker Extension List
- CSS icon Package
- Cyber Security Certifications
- Cybersecurity Courses Passive Information Collection
- Data recovery via formatted disk
- Define the same proxy address for all users on Terminal Servers
- Delete Files and Folders with Task Scheduler Delete a File and Folder with PowerShell
- Deleting User Profile Files with Powershell
- DHCP Fail-over on Windows Server 2019
- Directory Structure on Linux
- Diskpart
- DNS Cache Clearing
- DOWNLOAD
- Exchange version information learning command
- Exchange: Bypass Malware Filtering
- File commands on Linux
- File Permissions on Linux
- Find out which port the app is using in Windows
- Forti Firewall IP Export
- Forti IP Export
- Google Advertising
- Google Advertising with ADS
- Google DNS
- Google Tag Manager Click Tracking
- Google Tag Manager Installation Turkish Lecture
- Group policy see command CMD applied to the computer
- How to Build an E-Commerce Site
- How to configure Proton VPN on pfSense using WireGuard
- How to Create a Shortcut to a Hyper-V Virtual Machine
- How to Create Trusted Self-Signed SSL Certificates and Local Domains for Testing
- How to Find Out the Motherboard Model?
- How to Get Facebook Pixel Code
- How to install FortiGate FortiOS 7.0
- How to Make a Vector Logo with Adobe Illustrator
- How to Put Password on Word Document
- How to Stay Safe From Stealer Attacks
- How to write IPv6 as a URL
- How to: Create CSR Code Through IIS
- HPE StoreOnce Systems
- IE Prevent running First Run Wizard
- Import Google Chrome passwords
- Instagram ad account closed
- INSTAGRAM ADVERTISING TRAINING
- Internal Network Attacks
- IPv6 Proxy
- Kali Linux Installation
- LAPS Installation and Configuration
- Learning Exchange CU Info command
- Learning MAC address with IP
- List files in an Excel folder
- Log4j scan for Linux
- Log4j Scan for Windows
- Mbps to kbps Converter
- Microsoft Endpoint Manager
- Microsoft Intune EDR import Server
- Microsoft Security Compliance Toolkit 1.0
- Most used ports
- My Instagram Ad Account Has Been Closed, How Can I Open?
- Network Settings for Viritual Box Virtual Machines
- NMAP Commands
- Open the UBUNTU SSH Port
- Opencart social media icon pack
- Package Management on Linux
- Password Expiration Date AD User
- Password Policy
- Paste into Excel Filtered Cells
- PDF Encryption and PDF file encryption
- Persistent user account lockout
- Ping IPv6
- Process Management on Linux
- Pull List of Domain Admin Group Members
- Pull local admin accounts of devices in the domain with Powershell
- Pulling a List of Applications Installed on the Computer with CMD
- Random MAC Address Generation
- Random password generator
- Random Password Generator
- RDP Event Viewer ID
- Real-Time Cyber Threat Map
- Reliable and fast DNS Server List 2022
- Remove additional information, product description, and product review from the WooCommerce product page
- Remove vmware workstation encryption
- RVTools
- Samsung phone throwing rom
- Samsung tablet rom throwing
- See the open and closed ports on the Cisco switch
- Send Outlook future mail
- Server room Checklist
- Server Sustainability
- Showing the Lowest Price on Products with WooCommerce Options
- SMB Signing Disabled
- Social Engineering Attacks
- Speed test
- SQL Injection Attack
- SQL Server 2019 setup
- Switch commands
- This computer can't run windows 11 error solution
- Turn off Insecure TLS Versions
- User management on Linux
- What is a bot?
- What is Biometric Photography?
- What is EternalBlue?
- What is GRC?
- What is IPv6?
- WHAT IS NBTSTAT
- What is Penetration Testing? What is vulnerability scanning?
- What is Split Tunnel? What is Full Tunnel?
- Who reset the User's Password on AD
- Whoami commands
- Windows 10 Password Cracking Programless
- Windows 10 release history
- Windows 11 theme appearance customization
- Windows 2016 Startup Folder
- Woocommerce Closing to Shopping
- WordPress Search button removal hiding
- WordPress Whatsapp button add