10

We have a pool of development machines where developers log in through RDP, and usually they don't log off but just disconnect. As local administrator I can force the log off, but I would like to check when the user disconnected.

From task manager I can see only the user name and its status

Is there a way to discover when the user disconnected using Task Manager, PowerShell, cmd or whatever?

Naigel

4 Answers

12

You can use the Windows command `query user UserName /server:ServerName`, or you can just enter `query user /server:ServerName` to find out all active or disconnected sessions.

Below is the sample output, I have blurred out my info for privacy:

enter image description here

I have also created a PowerShell script to do this task automatically; here is the link: PowerShell to find out disconnected RDP session and log off at the same time

LT-
  • This is nice, but it appears some copies of Windows have the RPC service disabled by default. – tresf Dec 14 '22 at 15:51
  • @tresf this is from 2017 so may not be relevant anymore – LT- Dec 14 '22 at 17:26
  • It's still the most upvoted, so it's meant as no slight against the solution, but rather a warning for others. Meanwhile -- albeit a lot more code -- I found [this solution](https://www.reddit.com/r/PowerShell/comments/306mcn/wtsenumeratesessions/.) on reddit which works without RPC available. I've made a minimal example of this [here](https://gist.github.com/tresf/b0d3d06728236fe988384a8e14c0d019) tested on Windows 11. Unfortunately, the solution does not have the username, which is critical for what I was looking for. In the end, I used another solution entirely, but wanted to share. :) – tresf Dec 14 '22 at 17:39
3

As far as I know this is not in the security logs. The correct place to look is in Microsoft Event Viewer under Applications and Services Logs => Microsoft => Windows => TerminalServices-LocalSessionManager => Operational and then under the Operational logs.

The eventID to look for is ID24 (disconnected user session). EventID 25 is a reconnect.

bluuf
  • perfect, thank you! I corrected the path, it was incomplete. In that view I can find only real user connection, exactly what I was looking for – Naigel Aug 24 '15 at 14:20
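
The lookup described in the answer above, as an added PowerShell example that is not part of the original thread: it reads events 24 and 25 from the TerminalServices-LocalSessionManager operational log and reports users whose latest event is a disconnect. The function name `Get-RdpDisconnectTime`, the `UserData` field names (`User`, `SessionID`, `Address`) and the use of event ID 23 (session logoff) are assumptions not taken from the thread.

```powershell
# Added example (not from the thread). Run elevated, or as a member of
# "Event Log Readers", so the operational log is readable.
function Get-RdpDisconnectTime {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000          # newest events are returned first
    )

    $filter = @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        # 24 = disconnect, 25 = reconnect (from the answer above);
        # 23 = logoff (assumption, added so logged-off users are not reported).
        Id      = 23, 24, 25
    }

    # -ErrorAction Stop surfaces access-denied and "no events found" errors
    # instead of silently returning nothing.
    $records = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                            -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Assumption: the payload sits under UserData/EventXML.
            $d = ([xml]$_.ToXml()).Event.UserData.EventXML
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = $d.User
                SessionId = $d.SessionID
                Source    = $d.Address
            }
        }

    # Keep only users whose most recent event is a disconnect.
    $records | Group-Object User | ForEach-Object {
        $last = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        if ($last.EventId -eq 24) {
            [pscustomobject]@{
                User           = $last.User
                SessionId      = $last.SessionId
                Source         = $last.Source
                DisconnectedAt = $last.Time
                IdleFor        = (Get-Date) - $last.Time
            }
        }
    }
}

Get-RdpDisconnectTime | Sort-Object DisconnectedAt | Format-Table -AutoSize
```

Results only go back as far as the log's retention allows, so a session that disconnected before the oldest retained event will not be listed.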
1

You can start the Windows Event Viewer and check under Windows logs --> Security. Filter by 'Task Category = Logoff'.

You can export it to xml for easier reading.

Nissim
  • Why don't you edit your previous answer and include this, instead of posting two answers (which are the same)? – Patrick Aug 24 '15 at 08:46
  • OK, answer nearly correct; of course I can't find the logoff because he didn't log off, but just disconnected. Anyway I can't find any details, my security logs history is just too short – Naigel Aug 24 '15 at 09:17
  • A logoff is something completely different from a disconnect in RDP. – bluuf Aug 24 '15 at 12:07
0

Start-->Run-->Eventvwr-->Windows logs-->Security. Filter by 'Task Category = Logoff'

Nissim