Tracking RDP Logins with PowerShell: Audit Successful Remote Logons (Event ID 4624)



Open PowerShell as administrator and type the following command:


Get-EventLog -LogName Security -InstanceId 4624 -Newest 50 |
Where-Object { $_.ReplacementStrings[8] -eq 10 } |
Select-Object TimeGenerated, 
              @{Name="User"; Expression = { $_.ReplacementStrings[5] }},
              @{Name="Source IP"; Expression = { $_.ReplacementStrings[18] }} |
Format-Table -AutoSize


🧩 Step-by-Step Breakdown:

1. Get-EventLog -LogName Security -InstanceId 4624 -Newest 50

  • Get-EventLog: Fetches events from the Windows Event Log.
  • -LogName Security: Targets the Security log.
  • -InstanceId 4624: Filters only Event ID 4624 (Successful Logon).
  • -Newest 50: Fetches the latest 50 matching entries.

2. Where-Object { $_.ReplacementStrings[8] -eq 10 }

  • Filters the results to only include events where Logon Type is 10.
  • ReplacementStrings[8] = Logon Type in the 4624 event.
       10 = RemoteInteractive (RDP, Terminal Services)

3. Select-Object

This chooses which fields to display:

  • TimeGenerated: The time the logon occurred.
  • User: Extracted from ReplacementStrings[5] (TargetUserName)
  • Source IP: Extracted from ReplacementStrings[18] (IP address of the client)

4. Format-Table -AutoSize

  • Formats the output as a clean table with adjusted column widths.


✅ Final Output Example:

TimeGenerated        User      Source IP
--------------       -------   ---------------
7/31/2025 10:05 AM   jsmith    192.168.1.101
7/31/2025 10:07 AM   admin     10.0.0.5

You can also group the logins per user and check each user's first login time:

Get-EventLog -LogName Security -InstanceId 4624 -Newest 1000 |
Select-Object TimeGenerated, 
              @{Name="User"; Expression = { $_.ReplacementStrings[5] }},
              @{Name="LogonType"; Expression = { $_.ReplacementStrings[8] }} |
Where-Object { $_.LogonType -eq '10' } |
Sort-Object User, TimeGenerated |
Group-Object User |
ForEach-Object { $_.Group | Select-Object -First 1 } |
Format-Table -AutoSize

Using this command, you can group the users and check their first login times. Its output is simpler to read than that of the previous command.
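The same audit can be done with Get-WinEvent, which, unlike Get-EventLog, is still available in PowerShell 7, and by reading the 4624 fields by name from the event XML instead of by ReplacementStrings index. The following is an added example, not code from the original post; it assumes you run it as administrator on the host whose Security log you are auditing, and the function name Get-RdpLogon is my own.

```powershell
# Added example (not from the original post): audit RDP logons (Logon Type 10)
# with Get-WinEvent, reading TargetUserName / LogonType / IpAddress by name from
# the event XML, so the filter does not depend on positional indices.
# Assumed: run as administrator; Get-RdpLogon is a name chosen for this example.
function Get-RdpLogon {
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Convert the event to XML and collect every <Data Name="..."> field in a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = [int]$data['LogonType']
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        } |
        Where-Object { $_.LogonType -eq 10 }   # 10 = RemoteInteractive (RDP)
}

$rdp = Get-RdpLogon -MaxEvents 1000

# First RDP logon per user (same result as the Group-Object command above)
$rdp | Sort-Object User, Time |
    Group-Object User |
    ForEach-Object { $_.Group | Select-Object -First 1 } |
    Format-Table -AutoSize

# RDP logons counted per source IP: an unfamiliar address with many logons
# is the first thing to review during an audit
$rdp | Group-Object SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'SourceIP'; Expression = { $_.Name }} |
    Format-Table -AutoSize
```

Get-WinEvent returns TimeCreated rather than TimeGenerated, so the column is named Time here; the User column includes the domain so that local and domain accounts with the same name are not merged.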


Logon Type Number   Meaning             Typical Scenario
2                   Interactive         User logged on physically (keyboard/mouse)
3                   Network             Access over network (e.g., RDP, SMB, file share)
4                   Batch               Scheduled Task
5                   Service             A service started automatically (e.g., SYSTEM services)
7                   Unlock              User unlocked session
10                  RemoteInteractive   RDP or Terminal Services
11                  CachedInteractive   Cached domain credentials (offline logon)

🛡️ Useful For:

  • Checking who logged in via RDP
  • Viewing remote login attempts
  • Auditing recent successful logins with IP and user info

