Track the IP address of an RDP login when a shutdown happens

Today I arrived at the office of a client and the Hyper-V server was turned off. The Windows Event Log registers that the admin user sent a shutdown command. I'm not the only one who has access to this user.

How can I find out from what IP the admin user was logged in when this command was requested (what event ID do I need to look up)?

Thanks.


Solution 1:

If I understand correctly, your question is "How can I find the IP from which an RDP connection was established?".

You can take a look at the following log in the Event Viewer: Application and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational. Event ID 21 in this log should be what you are looking for.

However, there are multiple ways of shutting down Windows. Take a look at the System event log: Event ID 1074 from the User32 source should give you more details about who/what initiated the shutdown.
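The following PowerShell is an added example, not part of the answer above: it pairs each shutdown request (System log, User32, event ID 1074) with the most recent session logons by the same account from the LocalSessionManager log. It goes slightly beyond the answer by also reading event ID 25 (session reconnection), which carries the same Address field; the 7-day lookback window and the variable names are assumptions to adjust.

```powershell
# Added example: run in an elevated PowerShell session on the affected server.
$lookback = (Get-Date).AddDays(-7)   # assumption: window that covers the incident
$lsmLog   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# ID 21 = session logon succeeded, ID 25 = session reconnection succeeded.
# User, SessionID and Address live in the UserData section of the event XML.
$sessions = Get-WinEvent -FilterHashtable @{
        LogName = $lsmLog; Id = 21, 25; StartTime = $lookback
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $x.User
            SessionId = $x.SessionID
            Address   = $x.Address   # "LOCAL" means console logon, not RDP
        }
    }

# ID 1074 from User32: a process requested a shutdown/restart on behalf of a user.
$shutdowns = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $lookback
    } -ErrorAction SilentlyContinue

foreach ($s in $shutdowns) {
    $process = $s.Properties[0].Value            # %1 in the message: initiating process
    $type    = $s.Properties[4].Value            # %5: shutdown type (restart, power off, ...)
    $user    = $s.Properties[6].Value            # %7: DOMAIN\user the request ran as
    $account = ($user -split '\\')[-1]           # compare on the bare account name

    # Candidate sessions: same account, opened before the shutdown, newest first.
    $candidates = $sessions |
        Where-Object { $_.Time -le $s.TimeCreated -and
                       ($_.User -split '\\')[-1] -eq $account } |
        Sort-Object Time -Descending |
        Select-Object -First 3

    [pscustomobject]@{
        ShutdownTime = $s.TimeCreated
        RequestedBy  = $user
        Process      = $process
        Type         = $type
        Candidates   = ($candidates | ForEach-Object {
            '{0:u} id={1} session={2} from {3}' -f $_.Time, $_.EventId, $_.SessionId, $_.Address
        }) -join '; '
    }
}
```

The newest session before the shutdown is a candidate, not proof: with a shared account several sessions can be open at once, so compare all listed addresses against who was expected to be connected at that time.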