How to get an IP Address from a disconnected terminal services session

windows command-line-interface

I'm using qwinsta and rwinsta to manage disconnected sessions at the moment. I usually get something like this:

SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
console                                     0  Conn    wdcon
rdp-tcp                                 65536  Listen  rdpwd
                  Administrator             1  Disc    rdpwd

The problem is when people log on as local Administrator or more general domain accounts.

It may not be possible, but is there a command I can use to get the IPAddress (and then machine name) where the Administrator logon occurred from? I've tried quite a lot of searching around and trying all the tools I could find (sysinternal psloggedon, nbstat etc), but none could get me this information.

Can I find out who keeps leaving sessions open!


Solution 1:

You could try GETTSCIP from http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm

It's a freeware application, but I don't know if it will work for disconnected sessions. I doubt if it will, though.

Solution 2:

You could try TCPView.

You launch it on your terminal server and filter it by local port ms-wbt-server and it should resolve the DNS name of the remote address for you. There is also logging options with the program but I have personally never used them.

Related

SSL/TLS Cipher Priority
Saving website level rewrite rules to applicationHost.config
Graylog2: Can a custom GELF field accept a JSON object
How long is the "defined grace period" for the idle scheduling class of the CFQ io scheduler?
Using puppet to distribute Apache SSL certificates
How do I get ssh to run in the background without using -f?
Windows Server 2008 BitLocker
Active Directory max photo size
PERC 6/i | ext4 | raid5 | 4 disks - improve write performance
FreeRADIUS2 and LDAP Authentication
Safely install MDM Certificate in MDM Server
RDP Data encryption error for Windows 7 Clients