Checking for a successful RDP logon with PowerShell


Using PowerShell, I open some RDP sessions with the following commands:

    cmdkey /generic:TERMSRV/$server /user:$user /pass:$serverPassword
    mstsc /v:$server /f

That works fine. But sometimes the session cannot be started, for example because the server is unavailable or the credentials are wrong.
What is a simple way to check whether the logon succeeded and the RDP desktop is visible?

In this form it has nothing to do with PowerShell (those are plain executables). It could also run as a batch file (both cmdkey and mstsc are executables, with no \ in front of them, and they are not started via Invoke-Command or otherwise).

I will use your code and variables in PowerShell (I will not adjust it to run via Invoke-Command or otherwise; that is outside the scope of this question and good practice for you):

To check that you have a connected session, via Get-WinEvent:

Get-Winevent -comp $server -FilterHashtable @{Logname='security'; ID=4624; StartTime=(Get-Date).addMinutes(-10)} | where {$_.properties[8].value -eq 10 -and $_.properties[5].value -eq $user}

Explanation of the command (skipping the obvious parts):

  • Logname='security' - this is the Windows log group "security" (on Windows 7 you have Application, Security, Setup, System and Forwarded Events)

  • ID=4624 - this is the ID of the security event 4624: An account was successfully logged on

  • StartTime=(Get-Date).addMinutes(-10) - subtract 10 minutes from the current time (note: adjust this as needed)

  • then pipe with |

  • $_.properties[8].value -eq 10 - RDP (alias RemoteInteractive) sessions have logon type 10

Here is the table of logon types:

╔═════════════════╦═════════════════════════════════════════════════════════════════════════════╗
║ Logon Type      ║ Description                                                                 ║
╠═════════════════╬═════════════════════════════════════════════════════════════════════════════╣
║ 2               ║ Interactive (logon at keyboard and screen of system)                        ║
║ 3               ║ Network (i.e. connection to shared folder on this computer from elsewhere   ║ 
║                 ║ on network)                                                                 ║
║ 4               ║ Batch (i.e. scheduled task)                                                 ║
║ 5               ║ Service (Service startup)                                                   ║
║ 7               ║ Unlock (i.e. unnattended workstation with password protected screen saver)  ║
║ 8               ║ NetworkCleartext (Logon with credentials sent in the clear text. Most often ║
║                 ║ indicates a logon to IIS with "basic authentication")                       ║
║ 9               ║ NewCredentials such as with RunAs or mapping a network drive with alternate ║
║                 ║ credentials.  This logon type does not seem to show up in any events.  If   ║
║                 ║ you want to track users attempting to logon with alternate credentials see  ║
║                 ║ security Type ID 4648.  MS says "A caller cloned its current token and      ║
║                 ║ specified new credentials for outbound connections. The new logon session   ║
║                 ║ has the same local identity, but uses different credentials for other       ║
║                 ║ network connections."                                                       ║
║ 10              ║ RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)  ║
║ 11              ║ CachedInteractive (logon with cached domain credentials such as when        ║
║                 ║ logging on to a laptop when away from the network)                          ║
╚═════════════════╩═════════════════════════════════════════════════════════════════════════════╝
  • -and $_.properties[5].value -eq $user - last but not least, filter by the $user variable
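As an added example (not code from the original answer), the same 4624/LogonType 10 check wrapped in a function that polls the remote Security log until the logon shows up or a timeout expires. It also reads event 4625 (failed logon), which the answer does not mention, and assumes the script has rights to read $Server's Security log remotely and that $User is the bare account name as logged in TargetUserName.

```powershell
# Added example, not code from the original answer. Wraps the answer's
# Get-WinEvent check in a polling loop so a longer script can wait for the
# RDP logon to show up in $Server's Security log (the caller needs rights to
# read that log remotely). Event 4625 (failed logon) is added here.
function Wait-RdpLogon {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $User,   # bare account name, as logged in TargetUserName
        [int] $TimeoutSeconds = 60,
        [int] $PollSeconds = 5
    )
    $since    = (Get-Date).AddMinutes(-1)          # ignore logons from before mstsc was launched
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $events = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
        foreach ($e in $events) {
            # Read EventData fields by name rather than by positional index
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ine $User) { continue }
            if ($e.Id -eq 4624 -and $data['LogonType'] -eq '10') {
                # Successful RemoteInteractive logon: the RDP session is up
                return [pscustomobject]@{ Success = $true; Reason = 'LoggedOn';
                                          Time = $e.TimeCreated; SourceIp = $data['IpAddress'] }
            }
            if ($e.Id -eq 4625) {
                # Failed attempts are not always type 10 (e.g. NLA logs them as type 3),
                # so a failure for this user is reported regardless of logon type
                return [pscustomobject]@{ Success = $false; Reason = "LogonFailed (Status $($data['Status']))";
                                          Time = $e.TimeCreated; SourceIp = $data['IpAddress'] }
            }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Nothing matched before the deadline: server unreachable, or no RDP attempt was logged
    [pscustomobject]@{ Success = $false; Reason = 'Timeout'; Time = $null; SourceIp = $null }
}

# Usage with the question's variables:
# cmdkey /generic:TERMSRV/$server /user:$user /pass:$serverPassword
# mstsc /v:$server /f
# $r = Wait-RdpLogon -Server $server -User $user -TimeoutSeconds 90
# if (-not $r.Success) { Write-Warning "RDP logon for $user on ${server}: $($r.Reason)" }
```

A Timeout result does not distinguish an unreachable server from a logon that never happened; check that the remote log is readable first if that matters to the script.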


As you know, neither of those commands is actually a PowerShell command.

Yes, but if you search for "Powershell rdp session" you mostly get these commands. I use it in a longer PowerShell script. So I don't need help with the above commands; I will look for a PowerShell solution for the check later.

You should always provide as much information as possible. It allows us to help you better. If you only post an excerpt, you will get poorer answers.