Event for Remote desktop Connection


Problem description




Hi,

I need to monitor when a Remote Desktop connection is made to a particular host.
Is there any WMI event? If not, how can I monitor for Remote Desktop connections?
(Basically I need to generate an event from the remote host that a connection is made by xxx user...)

Thanks in advance.

-Sakthi

Recommended answer

Look into using the Terminal Services API... I just googled for Terminal Services API and immediately came up with:

http://msdn.microsoft.com/en-us/libr...64(VS.85).aspx

So I imagine that's the most likely avenue to investigate.

Otherwise what you would have to do is use something like the WinPCap driver, which installs a sniffer to monitor all traffic on the network card. This can then be used to determine the type of traffic (TCP/UDP), the port the request is coming in from, and the computer it is coming in from. I'm doubtful that it's possible to extract the username of the person connecting though... unless you can figure out how to decode the packets.

The easiest way I can think of to determine the username of the person connecting is to either query the client machine to see who is logged in, or wait until they actually log in on the terminal server and check which username is used - they may connect to the terminal server using a different username/password than the client they connect from.

I suspect that checking a list of users on the server using the API involves referencing WTSEnumerateSessions, which from what I see retrieves a list of sessions on a specified terminal server... this implies that you can query any terminal server which you have authority to query, although it doesn't explicitly say that, so I could be reaching.

I think using some combination of the API and the WinPCAP driver is the way to go. The API will give you access to who they logged into the server as, along with what they're doing on the server, which processes they access etc. The WinPCAP driver will allow you to snoop on the network traffic, giving you information about where they're communicating from. Querying the WMI interface on the remote computer (assuming you have access to that) will allow you to determine who is logged in at that machine. Bear in mind that the person logged into the server may also be logged into the remote machine by remote desktop/terminal services... it may not be the user sitting at the console... and so the cycle continues.

Of course, your application may not need such complexity. I'm just a suspicious network administrator type...


If the software is running on the computer that people will be remoting IN to, then it can be done.
A number of programs can tell when you are remoting in (I have two online video games that tell me when I am remoted into the computer).
If the computer supports multiple users logged in at once, I believe there are WMI/ActiveDirectory queries that can be done to get the usernames of everyone logged in.


Some forums say that to know an RDP connection is made through remote desktop or using the RDP protocol, enable Audit logon events in local security settings.

http://windowsitpro.com/article/arti...n-type-10.html

...then whenever a connection is made we will get a security log entry with Logon type = 10. If the logon type is 10, the user logged on as RemoteInteractive.

http://www.windowsecurity.com/articles/Logon-Types.html

Please see the next post for my question, since I am not able to post more than 100 characters.
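
The Security-log approach from the last post, as an added example that is not part of the original thread: it reports who made a Logon Type 10 (RemoteInteractive) logon and from which address. It assumes Windows Vista/Server 2008 or later, where a successful logon is Security event ID 4624, and that Audit logon events is enabled; the function names and the sample event are constructed for illustration.

```powershell
# Added example. Assumes Windows Vista/Server 2008 or later, where a successful
# logon is Security event ID 4624, and that logon auditing is enabled.

function ConvertFrom-LogonEventXml {
    # Returns user/source details for a Logon Type 10 event, $null for any other type.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    if ($data['LogonType'] -ne '10') { return $null }   # 10 = RemoteInteractive
    [pscustomobject]@{
        Time          = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        User          = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceAddress = $data['IpAddress']
    }
}

function Get-RdpLogon {
    # Live query; run elevated on the host being monitored.
    param([int]$MaxEvents = 200)
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
}

# Constructed sample event (trimmed to the fields used), so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T09:30:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">xxx</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml $sample | Format-List
```

Call `Get-RdpLogon` from a scheduled task or a polling loop to turn each new Type 10 logon into whatever notification the monitoring application needs.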

