LogParser Failed Remote Desktop Logons


rdp_audit_failed_logons.cmd

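@echo off
REM rdp_audit_failed_logons.cmd -- Rich Kreider
REM
REM Purpose:  pull failed logon events (Security event 4625 with logon type 10,
REM           i.e. RemoteInteractive/RDP) from a local or remote Security log
REM           with Microsoft LogParser and render an HTML table plus a chart.
REM Usage:    rdp_audit_failed_logons.cmd [computername]
REM           With no argument the local machine is audited.
REM Inputs:   logparser.exe on PATH; output_failures.tpl in the current dir.
REM Outputs:  activity_failedlogons.html and failedlogon.jpg in the current
REM           directory.  The raw CSV is left behind in %TEMPPATH% and is
REM           re-read (by wildcard) on the next run.
REM Caveat:   when Network Level Authentication is enabled, failed RDP
REM           attempts are generally recorded with logon type 3 rather than
REM           10, so the filter below under-counts them on NLA-enabled hosts.
set LOGPARSER=logparser.exe
REM %~1 strips surrounding quotes from the argument, if any.
set TARGET=%~1
set TEMPPATH=%SystemRoot%\Temp
@cls
REM Fall back to the user's TEMP when %SystemRoot%\Temp is not present.
IF NOT EXIST "%SystemRoot%\Temp" set TEMPPATH=%TEMP%
IF "%~1"=="" (
set TARGET=%COMPUTERNAME%
echo Note: You can specify a remote target on the command:
echo.
echo %~nx0 ^<computername^>
echo.
echo I am going to use this system to check for RDP activity.
echo.
echo.
)
echo collecting failed logons
REM Strings tokens for event 4625 (0-based): 5=TargetUserName, 10=LogonType,
REM 13=WorkstationName, 19=IpAddress.  Reading a remote log requires the
REM RemoteRegistry service on the target.  NOTE(review): the EVT input and the
REM sc commands below both expect the \\computername form for a remote target;
REM the local default keeps the bare name as the original did -- confirm that
REM LogParser resolves it on your version.
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,5,'|') AS UserName, EXTRACT_TOKEN(Strings,13,'|') AS Computer, EXTRACT_TOKEN(Strings,19,'|') as IPAddress into %TEMPPATH%\rdp_audit_logon_failures.csv from "%TARGET%\security" where eventid='4625' and EXTRACT_TOKEN(Strings,10,'|')='10'"
IF NOT %ERRORLEVEL%==0 (
echo Problem collecting logon failures.  Check to see if RemoteRegistry is enabled.
goto err_collection
)
echo generating output
REM -tpl needs output_failures.tpl alongside this script; a missing template
REM fails this step the same way an empty result set does, hence the message.
"%LOGPARSER%" -q:ON -i:CSV "select timegenerated, username, computer, ipaddress into activity_failedlogons.html from %TEMPPATH%\rdp_audit*fail*.csv order by timegenerated, username desc" -o:TPL -tpl:output_failures.tpl
IF NOT %ERRORLEVEL%==0 (
echo No activity found, or output_failures.tpl is missing.
goto done
)
REM Per-user totals as an exploded 3D pie chart; failure here is non-fatal.
"%LOGPARSER%" "select username, count(*) as total into failedlogon.jpg from "%TEMPPATH%\rdp_audit*fail*.csv" group by username order by total,username desc" -o:chart -chartType:pieexploded3d -categories:off -charttitle:"Highest Failed Logons by User"
echo.
echo Collection complete.  Please view activity_failedlogons.html for details.
echo.
goto done
:err_collection
echo.
echo Try to enable RemoteRegistry on %TARGET%:  sc %TARGET% start RemoteRegistry
echo.
echo To enable it to start the service at bootup:  sc %TARGET% config RemoteRegistry start= auto
echo.
REM Named ':done' rather than ':eof' so the label cannot be confused with
REM cmd's built-in 'goto :eof'.
:done
echo.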