Checking RDP login success with PowerShell

Posted: 2018-07-23 10:29:10

Tags: powershell rdp

Using PowerShell, I open some RDP sessions with the following commands:

cmdkey /generic:TERMSRV/$server /user:$user /pass:$serverPassword
mstsc /v:$server /f

This works fine. But sometimes the session does not start, for example because the server is unavailable or the credentials are wrong. What is an easy way to check whether the login succeeded and the RDP desktop is visible?

1 answer:

Answer 0 (score: 1)

In this form it has nothing to do with PowerShell (those are plain executables). It could just as well run as a batch file (cmdkey and mstsc are both executables; you have no .\ in front of them, and you do not launch them via invoke-command or anything else).

I will use your code and variables in PowerShell (I will not adapt it to run through invoke-command or other programs. That is outside the scope of this question and would be a good exercise for you):

cmdkey /generic:TERMSRV/$server /user:$user /pass:$serverPassword    
mstsc /v:$server /f 

To check whether your session connected, in the Windows Event logs via Get-Winevent:

Get-Winevent -comp $server -FilterHashtable @{Logname='security'; ID=4624; StartTime=(Get-Date).addMinutes(-10)} | where {$_.properties[8].value -eq 10 -and $_.properties[5].value -eq $user}

Explanation of the command (briefly):

  • -FilterHashtable
    • Logname='security' - this is the Windows log group Security (in Windows 7 you have Application, Security, Setup, System and Forwarded Events)
    • ID=4624 - this is the security event ID
      4624: An account was successfully logged on
    • StartTime=(Get-Date).addMinutes(-10) - subtracts 10 minutes from the current time (note: adjust this as needed)
  • then | is used for further filtering
    • $_.properties[8].value -eq 10 - the RDP (alias RemoteInteractive) session type is 10.

Here is the table of logon types:

╔═════════════════╦═════════════════════════════════════════════════════════════════════════════╗
║ Logon Type      ║ Description                                                                 ║
╠═════════════════╬═════════════════════════════════════════════════════════════════════════════╣
║ 2               ║ Interactive (logon at keyboard and screen of system)                        ║
║ 3               ║ Network (i.e. connection to shared folder on this computer from elsewhere   ║ 
║                 ║ on network)                                                                 ║
║ 4               ║ Batch (i.e. scheduled task)                                                 ║
║ 5               ║ Service (Service startup)                                                   ║
║ 7               ║ Unlock (i.e. unattended workstation with password protected screen saver)   ║
║ 8               ║ NetworkCleartext (Logon with credentials sent in the clear text. Most often ║
║                 ║ indicates a logon to IIS with "basic authentication")                       ║
║ 9               ║ NewCredentials such as with RunAs or mapping a network drive with alternate ║
║                 ║ credentials.  This logon type does not seem to show up in any events.  If   ║
║                 ║ you want to track users attempting to logon with alternate credentials see  ║
║                 ║ security Type ID 4648.  MS says "A caller cloned its current token and      ║
║                 ║ specified new credentials for outbound connections. The new logon session   ║
║                 ║ has the same local identity, but uses different credentials for other       ║
║                 ║ network connections."                                                       ║
║ 10              ║ RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)  ║
║ 11              ║ CachedInteractive (logon with cached domain credentials such as when        ║
║                 ║ logging on to a laptop when away from the network)                          ║
╚═════════════════╩═════════════════════════════════════════════════════════════════════════════╝
    • -and $_.properties[5].value -eq $user - last but not least, filtering on the $user variable
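The following is an added example, not code from the question or the answer above. It wraps the same idea (launch mstsc, then look for event 4624 with LogonType 10 on the target) in a function that also reports the two failure cases the question mentions: the server being unreachable (checked on TCP 3389 before anything is launched) and a rejected credential (event 4625 for the same account). It assumes the account running it can read the remote Security log (local admin or Event Log Readers on the target, with the Remote Event Log Management firewall rule open), that logon auditing is enabled there, and that Test-NetConnection is available (Windows 8 / Server 2012 or later). The function name Wait-RdpLogon and the Result strings are my own. Note that the answer's filter on properties[5] only matches the bare account name, so a DOMAIN\ prefix in $user is stripped here before comparing.

```powershell
# Added example (not the original poster's or answerer's code): start an RDP
# session and poll the target's Security log for a RemoteInteractive logon.
# Assumptions: remote Security log is readable by the caller, logon auditing
# is on, and Test-NetConnection exists on the client.
function Wait-RdpLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Password,
        [int] $TimeoutSeconds = 60
    )

    # Fail fast when the host is not listening on RDP: no event will ever be
    # written, and Get-WinEvent would only time out much later.
    if (-not (Test-NetConnection -ComputerName $Server -Port 3389 -InformationLevel Quiet)) {
        return [pscustomobject]@{ Server = $Server; Result = 'Unreachable'; Event = $null }
    }

    $start   = Get-Date
    $account = ($User -split '\\')[-1]   # 4624/4625 carry the bare account name

    # Same credential handling as the question; note the password is visible
    # on the command line while cmdkey runs.
    cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password | Out-Null
    try {
        Start-Process -FilePath mstsc.exe -ArgumentList "/v:$Server", '/f'

        # 4624 = successful logon, 4625 = failed logon. LogonType 10 is
        # RemoteInteractive. With NLA a bad password is typically logged as
        # 4625 with LogonType 3 (the pre-auth), so 4625 is matched on the
        # account name only and not on the logon type.
        $filter   = @{ LogName = 'Security'; ID = 4624, 4625; StartTime = $start }
        $deadline = $start.AddSeconds($TimeoutSeconds)

        while ((Get-Date) -lt $deadline) {
            $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue
            foreach ($e in $events) {
                # Property layout: [5] TargetUserName in both events,
                # [8] LogonType in 4624.
                if ($e.Properties[5].Value -ne $account) { continue }
                if ($e.Id -eq 4624 -and $e.Properties[8].Value -eq 10) {
                    return [pscustomobject]@{ Server = $Server; Result = 'LoggedOn'; Event = $e }
                }
                if ($e.Id -eq 4625) {
                    return [pscustomobject]@{ Server = $Server; Result = 'LogonFailed'; Event = $e }
                }
            }
            Start-Sleep -Seconds 2
        }
        return [pscustomobject]@{ Server = $Server; Result = 'Timeout'; Event = $null }
    }
    finally {
        # mstsc reads the stored credential at connect time; remove it
        # afterwards so the password does not linger in Credential Manager.
        cmdkey /delete:TERMSRV/$Server | Out-Null
    }
}

# Usage (hypothetical host and account):
# $r = Wait-RdpLogon -Server 'srv01' -User 'CORP\alice' -Password $pw
# $r.Result   # 'LoggedOn', 'LogonFailed', 'Unreachable' or 'Timeout'
```

Two caveats when reading the result: the 4624 event proves the server accepted the session, not that the mstsc window is actually on screen, so a client-side check (for example that the mstsc process is still running) is still worth adding if the desktop being visible matters; and because the answer's filter selects on the account name, two scripts logging on as the same user at the same time cannot be told apart by this method.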