How Do You Check Logs for Failed RDP Login Attempts?

We can check the logs of failed RDP login attempts from the Event Viewer.

Event Viewer is the Windows tool for viewing the activity recorded on your server, and it is commonly used for troubleshooting Windows and application errors. It shows the actions each user has performed on the device, along with errors, critical messages, and warnings from Windows Server.

Failed RDP login attempts are recorded in the Windows Security log, which is also where other failed login attempts and unknown access patterns are typically stored.

An authentication error occurs when an individual or application submits incorrect or invalid credentials to the server. Windows identifies it with Event ID 4625.

This event is logged for every failed attempt to log on to a system. It may be due to someone trying to hack your system. However, it is also possible that someone has forgotten their password, the account has expired, or an application was configured with the wrong password.

These events include the following pieces of information –  

  • Log details – name, source, and other log information.
  • Subject – account name, domain, and security information about the login.
  • Login type – the method used to log on, such as at the local keyboard or remotely over the network.
    This field value is expressed as an integer, the most common being 2 (local keyboard) and 3 (network).
  • Account for Which Login Failed – name, domain, and other details for the failed login.
  • Failure Information – failure reason and status of the attempt.
  • Process Information – name and ID of the originating process.
  • Network Information – name, IP address, and port where the remote login request originated. These values are left blank for local logins or if the information can't be found.
  • Detailed Authentication Information – details about this specific login request.

How to check the log of Failed RDP Login attempts from Windows Server?

Below are the steps to check the logs for Failed RDP Login attempts –

  • Step 1: Log in to your VPS as an administrator user.
  • Step 2: Go to the taskbar and click on the Windows Start button.
  • Step 3: Click the Search box on the screen's upper right side and type Event Viewer.
  • Step 4: Once you have typed Event Viewer, the Event Viewer application will appear below; click it to open it.
  • Step 5: Click on the Windows Logs option in the Event Viewer window. Then, click on the Security option.
  • Step 6: In the Security window, you can see a list of the failed login attempts.
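
The same check can be scripted. The PowerShell below is an added example, not part of the original article: it reads Event ID 4625 from the Security log and groups the failed logins by source IP, using the Account and Network Information fields described above. The 24-hour window and the inclusion of login type 10 (RemoteInteractive, used for RDP sessions) alongside type 3 are assumptions of this example.

```powershell
# Added example: summarize failed logins (Event ID 4625) from the Security log.
# Run in an elevated PowerShell session; reading the Security log needs admin rights.
$since = (Get-Date).AddHours(-24)   # look-back window (assumption, adjust as needed)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue      # suppresses the "no events found" error

$failures = foreach ($e in $events) {
    # The named fields of the event live in its XML <EventData> block.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = [int]$data['LogonType']
        SourceIp  = $data['IpAddress']   # '-' or empty for local logins
        Status    = $data['Status']      # NTSTATUS code for the failure
        SubStatus = $data['SubStatus']
    }
}

# Keep remote attempts only: 3 = network, 10 = RemoteInteractive (RDP).
$remote = $failures | Where-Object { $_.LogonType -in 3, 10 }

# One row per source address: attempt count, accounts tried, first and last attempt.
$remote | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SourceIp'; e = { $_.Name } },
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } },
        @{ n = 'First';    e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
        @{ n = 'Last';     e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

A source address with many attempts against several account names in a short span points to password guessing, while a handful of failures for one account is more consistent with a forgotten or expired password.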
