If you suspect that your computer has been accessed through a remote desktop connection and want to find the source IP, you can look it up in the Event Viewer:
Open the Event Viewer.
Navigate to Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager > Operational.
Search for events with the following three IDs:
- Event ID 21: Successful session login.
- Event ID 24: Disconnected session.
- Event ID 25: Reconnected session.
Alternatively, you can use the following command, which is faster and lists the connections involving port 3389 that are currently established:
netstat -n | find ":3389" | find "ESTABLISHED"
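
The same lookup can be scripted so that the source address of each session event is pulled out in one pass. The following is an added example, not part of the original post. The function name `Get-RdpSessionSource` is hypothetical, the script assumes the events carry `User`, `SessionID` and `Address` under `UserData/EventXML`, and the sample event is constructed, using a documentation-range address.

```powershell
# Added example: list RDP session events (IDs 21, 24, 25) with their source address.
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Meaning = @{ 21 = 'logon'; 24 = 'disconnect'; 25 = 'reconnect' }

function Get-RdpSessionSource {   # hypothetical helper name
    # -EventXml takes event XML strings; when omitted, the live log is read.
    param([string[]]$EventXml)
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 21, 24, 25 } |
            ForEach-Object { $_.ToXml() }
    }
    foreach ($xml in $EventXml) {
        $evt  = ([xml]$xml).Event
        $id   = [int]$evt.System['EventID'].InnerText
        $data = $evt.UserData.EventXML        # assumed to hold User, SessionID, Address
        if (-not $Meaning.ContainsKey($id) -or -not $data) { continue }
        [pscustomobject]@{
            Time      = $evt.System['TimeCreated'].GetAttribute('SystemTime')
            EventId   = $id
            Action    = $Meaning[$id]
            User      = $data.User
            SessionId = $data.SessionID
            Address   = $data.Address         # 'LOCAL' marks a console session, not RDP
        }
    }
}

# Constructed sample event (not taken from a real host) so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>21</EventID>
    <TimeCreated SystemTime="2024-01-15T08:30:12.000Z" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>WORKSTATION\alice</User>
      <SessionID>2</SessionID>
      <Address>203.0.113.45</Address>
    </EventXML>
  </UserData>
</Event>
'@
Get-RdpSessionSource -EventXml $sample | Format-Table -AutoSize

# On the host under review, read the real log and count events per source:
# Get-RdpSessionSource | Where-Object Address -ne 'LOCAL' | Group-Object Address, User
```

Unlike the `netstat` check, this also covers sessions that have already ended, for as long as the events remain in the log.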