
The aim of this bat file is to record RDP connections and log them to a file when the user logs on. It works OK, but it records all RDP connections, so it is not accurate... Is it possible just to run the netstat cmd for a single user at logon, i.e. only record that user's RDP session, not all RDP sessions?

Hope this makes sense...

@echo off
for /f "delims=" %%i in ('netstat -anp TCP^| find "ESTABLISHED"^| find "3389"') do (
    echo %date% %time% %%i >> \\DC\Logs$\Logon\RDP.csv
)
zb226
jbcom41

1 Answer

Instead of netstat, use qwinsta or quser, or their more sensible aliases query session or query user.

set "user=foo"
for /f "delims=" %%I in ('query user %user% ^| find "rdp"') do (
    >>\\DC\Logs$\Logon\RDP.csv echo(%%I
)

(quser / query user includes the logon datetime stamp already.)

Or if I've misunderstood and you're actually asking how to trigger the bat file only when a particular user logs on, put it in that user's %userprofile%\Start Menu\Programs\Startup or put a REG_SZ entry in that user's HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Be advised that it won't fire if the user disconnects and reconnects -- only if he performs a login action from a logged-out state. If you want to log an event on reconnect to active session, you can try adding a scheduled task to fire on an unlock event.

If you're asking how to pair a remotely logged in user with his IP address when there is more than one user logged in remotely, I've not found an easy way to do that, other than to use a 3rd party tool. TSListUsers seems to work though. But I'll keep looking.

Community
rojo
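As an added example (not part of the answer above or the asker's script), here is a logon script that records only the session it is running in, so other users' RDP sessions on the same host are never logged. It assumes the log share path from the question; the variable names and the CSV column layout are choices made for this example.

```batch
@echo off
setlocal

rem Added example. LOG is the share path used in the question.
set "LOG=\\DC\Logs$\Logon\RDP.csv"

rem query user prefixes the session that ran the command with ">".
rem Matching on that marker selects this logon only, even when the
rem same account has other sessions open on the host.
rem Tokens: 1 = >username, 2 = session name, 3 = session id, 4 = state.
set "sess="
for /f "tokens=1-4" %%A in ('query user %USERNAME% 2^>nul ^| findstr /b /c:">"') do (
    set "sess=%%B"
    set "id=%%C"
    set "state=%%D"
)

rem query user is missing or returned nothing: do not write a partial row.
if not defined sess goto :eof

rem Console logons report the session name "console"; skip anything
rem that is not an RDP listener session (rdp-tcp#N).
echo %sess%| findstr /i /b "rdp-tcp" >nul || goto :eof

rem Fields are quoted because %time% uses a comma as the decimal
rem separator in some locales, which would otherwise split the column.
>>"%LOG%" echo "%date%","%time%","%COMPUTERNAME%","%USERNAME%","%sess%","%id%","%state%"

endlocal
```

Because every user's logon appends to the same file, the share needs append rights for those users, which also means a user can tamper with earlier rows; treat the CSV as a convenience record rather than an audit trail.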