Remote Desktop Login Success / Failure Email Notification

Windows can send an email notification on every successful or failed Remote Desktop login. Follow the steps below:

Go to Administrative Tools > Event Viewer > Windows Logs > Security.

Right-click Security and click “Attach a task to this Log”.

Give the task a name and description, click Next, then click Next again.

On the next screen select “Send an Email” and click Next.

On this screen fill in the details as you wish; be sure to enter a valid SMTP server.

On the next screen be sure to check “Open the properties dialog for this task when I click finish”.

In the properties window, check “Run whether user is logged on or not”.

Also check the option “Run with highest privileges”.

Next go to the Triggers tab and click Edit.

In the Settings panel on the Triggers tab, click Custom and then click New Event Filter.

Now click the XML tab, check “Edit Query Manually” and click Yes.

Paste the following code into the text area and click OK. Click OK again and enter the administrator login details.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]</Select>
  </Query>
</QueryList>

Now open Task Scheduler > Task Scheduler Library > Event Viewer Tasks. You will see the task that was created above. Right-click the task, click Export and save the file.

Open the exported XML file with a text editor.

Find the section below:

<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
</EventTrigger>

Add the <ValueQueries> block after </Subscription> but before </EventTrigger> so that the section looks like the code below, or just copy and paste the following code over it:

<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  <ValueQueries>
    <Value name="IpAddress">Event/EventData/Data[@Name="IpAddress"]</Value>
    <Value name="TargetUserName">Event/EventData/Data[@Name="TargetUserName"]</Value>
  </ValueQueries>
</EventTrigger>

Scroll down to the <Body> section, where you can reference the IP address and username as below:

<Body>Login Alert on ServerName  IP : $(IpAddress)  User: $(TargetUserName). Please take necessary action  .</Body>

Now save the XML file, remove the task from Task Scheduler, then click Import and import the XML file. You should now receive a login email alert on every successful login.
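The manual edit of the exported task described above can also be scripted. The following is an added example, not part of the original article; the helper name `patch_task`, the sample task and its server and addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"  # Task Scheduler schema
ET.register_namespace("", NS)  # keep the default namespace unprefixed on output

# The two value queries from the article, and a body using its $(...) placeholders.
VALUE_QUERIES = {
    "IpAddress": 'Event/EventData/Data[@Name="IpAddress"]',
    "TargetUserName": 'Event/EventData/Data[@Name="TargetUserName"]',
}
BODY = "Login Alert on ServerName  IP : $(IpAddress)  User: $(TargetUserName)."

def q(tag):
    """Qualify a tag name with the task namespace."""
    return "{%s}%s" % (NS, tag)

def patch_task(xml_text, body=BODY):
    """Add ValueQueries to every EventTrigger and set the e-mail body (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    triggers = root.findall(".//" + q("EventTrigger"))
    if not triggers:
        raise ValueError("no EventTrigger found; is this an event-triggered task?")
    for trig in triggers:
        vq = trig.find(q("ValueQueries"))
        if vq is None:
            # Appended last: after </Subscription>, before </EventTrigger>.
            vq = ET.SubElement(trig, q("ValueQueries"))
        present = {v.get("name") for v in vq.findall(q("Value"))}
        for name, path in VALUE_QUERIES.items():
            if name not in present:  # re-running must not duplicate entries
                ET.SubElement(vq, q("Value"), {"name": name}).text = path
    for node in root.iter(q("Body")):
        node.text = body
    return ET.tostring(root, encoding="unicode")

# Constructed sample of an exported task (server and addresses are placeholders).
SAMPLE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger>
    <Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Actions><SendEmail>
    <Server>smtp.example.invalid</Server><To>admin@example.invalid</To>
    <Body>placeholder</Body>
  </SendEmail></Actions>
</Task>"""

if __name__ == "__main__":
    print(patch_task(SAMPLE))
```

An exported task file is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `patch_task`.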

Email Notification on RDP Login Failure :

To receive an RDP login failure notification, follow the steps above but replace the Event ID with 4625 in the following section:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]</Select>
  </Query>
</QueryList>

By default RDP does not log the IP address if the login fails, so in order to receive it in the notification you have to make some changes.

In the Run menu type the following command:

tsconfig.msc

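Go to the RDP-Tcp properties and change the security layer to RDP Security Layer. With this setting the session uses native RDP encryption rather than TLS, and Network Level Authentication is not available.

This should now do the trick. If you want to disable displaying the last username on the login screen, type the following command in the Run menu: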

gpedit.msc

Now go to Windows Settings > Security Settings > Local Policies > Security Options.

Find the following policy and enable it:

Interactive logon: Do not display last user name

Now you should be all set to receive email notifications on login success and failure.