Logout a remote desktop user from command line

Here’s a command line hack that you can use to figure out what sessions are connected to the server. Note that you could substitute the IP address for the server name.

query session /server:servername

 

 

 

Now we know that the session ID of the offending session is 2. We can use that in the next step, which is using the reset command to log off that user.

reset session [ID] /server:servername

 

This command won’t display any output, but when we run the query command again, we should see that the session has now been disconnected:


Find a specific user events in Windows Security Logs

Event searching in windows security logs is too difficult, because of there are too many events in a short time.

To overcome this issue we must use “Filer Current Log” in the action menu. But options in the filter windows is not enough, if you want to filter security event logs by User . (User option in Filter Window is useless for our concern)

So what can we do?

Read More