Remote Access Β· RDP & Remote Tools

Windows Remote Access and RDP Forensics

Prove whether a Windows computer was accessed remotely, by whom, from what IP address, at what time, and what they saw or did on screen β€” including through third-party remote-support tools.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Remote-access forensics on Windows combines the Terminal Services operational logs (TerminalServices-LocalSessionManager, TerminalServices-RemoteConnectionManager, RemoteDesktopServices-RdpCoreTS), Security events 4624 LogonType 10 (RemoteInteractive), 4778/4779 (session reconnect/disconnect), 1149 (successful RDP authentication with source IP), RDP bitmap cache (bcache*.bmc) that reconstructs actual on-screen content, Prefetch and Amcache for the RDP client (mstsc) and remote-support tools (TeamViewer, AnyDesk, ScreenConnect, LogMeIn), and default gateway / firewall logs.

The RDP event trail

Event IDChannelWhat it means
1149TerminalServices-RemoteConnectionManager/OperationalRemote authentication accepted; includes User, Domain, and Source Network Address (IP)
21TerminalServices-LocalSessionManager/OperationalSession logon succeeded, with source IP
22SameShell (explorer.exe) started
24SameSession disconnected (user closed but did not log off)
25SameSession reconnected (typically after a network drop)
23SameSession logoff
4624 (LogonType 10)SecurityRemoteInteractive logon
4778 / 4779SecuritySession reconnected / disconnected (also fires for Fast User Switching)
4625SecurityFailed RDP authentication (Sub Status 0xC000006A wrong password, etc.)
131RdpCoreTS/OperationalClient connected before authentication (useful for brute-force detection)
140RdpCoreTS/OperationalClient failed authentication with source IP

RDP bitmap cache: reconstructing what was on screen

Windows caches portions of the remote screen at the RDP client for performance. These cache files (bcache22.bmc, bcache24.bmc, cache0000.bin and similar) live at %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\ and contain thousands of 64×64 tile fragments of past sessions. Reassembly regenerates recognizable screenshots β€” messages, file names, spreadsheets β€” of remote work performed. This is often the single most persuasive artifact in an unauthorized-remote-access case.

Remote-support and unattended-access tools

Third-party remote tools leave equally strong evidence, both on the target and on the operator side:

  • TeamViewer β€” %APPDATA%\TeamViewer\Connections_incoming.txt (target) and Connections.txt (operator) log ID, name, start, and end.
  • AnyDesk β€” %APPDATA%\AnyDesk\connection_trace.txt, ad_svc.trace, and ad.trace.
  • ScreenConnect / ConnectWise Control β€” service install (System 7045), ScreenConnect.ClientService in Services, and session logs under %PROGRAMDATA%\ScreenConnect Client (<GUID>)\.
  • LogMeIn β€” event log entries plus %PROGRAMDATA%\LogMeIn\logs\.
  • Chrome Remote Desktop β€” CRD host service events and %LOCALAPPDATA%\Google\Chrome Remote Desktop\logs.

Client-side traces on the machine that initiated RDP

The operator machine keeps its own trail: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default stores MRU0..MRU9 of last connected hostnames; Servers\<host>\UsernameHint records the last user; .rdp files may be saved to Documents; Prefetch and Amcache record mstsc.exe execution; jump lists for mstsc list recently connected hosts.

Building the end-to-end remote access timeline

  1. Establish inbound activity on the target (1149, 21/22/24/25, 4624 LogonType 10).
  2. Identify the source IP and, where possible, geolocate and reconcile with VPN/firewall logs.
  3. Reconstruct the on-screen content from RDPCache (target) or the operator’s cache.
  4. Correlate to program execution artifacts to prove what the remote user did (see Program Execution).
  5. Attribute to a specific user account via 4624 SID and, where domain-joined, DC-side Kerberos records.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you tell if someone RDP’d in even after they turned RDP off?

Usually yes. The Terminal Services operational logs are separate from the RDP service state, and 4624 LogonType 10 remains in Security.evtx. RDPCache bitmap fragments also survive.

What if the attacker used a VPN?

The Windows target sees only the VPN’s private IP. We correlate with VPN concentrator logs, cloud-VPN provider records, and timing against ISP-side records subpoenaed via counsel.

Are Windows Home editions RDP-visible?

Windows Home cannot host RDP by default but can be the RDP client. When Home shows LogonType 10, it is almost always via Fast User Switching or a third-party server component; we flag and explain.

Do remote-support tools leave less evidence than RDP?

No β€” often more. TeamViewer, AnyDesk, and ScreenConnect each maintain their own detailed session logs including counterparty ID, duration, and file-transfer records.

Ready to move on your windows remote access and rdp matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: Terminal Services event log. learn.microsoft.com
  2. Microsoft: Event 4624 (LogonType). learn.microsoft.com

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#RDPForensics #RemoteAccess #TeamViewer #AnyDesk #WindowsForensics #UnauthorizedAccess #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder