What is it

RDP-Parser extracts RDP activities from Microsoft Windows Event Logs. This tool has been designed for any investigation involving exploitation of the RDP service. It supports the Evt and Evtx formats.

How it works

This is a command line tool and there is no installer. Unzip the archive and copy the program to wherever you want to use it.

Open a command line in the directory where the program is located. You can print the help message with "RDP-Parser --h":

usage: RDP-Parser [options]
Options and arguments:
--p     : Path: default is current or C:\Windows\System32\winevt\Logs
--t     : Type:
          1: minimal (default, event with public IP addresses only, less event details)
          2: minimal with all IP addresses
          3: normal (event with public IP addresses only)
          4: normal with all IP addresses
          5: full (all RDP and login events)
--s     : Date start [format: yyyy-mm-dd]
--e     : Date end [format: yyyy-mm-dd]
--r     : Report format: 1: xlsx (default), 2: text, 3: html
--l     : Data strings on a single line
--o     : Open report at the end
--b     : Copy all Event logs from live system.
--h     : Print this help message and exit
- RDP-Parser (without any argument): Print *minimal* type for Event Logs in current
  dir or system
- RDP-Parser --t 2 --s 2018-01-01 --e 2019-01-01: Print *normal* type for Event
  Logs in current dir or system, all events in 2018

More details about options:

  • --p: By default, RDP-Parser checks the current directory, so you can copy the program into the same folder as the Event Logs you want to parse. If no path is given and the current directory doesn't contain Event Logs, RDP-Parser copies the live system's Event Logs into the current directory. This requires admin privileges and doesn't work for old format logs.
  • --t: The report types are:
    • 1: minimal: This is the default type. The report contains the following columns: TimeGenerated, Source, EventID and Details. Only events with public IP addresses are extracted, and all details except the IP address are removed.
    • 2: minimal with all IP addresses: Same as type 1, but it also includes private IP addresses.

    (Screenshot: XLSX report, type 2)

    • 3: normal: The report contains all columns and all details. Columns are: TimeGenerated, Timewritten, Computer, Source, RecordNumber, Category, EventID, EventType and Details. Only events with public IP addresses are extracted, but all details are included.
    • 4: normal with all IP addresses: Same as type 3, but it also includes private IP addresses.

    (Screenshot: XLSX report, type 4)

    • 5: full: All events related to RDP or login activities will be included. Included events IDs are:
      • New format (evtx):
        • From Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, event ids 21 to 25, 39 and 40;
        • From Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, event ids 261 and 1149;
        • From Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx, event ids 131 and 140;
        • From Security.evtx, event ids 4624, 4625, 4634, 4647, 4778 and 4779;
        • From System.evtx, event id 56.
      • Old format (security.evt or SecEvent.Evt):
        • Event ids 528 to 540, 552, 682 and 683. Also, all events that contain IP addresses involved in RDP activities are included. Some events may not be extracted (see Known Problems).
  • --l: With this option, all strings in Details column are on a single line.
  • --b: This is the backup function. It copies all Event Logs from the live system; all other options are ignored. This requires admin privileges and doesn't work for old format logs.
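The selection logic the options above describe (keep only the listed event IDs per log, then filter on whether an event carries a public or a private IP address) can be reproduced offline against exported events. The following is an added example written for this page, not RDP-Parser's own source. It assumes the input is the per-event XML that the Windows event subsystem produces (for example the output of "wevtutil qe <log> /f:xml" or of Get-WinEvent's ToXml()), it treats RFC 1918, loopback and link-local ranges as the "private" addresses (an assumption about what the README means), and the sample events, hostnames and addresses are constructed. It also reproduces the per-log summary (first entry, last entry, entry count) that the CLI prints.

```python
# Added example (not RDP-Parser's own source): triage RDP-related events from
# Windows Event XML, using the per-log event-ID selection described in the
# RDP-Parser README. Input format assumed: the XML produced by the Windows
# event subsystem ("wevtutil qe <log> /f:xml" or Get-WinEvent .ToXml()).
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Channel -> event IDs listed in the README for the "full" report type.
RDP_EVENT_IDS = {
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational": {21, 22, 23, 24, 25, 39, 40},
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational": {261, 1149},
    "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational": {131, 140},
    "Security": {4624, 4625, 4634, 4647, 4778, 4779},
    "System": {56},
}

# Assumption: the README's "private IP addresses" means RFC 1918 plus loopback
# and link-local. The documentation range 203.0.113.0/24 stands in for Internet
# addresses in the constructed samples below.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_event(xml_text):
    """Return (channel, event_id, time_created, detail_strings) for one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    channel = system.findtext("e:Channel", default="", namespaces=NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    when = system.find("e:TimeCreated", NS).get("SystemTime", "")
    # Security/System events carry <EventData><Data>; TerminalServices events
    # carry <UserData> in a provider namespace. Take every text node of either.
    payload = root.find("e:EventData", NS)
    if payload is None:
        payload = root.find("e:UserData", NS)
    details = [] if payload is None else [
        el.text.strip() for el in payload.iter() if el.text and el.text.strip()]
    return channel, event_id, when, details


def extract_ips(details):
    """Syntactically valid IPv4 addresses found in the event's data strings."""
    ips = []
    for s in details:
        for candidate in IPV4_RE.findall(s):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return ips


def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


def select_rdp_activities(events_xml, report_type=1):
    """Filter like the README's report types: 1/3 keep events with a public IP,
    2/4 keep events with any IP, 5 keeps every selected RDP/login event."""
    rows = []
    for xml_text in events_xml:
        channel, event_id, when, details = parse_event(xml_text)
        if event_id not in RDP_EVENT_IDS.get(channel, ()):
            continue
        ips = extract_ips(details)
        if report_type in (1, 3):
            ips = [ip for ip in ips if not is_private(ip)]
        if report_type != 5 and not ips:
            continue
        rows.append({"time": when, "channel": channel, "event_id": event_id,
                     "ips": sorted(str(ip) for ip in ips)})
    return rows


def summarize(events_xml):
    """First/last entry timestamp and entry count, as the CLI prints per log."""
    times = sorted(parse_event(x)[2] for x in events_xml)
    return {"first": times[0], "last": times[-1], "count": len(times)}


def _event(channel, event_id, when, payload):
    """Build a minimal Windows Event XML document (constructed sample, not real data)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID><Channel>{channel}</Channel>'
            f'<TimeCreated SystemTime="{when}"/><Computer>WS01</Computer></System>'
            f'{payload}</Event>')


LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
SAMPLE_EVENTS = [  # constructed sample data
    _event("Security", 4624, "2018-12-01T10:00:00Z",
           '<EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">10</Data>'
           '<Data Name="IpAddress">203.0.113.7</Data></EventData>'),
    _event(LSM, 21, "2018-12-01T10:00:02Z",
           '<UserData><EventXML xmlns="Event_NS"><User>WS01\\admin</User>'
           '<SessionID>3</SessionID><Address>203.0.113.7</Address></EventXML></UserData>'),
    _event("Security", 4624, "2018-12-01T11:30:00Z",
           '<EventData><Data Name="LogonType">10</Data><Data Name="IpAddress">192.168.1.20</Data></EventData>'),
    _event("Security", 4625, "2018-12-02T03:15:10Z",
           '<EventData><Data Name="LogonType">3</Data><Data Name="IpAddress">203.0.113.99</Data></EventData>'),
    _event("Security", 4624, "2018-12-02T08:00:00Z",
           '<EventData><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData>'),
    _event("System", 7036, "2018-12-02T08:00:05Z",
           '<EventData><Data Name="param1">Spooler</Data></EventData>'),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for row in select_rdp_activities(SAMPLE_EVENTS, report_type=1):
        print(row)
```

With the constructed samples, report type 1 keeps the three events that carry a 203.0.113.x address, type 2 additionally keeps the 192.168.1.20 logon, and type 5 keeps everything except the unrelated System event 7036. The channel names use the "/" form found inside the XML rather than the "%4" form of the .evtx file names.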

In the command line interface, RDP-Parser prints some useful information about each log, such as the date and time of the first entry, the last entry and the total number of entries.

RDP-Parser 1.1
Listing Event Logs in D:\Logs...
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx found.
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx found.
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational found.
Security.evtx found.
System.evtx found.

Parsing D:\Logs\Security.evtx...
First entry date: 2018-09-01 18:28:47
Last entry date: 2018-12-09 04:51:32
Number of entries: 40553

Parsing D:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx...
First entry date: 2018-08-23 20:50:20
Last entry date: 2018-12-07 11:21:55
Number of entries: 1874

Parsing D:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx...
First entry date: 2018-10-24 08:05:13
Last entry date: 2018-12-09 04:51:31
Number of entries: 2019

Parsing D:\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx...
First entry date: 2018-11-28 19:54:55
Last entry date: 2018-12-09 04:51:34
Number of entries: 2008

Parsing D:\Logs\System.evtx...
First entry date: 2017-09-15 04:19:41
Last entry date: 2018-12-09 01:22:17
Number of entries: 13087

1715 activities have been found.
Creating report_2018-12-09_08-30-04.xlsx...
Report has been created.

What do you need

  • Windows XP SP2 or newer

Version History

  • New: Extraction of Event IDs 131 and 140 from Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
  • Fixed: Details were not correctly extracted for event 56 and 1149 with types 2, 4 or 5.
First release.

Known Problems

  • For the old format (evt), the parsing string for event id 528 (and probably the whole range 528 to 540) is buggy, so you won't get all events because the strings are not correctly parsed.


Copyright (c) 2018 Alain Rioux

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.


If you have any problem, suggestion, comment, or you found a bug in my utility, contact the author.


  • The icon of RDP-Parser has been created by Saki (Alexandre Moore) (http://sa-ki.deviantart.com) and is distributed under the GNU General Public License.


Source code is hosted on SourceForge and GitHub. Binaries are hosted on SourceForge.

Filename            MD5                               SHA256
RDP-Parser 1.1.zip  143e3d5b91e7e8839c8c4c49dfd0bdd0  864b715ca58f1216472f3cb6d8b7899eb575c0e901da0158780b1ab4919ab1ed


If you want to download the standalone version or an older version, check on SourceForge.

