RDP-Forensic

2.1.0

A comprehensive PowerShell toolkit for RDP forensics analysis, tracking connection attempts, authentication, sessions, and logoffs across Windows Event Logs for security monitoring and incident response.

Minimum PowerShell version

5.1

There is a newer prerelease version of this module available.
See the version list below for details.

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name RDP-Forensic -RequiredVersion 2.1.0

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name RDP-Forensic -Version 2.1.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) 2025 Jan Tiedemann. All rights reserved.

Package Details

Author(s)

  • Jan Tiedemann

Tags

RDP Forensics Security EventLog RemoteDesktop Audit Compliance Monitoring Windows Investigation

Functions

Get-RDPCurrentSessions Get-RDPForensics

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

## [2.1.0] - 2026-03-31

### Changed

- Renamed `Get-CurrentRDPSessions` to `Get-RDPCurrentSessions` to follow
 PowerShell verb-noun naming conventions and align with the module prefix
 pattern - **BREAKING CHANGE**.
- Refactored `Get-RDPForensics` with modular internal functions:
 `Get-CorrelatedSessions`, `Get-RDPConnectionAttempts`,
 `Get-RDPAuthenticationEvents`, `Get-RDPSessionEvents`,
 `Get-RDPLockUnlockEvents`, `Get-RDPSessionReconnectEvents`,
 `Get-RDPLogoffEvents`, and `Get-OutboundRDPConnections`.
- Updated all documentation, examples, integration tests, and references to
 use the new `Get-RDPCurrentSessions` name.

### Added

- Added `-ShowProcesses` parameter to `Get-RDPCurrentSessions` to display
 running processes per session.
- Added `-Watch` and `-RefreshInterval` parameters for continuous monitoring
 mode.
- Added `-LogPath` parameter for session logging.

Version History

| Version | Downloads | Last updated |
|---|---|---|
| 2.1.3 | 5 | 3/31/2026 |
| 2.1.2-previe... | 2 | 3/31/2026 |
| 2.1.1 | 2 | 3/31/2026 |
| 2.1.0 (current version) | 2 | 3/31/2026 |
| 2.0.1-previe... | 2 | 3/31/2026 |
| 2.0.0 | 4 | 3/31/2026 |
| 0.2.0-previe... | 3 | 3/31/2026 |
| 0.2.0-previe... | 2 | 3/31/2026 |