Querying Active Remote Desktop Sessions on Windows Server 2003 via Command Line and WMI


4 views

For quick session checks on Windows Server 2003, use these terminal commands:

query session /server:SERVERNAME
qwinsta /server:SERVERNAME

Sample output:

SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
console                                     0  Conn    wdcon
rdp-tcp#1         Administrator             1  Active  rdpwd
rdp-tcp                                 65536  Listen  rdpwd

Create a VBScript to pull detailed session data:

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_LogonSession")

For Each objItem in colItems
    If objItem.LogonType = 10 Then 'RDP sessions
        WScript.Echo "Session ID: " & objItem.LogonId
        WScript.Echo "Start Time: " & objItem.StartTime
    End If
Next

Even though PowerShell wasn't native to Server 2003, you can use this backported solution:

$sessions = Get-WmiObject -Class Win32_Process -Filter "Name='explorer.exe'" | 
            ForEach-Object { $_.GetOwner() } | 
            Select-Object Domain, User

$sessions | Format-Table -AutoSize

Extract session info from the legacy Terminal Services Manager COM object:

Set objTSM = CreateObject("TSAdmin.TSAdmin")
Set objSessions = objTSM.GetSessions("SERVERNAME")

For i = 1 To objSessions.Count
    WScript.Echo "User: " & objSessions.Item(i).UserName
    WScript.Echo "State: " & objSessions.Item(i).State
Next

Query security event log for RDP authentication events (EventID 528):

wevtutil qe Security /q:"*[System[EventID=528]]" /f:text

When administering Windows Server 2003 systems, monitoring active Remote Desktop Protocol (RDP) sessions is crucial for both security and resource management. Unlike newer Windows versions, Server 2003 requires specific approaches to retrieve this information programmatically.

The quickest way to check active sessions is through the built-in command-line utility:


qwinsta /server:SERVERNAME

Sample output:


SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
console                                     0  Conn    wdcon
rdp-tcp                                 65536  Listen  rdpwd
rdp-tcp#14        Administrator             1  Active  rdpwd

For programmatic access in scripts or applications, Windows Management Instrumentation (WMI) provides reliable session data:


strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_LogonSession Where LogonType = 10",,48)

For Each objItem in colItems
    WScript.Echo "Session ID: " & objItem.LogonId
Next

For C++ developers, the Terminal Services SDK offers the most control:


#include <wtsapi32.h>
#pragma comment(lib, "wtsapi32.lib")

void EnumerateSessions()
{
    PWTS_SESSION_INFO pSessionInfo = NULL;
    DWORD count = 0;
    
    if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSessionInfo, &count))
    {
        for (DWORD i = 0; i < count; i++)
        {
            printf("Session %d: %s\\n", 
                   pSessionInfo[i].SessionId, 
                   pSessionInfo[i].pWinStationName);
        }
        WTSFreeMemory(pSessionInfo);
    }
}

When implementing session tracking:

  • Require administrative privileges for accurate results
  • Handle session data securely as it may contain sensitive information
  • Consider implementing rate limiting to prevent excessive queries

Common applications include:

  • Automated session cleanup scripts
  • Monitoring dashboards
  • Security auditing tools
  • Resource allocation systems