Disable and delete Windows RDP logs

Security & Anonymity
by Consortium · 2 posts
OP · 2026-01-28 00:53 #93789

Many people are probably not aware of it, but your RDP logs every login, including your IP. Shoutout to the user from the old board who pointed this out. Here, as a small gift from me, is a PowerShell script to disable and delete all logs in the Event Viewer. Just save it as a .ps1 file and run it as Administrator on the RDP. If you want to do it by hand: Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-... There, in each folder, disable and clear the logs under Admin and Operational.

DisableRDPLogs.ps1

Code:
#Requires -RunAsAdministrator
# Description: Disable all RDP and login-related logging on Windows

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host " RDP LOGGING DISABLER" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

Write-Host "This tweak will:" -ForegroundColor Yellow
Write-Host " - Disable RDP connection logging" -ForegroundColor White
Write-Host " - Disable Security event logging (login events)" -ForegroundColor White
Write-Host " - Disable Terminal Services logging" -ForegroundColor White
Write-Host " - Disable Remote Desktop Services logging" -ForegroundColor White
Write-Host " - Clear existing logs" -ForegroundColor White

$confirm = Read-Host "Do you want to continue? (y/n)"

if ($confirm -ne 'y') {
    Write-Host "Cancelled." -ForegroundColor Yellow
    return
}

Write-Host "`nDisabling RDP and login logging..." -ForegroundColor Cyan
Write-Host ""

# Static event logs to disable/clear
$eventLogs = @(
"Security",
"System"
)

# Disable and clear static event logs
foreach ($logName in $eventLogs) {
    try {
        Write-Host "Processing: $logName" -ForegroundColor Yellow

        # Clear the log
        wevtutil cl "$logName" 2>$null
        Write-Host " Cleared log" -ForegroundColor Green

        # Disable the log
        wevtutil sl "$logName" /e:false 2>$null
        Write-Host " Disabled log" -ForegroundColor Green

    }
    catch {
        Write-Host " Warning: Could not process $logName" -ForegroundColor DarkYellow
    }
}

Write-Host ""
Write-Host "Discovering all TerminalServices and RemoteDesktop event logs..." -ForegroundColor Yellow

# Get ALL TerminalServices-* and RemoteDesktop* event logs dynamically
$tsLogs = wevtutil el | Where-Object { $_ -match "TerminalServices|RemoteDesktop" }

$tsLogCount = 0
foreach ($logName in $tsLogs) {
    try {
        Write-Host "Processing: $logName" -ForegroundColor Yellow

        # Clear the log
        wevtutil cl "$logName" 2>$null
        Write-Host " Cleared log" -ForegroundColor Green

        # Disable the log
        wevtutil sl "$logName" /e:false 2>$null
        Write-Host " Disabled log" -ForegroundColor Green

        $tsLogCount++
    }
    catch {
        Write-Host " Warning: Could not process $logName" -ForegroundColor DarkYellow
    }
}

Write-Host ""
Write-Host "Processed $tsLogCount TerminalServices/RemoteDesktop event logs" -ForegroundColor Cyan

Write-Host ""

# Disable Security event audit policies
Write-Host "Disabling audit policies..." -ForegroundColor Yellow

$auditPolicies = @(
"Logon/Logoff",
"Account Logon",
"Detailed Tracking",
"Object Access",
"Policy Change",
"Privilege Use",
"System",
"Account Management"
)

foreach ($policy in $auditPolicies) {
    auditpol /set /category:"$policy" /success:disable /failure:disable 2>$null | Out-Null
    Write-Host " Disabled: $policy" -ForegroundColor Green
}

Write-Host ""

# Registry tweaks to disable RDP logging
Write-Host "Applying registry tweaks..." -ForegroundColor Yellow

$registryTweaks = @(
    # Disable TerminalServices event logging
    @{
        Path  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
        Name  = "EventLogLevel"
        Value = 0
        Type  = "DWord"
    },
    # Disable Security event logging
    @{
        Path  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security"
        Name  = "MaxSize"
        Value = 0
        Type  = "DWord"
    },
    # Disable RDP connection history
    @{
        Path  = "HKLM:\SOFTWARE\Microsoft\Terminal Server Client"
        Name  = "DisablePasswordSaving"
        Value = 0
        Type  = "DWord"
    }
)

foreach ($tweak in $registryTweaks) {
    try {
        # Create path if it doesn't exist
        if (-not (Test-Path $tweak.Path)) {
            New-Item -Path $tweak.Path -Force | Out-Null
        }

        Set-ItemProperty -Path $tweak.Path -Name $tweak.Name -Value $tweak.Value -Type $tweak.Type -Force
        Write-Host " Set: $($tweak.Path)\$($tweak.Name)" -ForegroundColor Green
    }
    catch {
        Write-Host " Warning: Could not set $($tweak.Path)\$($tweak.Name)" -ForegroundColor DarkYellow
    }
}

Write-Host ""

# Stop and disable Event Log service (extreme measure)
Write-Host "Event Log Service Configuration:" -ForegroundColor Yellow
Write-Host " Note: Stopping Event Log service may cause system instability" -ForegroundColor Red
Write-Host " Leaving Event Log service running but logs are disabled/cleared" -ForegroundColor Cyan

Write-Host ""

# Clear RDP cache and connection history
Write-Host "Clearing RDP connection cache..." -ForegroundColor Yellow

$rdpCachePaths = @(
"$env:USERPROFILE\AppData\Local\Microsoft\Terminal Server Client\Cache",
"$env:LOCALAPPDATA\Microsoft\Terminal Server Client\Cache"
)

foreach ($path in $rdpCachePaths) {
    if (Test-Path $path) {
        Remove-Item -Path "$path\*" -Force -Recurse -ErrorAction SilentlyContinue
        Write-Host " Cleared: $path" -ForegroundColor Green
    }
}

# Clear MRU (Most Recently Used) RDP connections
$mruPath = "HKCU:\Software\Microsoft\Terminal Server Client"
if (Test-Path $mruPath) {
    Get-ChildItem -Path $mruPath | Where-Object { $_.Name -match "Default|Server" } | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    Write-Host " Cleared RDP MRU entries" -ForegroundColor Green
}

Write-Host ""
Write-Host "========================================" -ForegroundColor Green
Write-Host "RDP logging disabled successfully!" -ForegroundColor Green
Write-Host "========================================" -ForegroundColor Green

Write-Host "`nSummary:" -ForegroundColor Cyan
Write-Host " - Event logs disabled and cleared" -ForegroundColor White
Write-Host " - Audit policies disabled" -ForegroundColor White
Write-Host " - RDP connection cache cleared" -ForegroundColor White
Write-Host " - Registry tweaks applied" -ForegroundColor White
Write-Host ""

Write-Host "IMPORTANT:" -ForegroundColor Red
Write-Host " - Logs will not record RDP connections" -ForegroundColor Yellow
Write-Host " - Some logs may re-enable after Windows updates" -ForegroundColor Yellow
Write-Host " - Rerun this tweak periodically to maintain privacy" -ForegroundColor Yellow
Write-Host ""

Write-Host "To re-enable logging later:" -ForegroundColor Gray
Write-Host " wevtutil sl Security /e:true" -ForegroundColor DarkGray
Write-Host " auditpol /set /category:* /success:enable /failure:enable" -ForegroundColor DarkGray
Write-Host ""

Write-Host "Press any key to exit..." -ForegroundColor Gray
$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
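The script above leaves a fairly distinct footprint on the host it is run on, and every change it makes can be read back. The following is an added example (not part of the original post and not written by its author) of a read-only check an administrator or responder can run to spot exactly those changes: channels that have been disabled or emptied, the "log cleared" records that a clear leaves behind, audit categories switched off, and the two registry values the script writes. It assumes it is run elevated on the host being inspected; the channel names, the event IDs 1102 (Security log cleared) and 104 (System log cleared), the auditpol subcategory names and the registry paths are standard Windows names, the last of which are taken from the script itself.

```powershell
#Requires -RunAsAdministrator
# Added example: detect the changes DisableRDPLogs.ps1 makes. Read-only; nothing
# here modifies the host. Assumes an elevated session on the machine being checked.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Channels the script clears or disables: Security, System and every
#    TerminalServices-* / RemoteDesktop* channel. IsEnabled = $false is the tell;
#    a zero record count on a channel that is normally busy is a weaker hint.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -match '^(Security|System)$|TerminalServices|RemoteDesktop' }
foreach ($ch in $channels) {
    if (-not $ch.IsEnabled) {
        $findings.Add("DISABLED channel: $($ch.LogName)")
    }
    elseif ($ch.RecordCount -eq 0) {
        $findings.Add("EMPTY channel (possibly cleared): $($ch.LogName)")
    }
}

# 2. A clear is itself logged: Security 1102 ("The audit log was cleared") and
#    System 104 ("The ... log file was cleared"). The script clears first and
#    disables afterwards, so these records remain readable in the .evtx file.
$clearEvents = @(
    @{ LogName = 'Security'; Id = 1102 },
    @{ LogName = 'System';   Id = 104  }
)
foreach ($filter in $clearEvents) {
    $hits = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $hits) {
        $findings.Add("LOG CLEARED: $($filter.LogName) event $($e.Id) at $($e.TimeCreated) by SID $($e.UserId)")
    }
}

# 3. Audit policy: the script disables whole categories. auditpol's CSV output
#    (/r) lists each subcategory with its "Inclusion Setting"; the subcategories
#    below are the ones that record RDP logons and policy changes.
$policy  = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$watched = 'Logon', 'Logoff', 'Special Logon', 'Credential Validation', 'Audit Policy Change'
foreach ($row in $policy) {
    if ($watched -contains $row.Subcategory -and $row.'Inclusion Setting' -eq 'No Auditing') {
        $findings.Add("AUDIT OFF: $($row.Subcategory)")
    }
}

# 4. Registry values the script writes (a MaxSize of 0 for the Security log is
#    never a legitimate configuration).
$regChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'; Name = 'MaxSize' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';     Name = 'EventLogLevel' }
)
foreach ($r in $regChecks) {
    $v = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($r.Name) -eq 0) {
        $findings.Add("REGISTRY: $($r.Path)\$($r.Name) = 0")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No log-tampering indicators found." -ForegroundColor Green
}
else {
    Write-Host "$($findings.Count) indicator(s) found:" -ForegroundColor Red
    $findings | ForEach-Object { Write-Host " - $_" -ForegroundColor Red }
}
```

All four checks read state on the same host, so they only help if the host is inspected before the next cleanup run. The durable mitigation is to forward Security, System and the TerminalServices channels off the machine (Windows Event Forwarding or a SIEM agent) as events are written: a local clear or disable then removes only the copy on the host, and the 1102/104 record of the clear arrives at the collector as well.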

· 2026-02-06 07:11 #96489

** PUSH **