Automatically block RDP attacks using Windows Firewall and PowerShell

By accident I discovered, that in one of my eventlogs (“Applications and Services Logs\Microsoft\Windows\RemoteDesktopServices-RdpCoreTS\Operational”) several Entries with ID 140 are present. This events are logging attempts of users to login to my server via RDP but using wrong credentials. Obviously there should not be any attempt or maybe just one or two by myself. But in my case there are hundreds.

First I checked if my local and my domain administrator account are both disabled. This was the case so most of the login attempts will now also fail because the user is disabled. I assume most of them are trying to use this user. The user isn’t locked because of the attempts because there is enough time between the retries.

The text of the login attempt in the eventlog is “A connection from the client computer with an IP address of failed because the user name or password is not correct.”.

So I created a PowerShell script that is reading this messages, filtering the IP out of it and add it to the Windows Firewall Blacklist.
One prerequirement is, that there is already a firewall rule with at least 2 blocked IP addresses. I was just too lazy to solve this in my script. To create this rule, start the Windows Firewall Settings and create a new rule at “Inbound Rules”.

Select “Custom” auswählen. Leave “All programs” (just click “Next“). Leave any Protocol Type and Port (just “Next“). In the Scope section at “Which remote IP addresses does this rule apply to” select “These IP addresses” and add two dummy addresses. i.e. and We need at least two addresses for the script. Click “next“.

Select “Block the connection“.

At “Profile” check all profiles. At the last page enter a good name for your rule. We will need the name in our script. Now your rule configuration is done.


Now the script. This is the code that works with the already stated prerequirements. Copy the text to a file with the ending .ps1.

### Variables ###
# The name of the firewall rule in Windows Firewall
$firewallRuleName = "Block RDP Attackers"

# IPs that will not be blacklisted. i.e. your home IP if you are using Dyndns or any other static IP
$whiteList = @(
   [System.Net.Dns]::GetHostAddresses("").IPAddressToString, #Example for DNS entry
   "" #Example for IP

### Script ###
Write-Host "Running at $(Get-Date)"
$regExIp = "\d\d?\d?.\d\d?\d?.\d\d?\d?.\d\d?\d?"
$regExIp6 = "((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?"

# Get the current Eventlogs with the 140 event
$currentAttackers = @(Get-Winevent Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational | Where-Object {$_.Id -eq 140} | Select Message -ExpandProperty Message)

# If there is no response, there are no attacks
if ($currentAttackers -eq $null) {
   Write-Host "No current attackers"

# Get each attackermessage and filter the IP from it using the regex above
for ($i = 0; $i -lt $currentAttackers.Count; $i++) {
   if ($currentAttackers[$i] -match $regExIp -or $currentAttackers[$i] -match $regExIp6){
      $currentAttackers[$i] = $Matches[0]

# Get the already known attackers from the firewall rule
$knownAttackers = (Get-NetFirewallRule -DisplayName $firewallRuleName | Get-NetFirewallAddressFilter).RemoteAddress
if ($knownAttackers -eq $null){
   $knownAttackers = @()
$knownAttackers = $knownAttackers | Sort-Object -Unique

# Check each logged attacker and check if it is already known
foreach($newAttacker in $currentAttackers) {
   if ($knownAttackers.Contains($newAttacker)) { #If it is known, don't do anything
   elseif ($whiteList -contains $newAttacker) { #If it is whitelisted, don't do anything
      Write-Host "$newAttacker is dynamically whitelisted"
   else{ #otherwise it is a new attacker and add it to the blacklist
      $knownAttackers += $newAttacker
      Write-Host "Added $newAttacker"

# remove dublicates (should not be there, but anyway...)
$knownAttackers = $knownAttackers | Sort-Object -Unique
Write-Host "$($knownAttackers.Count) IPs on blacklist"

# Setting Firwall rules with all known and all new attackers
Set-NetFirewallRule -DisplayName $firewallRuleName -RemoteAddress $knownAttackers
Write-Host ""

Latest changes: (23.01.2021) IPv6 added and fixed an issue when only one Event exists. Thanks to Joachim

If you have a different name than “Block RDP Attackers” for the firewall rule, you have to change the line “$firewallRuleName = “Block RDP Attackers”” to your rule name.

Run the script “as administrator”. It will scan your eventlog and get all IPs that are mentioned in the events with the ID 140 in the corresponding log. This IPs will be added to the rule we created before and will block this IPs in the future.

I have a scheduled task for this script to run it frequently. In a timespan of just some hours already about 600 IP addresses are on my blocklist. If you configure the scheduled task, be sure that the checkbox “run with highest privileges” is checked.

Install VMware Remote Console (VMRC) silently

After I struggled some hours with doing this, I finally figured out the following command to install VMRC silently without a reboot and with setting the automatic software update procedures to disabled. Use this command:


To uninstall use this command (the GUID may be different on other VMRC versions):

MsiExec.exe /X{09E3AC7C-395C-47C6-9F66-4B9FB8325341} /qn /norestart


Update Certificate of VMware vCenter

I just had to update the certificate on my VMware lab environments vCenter and searched for a good manual about this. I didn’t find one complete one so I decide to post one here.

Here we go:

  1. Login to SSH on the vCenter Server (you need to activate SSH if it is disabled)
  2. Type shell into the console.
  3. Create a directory where we will store everything: mkdir /tmp/cert
  4. Execute chsh -s /bin/bash root to make it possible to connect via WinSCP later on
  5. Start the Certificate Manager: /usr/lib/vmware-vmca/bin/certificate-manager 
  6. Select the first option (“Replace Machine SSL certificate with custom certificate”)
  7. Enter the local administrator (i.e. administrator@vsphere.local)
  8. Select the first option (“1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate”)
  9. Type the path to the folder we created in step 3 (/tmp/cert)
  10. State the parameters of the Certificate. For the options “Name” and “Hostname” you need to state the FQDN of the server
  11. The CSR to create the certificate by your CA is stored in the output directory
  12. Download the CSR via WinSCP and create a certificate based on this. The certificate needs to be in Base64 format and you will need the public root certificate of your CA.
  13. Upload the Certificate and the root certificate to the /tmp/cert-Folder
  14. Continue the dialog (option 1) of if you had some time between, you can start allover again and select option 2 after starting the certificate manager instead of option 1.
  15. Now you have to state the paths to the Certificate, the Key and the root certificate of your CA
  16. When this is done, the wizard will install the certificate. This takes a while and will reconfigure and restart almost all services.

Tested on vCenter 6.5 and vCenter 6.7


Welcome to the website of Kristian Reukauff. This site is about my public projects, apps and programming stuff as well as some topics about Smart Home.

Retro meets Modern: Settlers 3 and HyperV

Some days ago I remembered one old game I liked to play: Settlers 3 (“Siedler 3” in German). Like it is on old games, they are not running without any problems on modern operating systems. So I decided to buy the of Settlers 3 and it works. The next step was to try to run a multiplayer session with a friend of mine. The problem we had was, that we didn’t see the sessions of our games in the lobby. After some researching on the internet we didn’t find any hints about our issue. So we started to dig.
When we started Settlers 3 the first time, DirectPlay was installed. It is a kind of old network “Framework”. So maybe we have problems with network.
We figured out, that the problem is because of the multiple network adapters of my computer. Physically there is just one but I have Hyper-V running on my PC for development purposes and Hyper-V installs several additional pseudo adapters. After uninstall Hyper-V (just for testing), it works. So we are now sure it is because of the network adapters. I don’t want to uninstall or disable Hyper-V everytime I want to play Settlers. Hyper-V is for virtualization – why not running Settlers 3 in a virtual Machine?
I installed a Windows 10 VM, installed all Updates and Settlers 3 (GoG-Edition). I started the game for the first time and it crashed. I restarted the VM. When Windows was starting there was a dialog to “connect” to the VM. In my Microsoft Trainings I learned, that this is the connection dialog for the enhanced session – a kind of RDP connection. I also know that if you are connected via RDP, the graphic card is just an emulated one for the session. So I didn’t click the “connect” button and stay in the default session instead of changing to the enhanced session. I additionally disabled all windows firewalls before starting Settlers 3 again. And voila: it started. Also the Multiplayer session was running without any problems. Ingame I recommend to press F3 to change the resolution to the largest possible.

So in summary what to do if you want to play Settlers 3 on an Hyper-V enabled machine:
1. Install a new VM on Windows XP or higher
2. Connect to that VM WITHOUT enhanced session (you can also disable this in the VM settings)
3. Disable all firewalls in the VM
4. Install Settlers 3 GoG Edition and also DirectPlay on the first start in the VM
5. Happy gaming!

Visual Studio Emulator and Android 7 or higher

This post is about how to debug Android with using Hyper-V to debug Android 7 or higher machines in Visual Studio. This is a scenario because it is not possible to use the Intel HAXM virtualization driver in parallel with Hyper-V but this driver is required to run a performant Android emulated machine using the official Android emulator.

So here is how to debug Android version that are not available in the “Visual Studio Emulator for Android” set of machines.
First you need to download Android by using the Android x86 project as a source:
Download the Android version of your favor.

While downloading, you can create a new Hyper-VM. The important step is, that you disable Secure Boot in the “Security” section. You can use a Gen2 machine (tested with Android 7.1). You also have to select an External Network adapter that has access to the internet. Otherwise you will have problems to configure the virtual Android later on.

When your download is done, you can mount the ISO to the virtual DVD-driver of your VM and start the VM. Follow the dialog to setup the VM until you are at the desktop of your Android VM.
Remark: the usage of the cursor is pretty strange. You can only move it when you click the mouse button. But this also results in a swipe gesture. I haven’t found another way of moving the cursor without clicking. Using the latest Release 7.1 R2 fixes this issue.

When you are at the desktop of the Android VM, you can open the main Menu and open the “Termial Emulator” to get a command prompt. Enter “ifconfig” to show the IP of your VM. Switch to Visual Studio. I expect you have the “Visual Studio Emulator for Android” installed, so you have the control buttons in the toolbar. Click the button, that opens the Android Adb command prompt.



Type the following command in this prompt:

adb connect <ip of VM>

(i.e. “adb connect”)

You should see the message “connected to <ip>:5555”
You can verify the connect by executing “adb devices” and you should see your VM in this list.
Additionally you should have an entry called “Microsoft Corporation Virtual Machine (…)” in your “Start Debugging” combobox that lists all your devices available for debugging.



Now you can start debugging almost every version of Android that is available. Have fun with it!

Hint: If your VM goes to sleep, hold any of the arrow keys for a while (let’s say 30 sec) and connect it again via Adb Command Prompt.

Solving Problems with RDS License Manager

Lately I had a RDS Terminalserver that was a Stand-Alone server. So all services were installed on this one Server (Windows Server 2012 R2).

I had a RDS User CAL for 10 User CALs. They were installed. After a crash of the server because the connection to the Shared Storage for the VM was lost, the users were not able to login to the server anymore. In the Remotedesktop License Manager the CAL was available with a Total of 10 CALS but with 0 available and 0 in use. In general it should be available + in user = total.

I reinstalled the RDS License Manger Feature without any changes. I searched the Web and finally found the solution here:

The solution is:
1. Disable the License Server in the License Manager (Right Click the Server => Advanced => Deactivate Server)
2. Uninstall the License Server Feature. Your server have to restart to finish this action.
3. Rename the Folder C:\Windows\System32\lserver to lserver.old (or something else). This resets the License server incl. the currently available CALs. That way you will be able to reinstall them.
4. Install the License Server Feature (no restart required)
5. Activate the Server in the License Server Manager (Right Click the Server => Activate Server)
6. Install and activate the CALs

The result will be a total amount of 10 CALs where 10 are available and 0 are in use (until the first users will connect).

Optimize Ads with Microsoft AdMediator or Universal Ad Client SDK

Hello everybody,

the last days I tested many possibilities according to Ad platforms on Windows Phone 8.1 and Windows 8.1 (Windows UI). My biggest challenge was, that there is a leak of SDKs for the Windows platform in general. The most annoying thing is, that Google isn’t supporting Windows (Phone) 8.1 and above, if you are using the default XAML/C#-Apps. They have an SDK for WP8 but its worthless for WP8.1. That thing is so annoying, because if you ask anybody that is developing apps for mobile platforms and is using ads to finance them, they say: use Google. But obviously this is not possible on modern Windows Phone/Windows Mobile platforms at the moment.

So I had to check, what I can do, because I was unsatisfied with this ugly text-banners, that want sell me strage things. I also found no option to disable this gambling- and diet-ads in the Dev-Center of Microsoft.

The first thing was: Search another provider for AdMediation that has more than two providers (Microsoft and Smaato), that pay you for ads. (AdDuplex is a third one, but it is a click-trade-provider without monetization).
I found some recommendations for MobFox and setup an account to test it. The first thing I recognized: they don’t have a SDK for Windows Phone. The second thing I recognized: they have an API (Google has not!). So I created a control for myself to present the MobFox provided ads. I simply used a WebView and show the HtmlString-Property MobFox provides. The problem is: the WebView is performing a fit-to-width of the content and the content MobFox provides has a width of 1024px, even if you tell them you want 320px banners. After some researching I also fixed this and started testing. It worked until Amazon Audibles provided an App that is larger than 320px. That was really frustrating. I figured out, that there is another option to get ads from MobFox by API. I used the “TextAd”-API for my first attempt. But there is also a “native”-API, that provides images instead of HTML. That would solve my problem, so I implemented also the native-API… and was frustrated again. Except my Fallback-Ad for this Blog, there was no Ad delivered. A whole day long.

I finally came back to the Microsoft AdMediator. But not because I want to use Microsofts Ugly-Text-Ads. There is another option I wasn’t aware of: Smaato. They are also able to do admediation with ads from other networks. Also with ads from MobFox. So I setup the networks in the Smaato-Environment and configured the AdMediator to use 100% Smaato and Microsoft only for Backup. Right after doing this, I got nicer banner-ads instead of text-ads. And this ads were for games and not for diet, fitness, getting rich in just one minute and so on.

So at the moment my recommendation for using ads is to use Smaato. But: Don’t ask me about CPMs. Currently I have to wait and check what will happen after I released my next App update in the next weeks.

One more thing about the old Microsoft AdMediator for Windows Phone 8.1 and the new Microsoft Universal Ad Client SDK:
Currently I only have a Windows Phone 8.1 app and I am using the Microsoft AdMediator but when I will switch to Windows Universal App for Windows 10 (Mobile), I will not use the Microsoft Universal Ad Client SDK. There are MANY problems with this regarding the comments in the Visual Studio Gallery. I will switch to the Windows 10 (Mobile) SDK of Smaato! Yes, they have an SDK for Windows 10 that seems to work!

Microsoft AdMediator
Microsoft Universal Ad Client SDK
Smaato Windows 10 SDK (also Available via Nuget)

Originally posted on February 20th 2016

More from the AdMediator Control

Hi Guys,

I’m still working on the AdMediator Control for my app and I though I found a bug, that is more a misconfigure of the control, but I like to share it with you.

I created an Ad UnitId in the DevCenter of Microsoft with the type “Video interstitial”. My expectation was to get animated banner for my app. So I entered the new UnitId to my app and start debugging. After some refreshes (sometimes some more refreshes, sometimes the first load) my app crashed because of an UnhandledException in win32. I am catching UnhandledExceptions in my app, so I was confused. I figured out, that if I disabled “Microsoft Advertisement”-Network for my AdMediator Control, the problem was gone. So I continued testing and figured out, that the problem only exists, if compile my app in x64. If I compile my app in x86 the app don’t crashes, but I get a text in my banner called “FreeWheelFreeWheel” or “FreeWheelFreeWheelFreeWheel”.

I reported this to Microsoft and get a rapid answer (much faster than I assumed!):

Kristian, if the unit was created for video interstitials, it cannot be used in mediation or with AdControl.  The only use case for such an AdUnit is in the RequestAd method from InterstitialAd class.
That said, we should never crash, and for that behavior I’ve filed bug 4786896.
My guess is that if text “freewheel” showed up in the WebView control, it means we injected the VAST payload (meant for video ads) into the container. WebView itself, or the edge engine is probably going to show in the stack.

That is a clear and good answer! Thanks Microsoft!

Originally posted on October 1st 2015

WNS PushChannelURI is…

I just wasted two hours to figure out why the PushChannelURI in my Windows Phone Emulator has a PushChannelURI that is…… but usually it should be something like…..

When this PushChannelURI is detected and you’re trying to send something to that URI, you would get an error, that this servername is not resolvable. The answer is simple: You have the Notifications-Simulation activated in your Emulator. Disable it, reinstall the app on the Emulator and your will have a regular Channel URI for the WNS back.

Happy testing!

Originally posted on September 12th 2015