A Windows-oriented Python script that analyzes the CmRcService log generated by Microsoft Endpoint Configuration Manager (MECM/SCCM) Remote Control, looking for sessions granted with Full Control permissions.
It prints a summary to the console and generates two artifacts (report + evidence) in the same folder as the analyzed log.
Project reference: www.aiutocomputerhelp.it
The script searches the standard MECM client log folder:
C:\Windows\CCM\Logs
It looks for the string:
Session allowed: Full Control
It also includes a tolerance for the common typo:
Session allowed: Full Controll
For every match, it extracts context lines around the hit and tries to capture useful fields typically present in the same log block, such as:
- Timestamp (parsed from date="..." and time="...")
- Incoming connection IP and port
- Viewer address
- Host address
- Authorized viewer user (when present)
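The matching step described above, sketched as an added example (not the project's own code): it finds the marker with the typo tolerance, parses the timestamp, and keeps the surrounding lines as evidence. The sample lines are constructed, the `date="MM-DD-YYYY"` / `time="HH:MM:SS.mmm..."` layout is an assumption, and the IP, viewer, host and user fields are left out because the page does not show their wording.

```python
import re
from datetime import datetime

# Marker string from the page, plus the tolerated "Controll" typo.
MARKER = re.compile(r"Session allowed: Full Controll?\b")
# Trailer attributes; layout assumed to be date="MM-DD-YYYY" time="HH:MM:SS.mmm...".
DATE_ATTR = re.compile(r'date="(\d{2}-\d{2}-\d{4})"')
TIME_ATTR = re.compile(r'time="(\d{2}:\d{2}:\d{2})')

# Constructed sample lines (not taken from a real CmRcService log).
SAMPLE_LOG = [
    '<![LOG[Constructed line A]LOG]!><time="09:14:58.120-060" date="03-04-2024" component="CmRcService">',
    '<![LOG[Session allowed: Full Control]LOG]!><time="09:15:02.481-060" date="03-04-2024" component="CmRcService">',
    '<![LOG[Constructed line B]LOG]!><time="09:15:03.002-060" date="03-04-2024" component="CmRcService">',
    '<![LOG[Session allowed: View Only]LOG]!><time="10:01:11.000-060" date="03-04-2024" component="CmRcService">',
    '<![LOG[Session allowed: Full Controll',
    'constructed continuation]LOG]!><time="11:30:45.777-060" date="03-05-2024" component="CmRcService">',
]

def parse_timestamp(line):
    """Return a datetime built from the date/time attributes, or None."""
    d, t = DATE_ATTR.search(line), TIME_ATTR.search(line)
    if not (d and t):
        return None
    try:
        return datetime.strptime(f"{d.group(1)} {t.group(1)}", "%m-%d-%Y %H:%M:%S")
    except ValueError:  # e.g. month 13: keep the hit, drop the timestamp
        return None

def find_full_control(lines, context=1):
    """Return one event per hit: line number, timestamp, evidence block."""
    events = []
    for i, line in enumerate(lines):
        if not MARKER.search(line):
            continue
        lo, hi = max(0, i - context), min(len(lines), i + context + 1)
        # A message can wrap, so take the first timestamp at or after the hit.
        stamps = (parse_timestamp(ln) for ln in lines[i:hi])
        events.append({
            "line_no": i + 1,
            "timestamp": next((s for s in stamps if s), None),
            "evidence": lines[lo:hi],
        })
    return events

if __name__ == "__main__":
    for ev in find_full_control(SAMPLE_LOG):
        print(ev["line_no"], ev["timestamp"], len(ev["evidence"]), "evidence lines")
```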
When matches are found, the script produces:
- report_CmRcService_full_control.txt
  A compact, human-friendly summary of all detected events.
- evidence_CmRcService_full_control.log
  Raw evidence blocks with surrounding lines for each event, suitable for archiving, sharing internally, or attaching to a ticket.
Both files are written into the same directory where the CmRcService log is located.
- Windows machine with MECM/SCCM client logs available
- Python 3.x
- Administrative privileges are typically required to access C:\Windows\CCM\Logs
No external Python packages are needed (standard library only).
Open a terminal (PowerShell or CMD) as Administrator and run:
python CmRcService_full_control_checker.py