Windows RDP-Related Event Logs

There are times when a system administrator needs to investigate or track Remote Desktop activity for various reasons: to find out which users logged on to the RDS host, when a specific session ended, and so on. Microsoft documents the Windows RDP-related event logs, but those descriptions are often confusing and hard to interpret. This article addresses that problem for anyone who has struggled to identify and fully understand these Windows event IDs, by introducing and explaining the most common RDP-related entries in the Windows event logs.

We approach the issue by explaining the event IDs one by one in chronological fashion: related events are grouped into categories and placed in the order a user is most likely to encounter them. These groups are Network Connection, Authentication, Logon, Session Disconnect/Reconnect and Logoff. Also note that all of the Event IDs referenced in this article are found in the logs of the endpoint machine that receives the remote connection, i.e. the server side, not the client.

 

1. Network Connection

This section covers the most common Event ID for the initial network connection to a machine.

 

Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Log Location: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

 

Event ID: 1149
Provider Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Description: “User authentication succeeded”

This is one of the confusing descriptions mentioned above. Despite its seemingly clear wording, this event does not by itself indicate that a user has successfully logged on; it records success at the network connection stage. Whenever somebody launches an RDP client, opens an RDP network connection to your system, and the system responds by presenting a login window for that person to enter credentials, you will get Event ID 1149 in the logs before any credentials have been entered. The practical caveat is Network Level Authentication (NLA): with NLA disabled, 1149 fires for anyone who can reach the RDP port, so scanners and brute-force tools generate it too, usually with an empty user name. With NLA enabled, the client has to authenticate over CredSSP before the session is created, so a 1149 records the account that passed that network-level authentication, and the Security log events in the next section show the actual logon.
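The following PowerShell is an added example, not code from the original article. It lists the 1149 entries on the receiving host, extracts the user, domain and source address that the event stores as Param1..Param3 under UserData/EventXML, and groups them by source address so that a scanner hammering an NLA-disabled host stands out. It assumes an elevated session on the host that received the connections.

```powershell
# Added example (not part of the original article): list Event ID 1149 entries
# from the RemoteConnectionManager log and group them by source address.
# Assumes an elevated PowerShell on the host that received the connections.
$log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

$rows = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1149 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 1149 stores its fields under UserData/EventXML as Param1..Param3
        # (user, domain, source address), not under the usual EventData node.
        $x = [xml]$_.ToXml()
        $p = $x.Event.UserData.EventXML
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $p.Param1      # often empty when NLA is disabled: nobody has authenticated yet
            Domain   = $p.Param2
            SourceIP = $p.Param3
        }
    }

# Chronological view: who connected from where, and when
$rows | Sort-Object Time | Format-Table -AutoSize

# Triage view: many 1149s from one address with blank user names on an NLA-disabled
# host is a scanner or brute-force tool opening connections, not a real logon.
$rows | Group-Object SourceIP |
    Select-Object Count,
                  @{ n = 'SourceIP';  e = { $_.Name } },
                  @{ n = 'BlankUser'; e = { @($_.Group | Where-Object { -not $_.User }).Count } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

The first table is the chronological record; the second is the one to look at first during triage, since a high Count with a high BlankUser figure from a single address is connection noise rather than a logon.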

 

2. Authentication

The next phase of the RDP connection is where the user name and password are entered. Different Event IDs are produced here depending on whether user authentication succeeds or fails.

 

Log: Security

Log Location: %SystemRoot%\System32\winevt\Logs\Security.evtx

 

Event ID: 4624
Provider Name: Microsoft-Windows-Security-Auditing
Description: “An account was successfully logged on”


This Event ID shows that an account successfully logged on to the machine from the IP address given in the event. The Logon Type varies, however. With NLA enabled the first record is a Type 3 (network) logon for the CredSSP authentication, followed by either a Type 10 (RemoteInteractive) logon for a new session or a Type 7 (Unlock) logon. Type 7 occurs when the connection is a reconnection to an existing RDP session that had been established earlier and disconnected but never formally logged off.

Event ID: 4625
Provider Name: Microsoft-Windows-Security-Auditing
Description: “An account failed to log on”

Examining failed logon attempts is useful for identifying brute-force attacks and other malicious activity. The Status/Sub Status codes let you separate legitimate failures such as “password expired” from suspicious ones: a run of “user name does not exist” failures, especially across many different user names from one source address, indicates that the host is being targeted.

Again, the Logon Types here vary. A failed RDP logon with NLA enabled produces a 4625 with Type 3; without NLA you will see a 4625 with Type 10.
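The following PowerShell is an added example, not code from the original article. It pulls the 4624 records with the Logon Types an RDP connection produces (3, 7, 10) and the 4625 failures from the Security log, decodes the Sub Status codes the text mentions, and buckets failures by source address so that password spraying (many distinct non-existent user names from one address) is visible at a glance. It assumes an elevated session on the target host; the 24-hour window and the helper function name are arbitrary.

```powershell
# Added example (not part of the original article): RDP-relevant 4624/4625 records
# from the Security log, with failures bucketed by source address.
# Assumes an elevated session on the target host; the 24-hour window is arbitrary.
$since = (Get-Date).AddHours(-24)

function Read-EventData {
    # Flatten the <EventData><Data Name=...> nodes of a Security event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $h = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$n.Name] = $n.'#text' }
    return $h
}

# Successful logons with the types an RDP connection produces: 3 (NLA), 10 (new session), 7 (reconnect)
$ok = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Read-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType
            LogonId   = $d.TargetLogonId     # join key for 4634/4778/4779 later in the session's life
            SourceIP  = $d.IpAddress
        }
    } | Where-Object { $_.LogonType -in 3, 7, 10 -and $_.SourceIP -notin '-', '127.0.0.1', '::1' }

$ok | Sort-Object Time | Format-Table -AutoSize

# Sub Status codes that explain why a 4625 happened (values from Microsoft's 4625 documentation)
$why = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'bad password'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Read-EventData $_
        $sub = ([string]$d.SubStatus).ToLower()
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d.TargetUserName
            LogonType = [int]$d.LogonType
            SourceIP  = $d.IpAddress
            Reason    = if ($why.ContainsKey($sub)) { $why[$sub] } else { $sub }
        }
    }

# One address trying many distinct user names that do not exist is password spraying,
# whereas a single user with a few 'password expired' failures is usually benign.
$failed | Group-Object SourceIP | ForEach-Object {
    [pscustomobject]@{
        SourceIP     = $_.Name
        Attempts     = $_.Count
        DistinctUser = @($_.Group.User | Sort-Object -Unique).Count
        UnknownUser  = @($_.Group | Where-Object Reason -eq 'user name does not exist').Count
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

The LogonId column of the successful logons is worth keeping: the same value appears as Logon ID in 4634, 4778 and 4779, so it ties the later disconnect, reconnect and logoff records back to this logon.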

3. Logon

After successful authentication and logon, the events covered in this section are generated.

 

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Log Location: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

 

Event ID: 21
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session logon succeeded:”

This event carries a Source Network Address, which is either LOCAL or a remote IP address. LOCAL does not indicate an RDP logon: a 21 with a LOCAL address is generated after a system reboot or by a plain console logon. With a non-local address it indicates a successful RDP logon and session creation, and the Session ID in the event lets you track the rest of that user's activity in the event log.

 

Event ID: 22
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Shell start notification received:”

This normally follows an Event ID 21. The same rule about the Source Network Address applies: LOCAL does not imply a remote RDP logon, whereas a non-local address indicates a successful RDP logon and the start of the Windows GUI desktop.

4. Session Disconnect/Reconnect

This section introduces the Windows RDP-related event logs generated by session disconnects and reconnects. These happen because of session idle timeouts, network disconnection, or deliberate user actions such as closing the RDP window, choosing Disconnect from the Start menu, or being kicked off by another user taking over the session.

 

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Log Location: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

 

Event ID: 24
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session has been disconnected:”

As long as the Source Network Address is a remote IP address rather than LOCAL, this event shows that the user disconnected from an RDP session; otherwise it only records a local session disconnection. It is typically paired with Event ID 40, examined below. Again, the Session ID lets you track the rest of this user's RDP session activity in the event log.

Event ID: 25
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session reconnection succeeded:”

Again, with a non-local Source Network Address you can conclude that the user reconnected to an existing RDP session, and that address is the source of the reconnection. Like Event ID 24, this is normally paired with an Event ID 40.

 

Event ID: 39
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Session <A> has been disconnected by session <B>”

When a user deliberately disconnects from an RDP session, for example by choosing Disconnect from the Start menu rather than simply closing the RDP window, you get this Event ID. If the session ID <B> differs from <A>, the given user was disconnected, i.e. kicked off, by a separate RDP session.

 

Event ID: 40
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Session <X> has been disconnected, reason code <N>”

Although Microsoft uses the word “disconnect” throughout these descriptions, Event ID 40 is logged for reconnections as well as disconnections. The reason code is what tells you what actually happened, and Microsoft publishes a list of these reason codes that is very helpful when reading the event.
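The following PowerShell is an added example, not code from the original article, and it serves both the Logon section (Event IDs 21 and 22) and this section (24, 25, 39 and 40). It reads every LocalSessionManager event of those IDs, rebuilds a per-session timeline keyed by the Session ID the text recommends tracking, drops anything whose Source Network Address is LOCAL, and decodes a few Event ID 40 reason codes. The element names under UserData/EventXML (User/SessionID/Address for 21 to 25, TargetSession/Source for 39, Session/Reason for 40) and the partial reason code table are assumptions taken from observed events and Microsoft's documented list rather than from the article; the fields are read generically, so a mismatched name only leaves a column blank.

```powershell
# Added example (not part of the original article): per-session RDP timelines from the
# LocalSessionManager log (Event IDs 21-25, 39, 40), keyed by Session ID.
# Assumes an elevated session on the target host. The EventXML element names below are
# assumptions from observed events: User/SessionID/Address (21-25), TargetSession/Source (39),
# Session/Reason (40). They are read generically, so a mismatch only blanks a column.
$log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

$what = @{ 21 = 'logon'; 22 = 'shell start'; 23 = 'logoff'; 24 = 'disconnect'
           25 = 'reconnect'; 39 = 'disconnected by session'; 40 = 'disconnect/reconnect' }

# Partial Event ID 40 reason code map (assumed from Microsoft's documented list; extend as needed)
$reason = @{ 0 = 'no additional information'; 5 = 'another connection replaced this one'
             11 = 'user disconnected the session'; 12 = 'user logged off the session' }

$rows = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 21, 22, 23, 24, 25, 39, 40 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_                              # keep the record; switch rebinds $_ below
        $f = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.UserData.EventXML.ChildNodes) { $f[$n.LocalName] = $n.InnerText }
        # the session number lives in a differently named element depending on the event
        $sid = @($f['SessionID'], $f['TargetSession'], $f['Session'] | Where-Object { $_ })[0]
        $detail = switch ($e.Id) {
            39 { "kicked by session $($f['Source'])" }
            40 { $c = [int]$f['Reason']
                 if ($reason.ContainsKey($c)) { "reason $c ($($reason[$c]))" } else { "reason $c" } }
            default { $f['Address'] }      # Source Network Address; 'LOCAL' = console/reboot, not RDP
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Session = [int]$sid; Id = $e.Id
                           Event = $what[$e.Id]; User = $f['User']; Detail = $detail }
    }

# Drop console activity: any 21-25 whose address is LOCAL is not an RDP session
$rdp = $rows | Where-Object { $_.Id -in 39, 40 -or $_.Detail -ne 'LOCAL' }

# Per-session view: logon -> shell start -> disconnect/reconnect pairs (24/25 with 40) -> logoff
$rdp | Sort-Object Session, Time | Format-Table Time, Session, Id, Event, User, Detail -AutoSize
```

Reading the output per Session ID shows the chain the text describes: a 21 and 22 from a remote address, then 24/25 pairs each accompanied by a 40 with its reason code, a 39 if another session took over, and finally a 23 when the user logs off.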

 

Log: Security

Log Location: %SystemRoot%\System32\winevt\Logs\Security.evtx

 

Event ID: 4778
Provider Name: Microsoft-Windows-Security-Auditing
Description: “A session was reconnected to a Window Station.”

Typically paired with an Event ID 25, this event is also generated when a reconnection to an existing RDP session occurs. To identify the source and track associated activity, use the additional fields it carries: SessionName, ClientAddress and LogonID.

 

Event ID: 4779
Provider Name: Microsoft-Windows-Security-Auditing
Description: “A session was disconnected from a Window Station.”

This can be paired with Event IDs 24, 39 and 40 and it’s generated when a disconnection from an RDP session happens.

5. Logoff

The last section covers the Windows RDP-related event logs generated after a deliberate logoff or disconnect, i.e. when the user chooses Disconnect or Logoff from the Start menu.

 

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Log Location: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

 

Event ID: 23
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session logoff succeeded:”

This Event ID indicates that the user initiated a formal logoff and is usually paired with Event ID 4634. Note that with a LOCAL Source Network Address this event can also be generated by a system shutdown or reboot.

 

Log: Security

Log Location: %SystemRoot%\System32\winevt\Logs\Security.evtx

 

Event ID: 4634
Provider Name: Microsoft-Windows-Security-Auditing
Description: “An account was logged off.”

Typically paired with an Event ID 23, this event has either Logon Type 10 or Logon Type 7; Type 7 indicates that the session being ended had been a reconnection to an existing RDP session. It is generated whenever the user either disconnects from or formally logs off an RDP session.

 

Event ID: 4647
Provider Name: Microsoft-Windows-Security-Auditing
Description: “User initiated logoff:”

This occurs only when a user initiates a formal logoff. Keep in mind that it is not necessarily RDP-related: it can also be a logoff from a local interactive session, and since the event carries no Logon Type, some reasoning is needed to determine whether it belongs to an RDP session, for example by matching its Logon ID against the earlier 4624.

 

Log: System

Log Location: %SystemRoot%\System32\winevt\Logs\System.evtx

 

Event ID: 9009
Provider Name: Desktop Window Manager
Description: “The Desktop Window Manager has exited with code ().”

This event is produced when a user closes an RDP connection and the session's desktop GUI shuts down. Tracking it is useful for identifying when an RDP connection was finalized.

 

Wrap-Up

Having examined the most commonly encountered Windows RDP-related event logs, it is worth mentioning tools that aggregate Windows event logs and present them as a chain of events. Log2timeline is one of the most popular. Microsoft's Log Parser is also a good tool for parsing event logs into an easily readable form.

As stated at the beginning, this article focuses on the logs created on the target system of an RDP connection. If you want to track the events generated on the machine that attempts the RDP connection to other systems, they are in the Microsoft-Windows-TerminalServices-RDPClient/Operational log. Its location on disk is %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx.

You will find various Event IDs logged in that direction, containing related information such as name, IP address, connection and disconnection messages, etc.
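The following PowerShell is an added example, not code from the original article, for the client side just mentioned. It lists outbound connection attempts from the RDPClient/Operational log and extracts the target host or address from the message text. The Event IDs and message formats it relies on (1024, “RDP ClientActiveX is trying to connect to the server (<host>)”, and 1102, “The client has initiated a multi-transport connection to the server <ip>”) are assumptions taken from observed client events, not from the article.

```powershell
# Added example (not part of the original article): outbound RDP connections recorded on the
# client side in the RDPClient/Operational log. The IDs and message formats are assumptions
# from observed events: 1024 "RDP ClientActiveX is trying to connect to the server (<host>)"
# and 1102 "The client has initiated a multi-transport connection to the server <ip>".
$log = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'

Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1024, 1102 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # pull the host name or IP that follows "server" in either message form;
        # the dotted-token pattern stops before a trailing period or closing parenthesis
        $target = if ($_.Message -match 'server\s*\(?([\w:-]+(?:\.[\w:-]+)*)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Target = $target
            UserId = $_.UserId      # SID of the account that ran the RDP client
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

On a suspected jump host this gives the list of systems an account pivoted to, which can then be matched against the 1149 and 4624 records on each of those targets.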

Published by Blogger at 2020 September 08