Automatically generated based on tag:

ETW - Remote Desktop - Destination host

Destination host of a Remote Desktop access.

Main events:

Channel: Security.
Event ID 4624: "An account was successfully logged on", with LogonType 10 (RemoteInteractive). When Network Level Authentication (NLA) is enabled, a 4624 with LogonType 3 for the same account and source address (the CredSSP / NLA authentication) is recorded shortly before the LogonType 10 event. Reconnections to an existing, disconnected session may be recorded with LogonType 7 instead of 10.

Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.
Event ID 1149: "Remote Desktop Services: User authentication succeeded", with the user, domain and source network address. Without NLA this event is logged as soon as the remote logon screen is displayed, so on its own it does not prove that the logon succeeded; correlate it with 4624 / 21.

Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.
Event ID 21: "Remote Desktop Services: Session logon succeeded".
Event ID 22: "Remote Desktop Services: Shell start notification received".
Event ID 23: "Remote Desktop Services: Session logoff succeeded".
Event ID 24: "Remote Desktop Services: Session has been disconnected".
Event ID 25: "Remote Desktop Services: Session reconnection succeeded".

Channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.
Event ID 131: "The server accepted a new TCP connection from client <IP>:<PORT>". Logged for every inbound RDP connection before any authentication, so it also captures failed or unauthenticated attempts.

Events of interest: Security 4624 (LogonType 10); TerminalServices-RemoteConnectionManager 1149; TerminalServices-LocalSessionManager 21, 22, 23, 24, 25; RemoteDesktopServices-RdpCoreTS 131.
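
Added example (not code from the original notes): a small triage script over constructed Security 4624 records that keeps the LogonType 10 logons and the LogonType 7 reconnections that carry a network source, and checks whether each LogonType 10 logon was preceded by the LogonType 3 NLA authentication from the same account and address. The EventData field names are the real ones Windows writes; the account names, addresses and timestamps are invented.

```python
"""Triage Security 4624 events on an RDP destination host.

Added example, not code from the original notes. The XML records are constructed
to look like Security 4624 events (the EventData field names TargetUserName,
TargetDomainName, LogonType, IpAddress and LogonProcessName are the real ones);
users, addresses and times are invented.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Source addresses that mean "no network source": a LogonType 7 from one of
# these is a local workstation unlock, not an RDP session reconnection.
LOCAL_SOURCES = {"", "-", "127.0.0.1", "::1"}


def _event(eid, time, **data):
    """Build one constructed event record in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_LOG = "<Events>" + "".join([
    # NLA (CredSSP) authentication that precedes the RDP session: network logon.
    _event(4624, "2024-03-01T10:00:00Z", TargetUserName="alice", TargetDomainName="CORP",
           LogonType=3, IpAddress="10.0.0.5", LogonProcessName="NtLmSsp "),
    # The RDP session itself.
    _event(4624, "2024-03-01T10:00:02Z", TargetUserName="alice", TargetDomainName="CORP",
           LogonType=10, IpAddress="10.0.0.5", LogonProcessName="User32 "),
    # Logon at the console keyboard: not RDP.
    _event(4624, "2024-03-01T11:00:00Z", TargetUserName="bob", TargetDomainName="CORP",
           LogonType=2, IpAddress="-", LogonProcessName="User32 "),
    # Reconnection to bob's disconnected RDP session from another machine.
    _event(4624, "2024-03-01T12:30:00Z", TargetUserName="bob", TargetDomainName="CORP",
           LogonType=7, IpAddress="10.0.0.9", LogonProcessName="Negotiat"),
    # Local unlock of the console session: LogonType 7 but no network source.
    _event(4624, "2024-03-01T12:45:00Z", TargetUserName="bob", TargetDomainName="CORP",
           LogonType=7, IpAddress="-", LogonProcessName="Negotiat"),
    # A logoff (4634) mixed in, which the parser must ignore.
    _event(4634, "2024-03-01T13:00:00Z", TargetUserName="alice", TargetDomainName="CORP",
           LogonType=10),
]) + "</Events>"


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_4624(xml_text):
    """Return every 4624 record as a dict of its EventData fields plus 'time'."""
    records = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        rec = {d.get("Name"): (d.text or "").strip()
               for d in ev.findall("e:EventData/e:Data", NS)}
        rec["time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append(rec)
    return records


def rdp_logons(xml_text):
    """Keep LogonType 10 (new RemoteInteractive session) plus LogonType 7
    reconnections that carry a real source address.
    Returns (time, DOMAIN\\user, source, logon type, kind) tuples in log order."""
    hits = []
    for rec in parse_4624(xml_text):
        ltype = int(rec.get("LogonType", "0"))
        source = rec.get("IpAddress", "-")
        if ltype == 10:
            kind = "session"
        elif ltype == 7 and source not in LOCAL_SOURCES:
            kind = "reconnect"
        else:
            continue
        user = f'{rec.get("TargetDomainName", "")}\\{rec.get("TargetUserName", "")}'
        hits.append((rec["time"], user, source, ltype, kind))
    return hits


def nla_preauth(xml_text, window_s=60):
    """For each LogonType 10 logon, report whether a LogonType 3 logon for the
    same account and source preceded it within window_s seconds (the NLA
    authentication). False means NLA is off or the logon took another path."""
    recs = parse_4624(xml_text)
    result = {}
    for rec in recs:
        if rec.get("LogonType") != "10":
            continue
        t10 = _ts(rec["time"])
        paired = any(
            r.get("LogonType") == "3"
            and r.get("TargetUserName") == rec.get("TargetUserName")
            and r.get("IpAddress") == rec.get("IpAddress")
            and 0 <= (t10 - _ts(r["time"])).total_seconds() <= window_s
            for r in recs)
        result[(rec["time"], rec.get("TargetUserName"))] = paired
    return result


if __name__ == "__main__":
    for hit in rdp_logons(SAMPLE_LOG):
        print(hit)
    print(nla_preauth(SAMPLE_LOG))
```

On a real host, feed the script the XML obtained with `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` wrapped in a single root element; the LogonType 7 heuristic is deliberately conservative and only counts reconnections whose source address is not a local placeholder.
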

ETW - Remote Desktop - Remote Desktop Gateway

For Remote Desktop access through a Remote Desktop Gateway (a Windows Server role that tunnels the Remote Desktop Protocol (RDP) over HTTPS). The Gateway logs the user, the client source IP and the internal target host of each relayed session, so these events tie an external client to the internal destination host.

Main events:

Channel: Microsoft-Windows-TerminalServices-Gateway/Operational.
Event ID 200: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy [...] to access the TS Gateway server".
Event ID 302: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>".
Event ID 303: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>. Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYTES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds". The byte counts and duration help distinguish a short probe from a working session or a bulk transfer.

Events: 200, 300, 302, 303, 308, 312, 313.

ETW - Remote Desktop - Source host

Source host initiating a Remote Desktop access.

Main events:

Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational.
Event ID 1024: "RDP ClientActiveX is trying to connect to the server (<HOSTNAME>)".
Event ID 1102: "The client has initiated a multi-transport connection to the server <IP>".
Event ID 1029: "Base64(SHA256(UserName)) is = <HASH>". The value is the SHA-256 of the username used for the connection, encoded as UTF-16LE, then Base64-encoded. It cannot be reversed, but it can be matched against hashes computed the same way from candidate account names (in the exact form typed, e.g. "alice", "CORP\alice" or "alice@corp.local").

Events: 1024, 1029, 1102.
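
Added example (not code from the original notes): since the 1029 value is not reversible, attribution works by hashing candidate usernames the same way and comparing. The hashing convention, SHA-256 over the UTF-16LE encoding of the typed username followed by Base64, is the one that matches real 1029 events; the account names and domain below are invented.

```python
"""Resolve the Base64(SHA256(UserName)) value of TerminalServices-RDPClient
event 1029 back to an account name by hashing candidates.

Added example, not code from the original notes. The username is hashed as
UTF-16LE (the encoding Windows uses for its strings); the names are invented.
"""
import base64
import hashlib


def event_1029_hash(username, encoding="utf-16-le"):
    """Compute the value exactly as the 1029 message prints it (44 characters)."""
    digest = hashlib.sha256(username.encode(encoding)).digest()
    return base64.b64encode(digest).decode("ascii")


def candidate_forms(user, domains=()):
    """The same account can be typed several ways; each form hashes differently."""
    forms = {user, user.lower(), user.upper()}
    for d in domains:
        forms.update({f"{d}\\{user}", f"{d.lower()}\\{user}", f"{user}@{d.lower()}"})
    return forms


def resolve_1029(observed_hash, users, domains=()):
    """Return the typed username form whose hash matches, or None."""
    table = {event_1029_hash(f): f for u in users for f in candidate_forms(u, domains)}
    return table.get(observed_hash)


if __name__ == "__main__":
    # Constructed observation: the hash a client writes when 'CORP\alice' is typed.
    observed = event_1029_hash("CORP\\alice")
    print(observed, "->", resolve_1029(observed, ["alice", "bob"], ["CORP"]))
```

The candidate list is the useful input: feed it the accounts seen in 4624 / 1149 events on suspected destination hosts, or the UsernameHint values from the source host's Terminal Server Client\Servers key, and remember that the match is on the literal string typed, so case and domain prefix matter.
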

Jumplists

Introduced in Windows 7, Jump Lists back the taskbar feature that lets users "jump" to recently or frequently used files, folders or other items by right-clicking an open application's icon on the Windows taskbar. Automatic Jump Lists are stored per user under %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ as <AppID>.automaticDestinations-ms files.

Information of interest: target absolute path, size, attributes, and Modified, Access, and Birth timestamps, plus the Jump List's own per-entry last-access timestamp, which is updated whenever the item is "jumped" to.

Remote desktop connections made using the Windows built-in mstsc.exe client generate an entry in the mstsc.exe AutomaticDestinations Jump List that may reference the remote host (the hostname or IP address entered in the client).


RDP - Processes

The following processes are related to RDP activity:

- mstsc.exe: Windows built-in RDP client, executed on the source host. The remote host may, but need not, be specified with the "/v:" command-line parameter; it can also be typed in the client's dialog or read from an .rdp file passed as an argument, in which case the command line alone does not reveal the destination.

- rdpclip.exe: RDP Clipboard Monitor, executed on the destination host in the user's session every time a remote interactive RDP session is successfully established.

- TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the destination host every time a remote interactive RDP session is successfully established and upon session closure.

Process creation logging (Security event 4688 or Sysmon event 1) on the destination host therefore records rdpclip.exe and TSTheme.exe executions, a useful side channel for RDP session timelines when the Remote Desktop event channels have been cleared or are unavailable.

RDP Bitmap Cache

The RDP Bitmap Cache, stored on the source (client) host, contains partial image captures, in bitmap format, of the remote host screen from Remote Desktop sessions. The client caches screen tiles so that the server only has to reference, not retransmit, tiles it already sent, which reduces the amount of data sent by the server.

Information of interest: small bitmap images, 64 pixels wide and up to 64 pixels high, that represent pieces of the content displayed in the user's past Remote Desktop sessions. The tiles are stored without their on-screen position and must be extracted and reassembled (for instance with ANSSI's bmc-tools) to recover readable fragments such as window titles, file names or command output.

Thousands of tiles may be available in a given user's RDP Bitmap Cache folder.

Files: "bcache*.bmc" and "cache????.bin" under the "Terminal Server Client\Cache" directory.

Windows XP / Windows Server 2003:
<SYSTEMDRIVE>:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*

Windows 7 and later:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Terminal Server Client\Cache\*

Registry - Terminal Server Client\Servers

The Terminal Server Client\Servers registry key (in the user's NTUSER.DAT hive) tracks the remote hosts the associated user connected to using the built-in mstsc.exe Remote Desktop client. One subkey is created per remote host, named after the IP address or hostname entered in the client.

Information of interest: IP address or hostname of the remote host and, when present, the saved username for that host (the UsernameHint value).

The subkey is created on the first connection to the host, so its last write timestamp indicates the first access to the remote host, unless the saved username was changed afterwards, which updates the timestamp.

Registry key: HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<IP or hostname>
Value: UsernameHint (REG_SZ).
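
Added example (not code from the original notes): a parser for a .reg export of the Terminal Server Client key that lists every host subkey and its UsernameHint, so the source host's connection targets can be pulled out of an export made with `reg export "HKCU\Software\Microsoft\Terminal Server Client" tsc.reg` or from a .reg written out of an offline NTUSER.DAT. The sample export is constructed; the hosts and usernames in it are invented.

```python
"""List remote hosts and saved usernames from a .reg export of
HKCU\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers.

Added example, not code from the original notes. The export below is
constructed (hosts and usernames are invented); its layout is the standard
"Windows Registry Editor Version 5.00" format, in which backslashes inside
string values are escaped as "\\\\".
"""
import re

SERVERS_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers\10.0.0.5]
"UsernameHint"="CORP\\alice"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers\srv-files.corp.local]
"UsernameHint"="administrator"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers\10.0.0.9]
"""

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value):
    """Undo the .reg string escaping for backslashes and double quotes."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_servers(reg_text, servers_key=SERVERS_KEY):
    """Map each host subkey name (IP or hostname as typed in mstsc.exe) to its
    string values; UsernameHint is None when no username was saved."""
    prefix = servers_key.lower() + "\\"
    hosts = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only direct children of ...\Servers are host entries.
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current is not None:
                hosts.setdefault(current, {"UsernameHint": None})
            continue
        match = _VALUE_RE.match(line)
        if current is not None and match:
            hosts[current][match.group(1)] = _unescape(match.group(2))
    return hosts


def load_reg(path):
    """reg.exe and regedit write version 5.00 exports as UTF-16LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for host, values in parse_servers(SAMPLE_REG).items():
        print(f"{host:25} UsernameHint={values['UsernameHint']}")
```

A .reg export carries no key timestamps, so the first-access indication from the subkey's last write time has to come from a hive parser run against NTUSER.DAT (Registry Explorer, RegRipper's tsclient plugin and similar tools report it); the export is enough for the host list and the saved usernames, which are also the natural candidate list for matching the source host's 1029 hashes.
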
