Automatically generated based on tag:

ETW - Remote Desktop - Destination host

Destination host of a Remote Desktop access.

Main events:

Channel: Security.
Event ID 4624: "An account was successfully logged on", with LogonType 10.

Event ID 1149: "Remote Desktop Services: User authentication succeeded".

Event ID 21: "Remote Desktop Services: Session logon succeeded".
Event ID 23: "Remote Desktop Services: Session logoff succeeded".
Event ID 25: "Remote Desktop Services: Session reconnection succeeded".

Event: 4624 (LogonType 10).

Event: 1149.

Events: 21, 22, 23, 25.

Events: 131.

ETW - Remote Desktop - Remote Desktop Gateway

For Remote Desktop access through a Remote Desktop Gateway (Windows server role that implements Remote Desktop Protocol (RDP) over HTTPS).

Main events:

Channel: Microsoft-Windows-TerminalServices-Gateway/Operational.
Event ID 200: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy [...] to access the TS Gateway server".
Event ID 302: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>".
Event ID 303: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>. Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYTES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds".

Events: 200, 300, 302, 303, 308, 312, 313.
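
As an added example (not part of the original page or its project), the following Python pairs Gateway events 302 and 303 into sessions using the message templates quoted above. It assumes the events were exported as (timestamp, event ID, rendered message) tuples whose text matches those templates; `build_sessions` is a hypothetical helper and the sample records are constructed.

```python
import re

# Regexes mirror the message templates quoted on this page for events 302 and 303.
# Assumption: the exported message text follows those templates exactly.
WHO = r"^(?P<user>.+?) on client computer (?P<src>\S+) "
RE_302 = re.compile(WHO + r"connected to (?P<dst>\S+?)\.?$")
RE_303 = re.compile(
    WHO + r"disconnected from (?P<dst>\S+?)\. Before .+? disconnected, "
    r"the client transferred (?P<sent>\d+) bytes and received (?P<recv>\d+) bytes\. "
    r"The client session duration was (?P<secs>\d+) seconds")

def build_sessions(records):
    """records: iterable of (timestamp, event_id, message), sorted by time.
    Returns (closed_sessions, still_open, unmatched_disconnects)."""
    open_by_key, closed, orphans = {}, [], []
    for ts, event_id, msg in records:
        if event_id == 302 and (m := RE_302.match(msg)):
            key = (m["user"].lower(), m["src"], m["dst"].lower())
            open_by_key.setdefault(key, []).append(ts)
        elif event_id == 303 and (m := RE_303.match(msg)):
            key = (m["user"].lower(), m["src"], m["dst"].lower())
            row = {"user": m["user"], "src": m["src"], "dst": m["dst"], "end": ts,
                   "sent": int(m["sent"]), "recv": int(m["recv"]),
                   "secs": int(m["secs"])}
            if open_by_key.get(key):
                row["start"] = open_by_key[key].pop(0)  # oldest open connection first
                closed.append(row)
            else:
                orphans.append(row)  # no matching 302, e.g. it fell outside the export
    still_open = [(k, ts) for k, stamps in open_by_key.items() for ts in stamps]
    return closed, still_open, orphans

# Constructed sample records (documentation IP ranges, made-up names), not real logs.
TAIL = (" disconnected, the client transferred 1500 bytes and received 982000 bytes."
        " The client session duration was 1800 seconds")
SAMPLE = [
    ("2024-01-01T09:00:00", 302,
     r"CORP\alice on client computer 203.0.113.7 connected to srv01.corp.example"),
    ("2024-01-01T09:30:00", 303,
     r"CORP\alice on client computer 203.0.113.7 disconnected from "
     r"srv01.corp.example. Before CORP\alice" + TAIL),
    ("2024-01-01T10:00:00", 302,
     r"CORP\bob on client computer 198.51.100.9 connected to srv02.corp.example"),
    ("2024-01-01T11:00:00", 303,
     r"CORP\carol on client computer 192.0.2.44 disconnected from "
     r"srv03.corp.example. Before CORP\carol" + TAIL),
]
```
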

RDP - Processes

The following processes are related to RDP activity:

- mstsc.exe: Windows built-in RDP client. The remote host may be (but is not necessarily) specified using the command-line parameter "/v:".

- rdpclip.exe: RDP Clipboard Monitor, executed on the remote host every time a remote interactive RDP session is successfully established.

- TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the remote host every time a remote interactive RDP session is successfully established and upon session closure.
