Channels:
- Security: event 4624 (LogonType 10).
- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: event 1149.
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational: events 21, 22, 23, 25.
- Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: event 131.
Overview

Channel | Conditions | Events |
---|---|---|
Security | Default configuration. Event 4624 is also logged for the other logon types (Network, Console, Batch, Service, ...), so filter on the logon type. | Event 4624: An account was successfully logged on, with LogonType 10 (RemoteInteractive). When Network Level Authentication (NLA) is enabled, the type 10 logon is preceded by a type 3 (Network) 4624 for the same account and source address, generated by the NLA authentication; a reconnection to an existing session is logged with LogonType 7 (Unlock) rather than 10. |
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | Default configuration. | Event 1149: Remote Desktop Services: User authentication succeeded. Indicates that the client reached the Windows logon screen, not necessarily that a session was opened. Only when NLA is required does this event imply a successful authentication. |
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Default configuration. | Event 21: Remote Desktop Services: Session logon succeeded. |
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Default configuration. | Event 22: Remote Desktop Services: Shell start notification received. |
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Default configuration. | Event 23: Remote Desktop Services: Session logoff succeeded. |
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Default configuration. | Event 25: Remote Desktop Services: Session reconnection succeeded. For events 21, 22, 23 and 25, a Source Network Address of LOCAL can also be generated by console (non Remote Desktop) logons, so LOCAL entries should not be read as remote access on their own. |
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational | Introduced in Windows Server 2012. Default configuration. | Event 131: The server accepted a new TCP connection from client <IP>. Only indicates a network connection to the Remote Desktop service, not an authentication or a session. |

For all of the events above, a Source Network Address of ::%16777216 (an IPv6 loopback-style address with a scope id) could indicate that an ngrok tunnel was used to reach the Remote Desktop service, since the connection then originates from the local tunnel agent rather than from the real client.
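The following PowerShell script is an added example, not code from the original page or from the KAPE module mentioned below: it collects the events listed in the table above from the live event log (or from exported .evtx files) into a single CSV timeline and flags the LOCAL and ::%16777216 source addresses discussed above. The XML field names used for each event (TargetUserName / IpAddress / LogonType for 4624, Param1 / Param2 / Param3 for 1149, User / Address / SessionID for the LocalSessionManager events, ClientIP for 131) are those observed on recent Windows versions and are an assumption to verify against a sample event from the host being examined; the script and parameter names are hypothetical.

```powershell
# Get-RdpTimeline.ps1 (added example; not part of the original page or of the KAPE LogParser module)
# Builds a Remote Desktop timeline from the four channels listed in the overview table.
# Run from an elevated prompt when querying the live Security log.
param(
    # Directory containing exported .evtx files (named as in C:\Windows\System32\winevt\Logs).
    # When empty, the live event log of the current host is queried instead.
    [string]$EvtxDir = '',
    [string]$OutCsv  = '.\rdp_timeline.csv'
)

# Channel -> event IDs of interest, exactly as in the overview table.
$channels = [ordered]@{
    'Security'                                                               = @(4624)
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' = @(1149)
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'     = @(21, 22, 23, 25)
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'          = @(131)
}
$descriptions = @{
    4624 = 'Logon (LogonType 10, RemoteInteractive)'
    1149 = 'User authentication succeeded (logon screen reached)'
    21   = 'Session logon succeeded'
    22   = 'Shell start notification received'
    23   = 'Session logoff succeeded'
    25   = 'Session reconnection succeeded'
    131  = 'Server accepted a new TCP connection'
}

function Get-RdpChannelEvents {
    param([string]$Channel, [int[]]$Ids, [string]$Dir)
    $filter = @{ Id = $Ids }
    if ($Dir) {
        # Exported channel files replace '/' with '%4' in the file name.
        $filter.Path = Join-Path $Dir ($Channel.Replace('/', '%4') + '.evtx')
    } else {
        $filter.LogName = $Channel
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function ConvertTo-RdpRecord {
    param($Event)
    $x  = [xml]$Event.ToXml()
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # EventData (Security, RdpCoreTS) is a list of named <Data> elements.
    $data = @{}
    foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) { $data[$d.Name] = $d.InnerText }
    # The TerminalServices channels put their fields under UserData/EventXML instead.
    $ux = $x.SelectSingleNode('//e:UserData/*', $ns)

    $user = ''; $addr = ''; $session = ''
    switch ($Event.Id) {
        4624    { if ($data['LogonType'] -ne '10') { return $null }   # keep only RemoteInteractive logons
                  $user = "$($data['TargetDomainName'])\$($data['TargetUserName'])"; $addr = $data['IpAddress'] }
        1149    { $user = "$($ux.Param2)\$($ux.Param1)"; $addr = $ux.Param3 }
        131     { $addr = $data['ClientIP'] }
        default { $user = $ux.User; $addr = $ux.Address; $session = $ux.SessionID }
    }

    # Caveats from the overview table, surfaced as a column so they survive into the CSV.
    $note = switch -Regex ($addr) {
        '^LOCAL$'          { 'LOCAL source: may be a console (non-RDP) logon' }
        '^::%16777216$'    { 'Possible ngrok tunnel (loopback source with scope id)' }
        default            { '' }
    }

    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Channel     = $Event.LogName
        Id          = $Event.Id
        Description = $descriptions[$Event.Id]
        User        = $user
        SessionId   = $session
        Source      = $addr
        Note        = $note
    }
}

$records = foreach ($channel in $channels.Keys) {
    foreach ($ev in Get-RdpChannelEvents -Channel $channel -Ids $channels[$channel] -Dir $EvtxDir) {
        ConvertTo-RdpRecord -Event $ev
    }
}

$records | Where-Object { $_ } | Sort-Object Time | Export-Csv -NoTypeInformation -Path $OutCsv
$records | Where-Object { $_.Note } | Format-Table Time, Id, User, Source, Note -AutoSize
```

Point `-EvtxDir` at a copy of the target's winevt\Logs folder to run it offline against collected evidence (`.\Get-RdpTimeline.ps1 -EvtxDir C:\cases\host1\winevt`); with no arguments it queries the local host. Correlating the rows by source address and time reproduces the expected chain for a real remote session (131, then 1149, then 4624 type 10, then 21 and 22), so a 131 or 1149 with no following 21 is a connection or authentication that never became a session.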
Tool(s)

The KAPE module LogParser_RDPUsageEvents (built on Microsoft's LogParser) can be used to parse EVTX files and extract the aforementioned Remote Desktop events into a CSV timeline.