Windows events for Remote Desktop connections
Posted by jpluimers on 2021/01/25
Some notes and links, as eventually I want to react to the Windows events raised for successful Remote Desktop connections.
Log files:
- Name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
  Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
- Name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
EventID 25 (as recorded in the Operational channel):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5D896912-022D-40AA-A3A8-4FA5515C76D7}" />
    <EventID>25</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2019-02-06T13:48:02.978377900Z" />
    <EventRecordID>5358</EventRecordID>
    <Correlation ActivityID="{F4203346-1BFB-421E-8668-C7503D590000}" />
    <Execution ProcessID="308" ThreadID="12552" />
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
    <Computer>MACHINE-NAME.subdomain.domain</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>DOMAIN\jeroen</User>
      <SessionID>2</SessionID>
      <Address>192.168.1.42</Address>
    </EventXML>
  </UserData>
</Event>
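The fields that matter for reacting to a reconnect are all in UserData/EventXML: User, SessionID and Address. The PowerShell below is an added example, not code from the original post: it parses event XML of this shape into a flat object and keeps only records where Address is not LOCAL (a LOCAL address is a console reconnect, not an RDP one). The two sample records are constructed for this example; the first copies the values from the event above, the second is a made-up LOCAL reconnect so the filter has something to drop.

```powershell
# Added example (not from the original post). Two constructed Event ID 25 records:
# the first mirrors the record shown in the post, the second is an invented LOCAL reconnect.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5D896912-022D-40AA-A3A8-4FA5515C76D7}" />
    <EventID>25</EventID>
    <TimeCreated SystemTime="2019-02-06T13:48:02.978377900Z" />
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
    <Computer>MACHINE-NAME.subdomain.domain</Computer>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>DOMAIN\jeroen</User>
      <SessionID>2</SessionID>
      <Address>192.168.1.42</Address>
    </EventXML>
  </UserData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5D896912-022D-40AA-A3A8-4FA5515C76D7}" />
    <EventID>25</EventID>
    <TimeCreated SystemTime="2019-02-06T14:02:11.123456700Z" />
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
    <Computer>MACHINE-NAME.subdomain.domain</Computer>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>DOMAIN\jeroen</User>
      <SessionID>2</SessionID>
      <Address>LOCAL</Address>
    </EventXML>
  </UserData>
</Event>
'@
)

function ConvertFrom-RdpSessionEvent {
    # Flattens one TerminalServices-LocalSessionManager event (as XML text) into an object.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $xml  = [xml]$EventXml
        $sys  = $xml.Event.System
        $data = $xml.Event.UserData.EventXML
        # The log writes 9 fractional-second digits; .NET parses at most 7, so trim before parsing.
        $ts = $sys.TimeCreated.SystemTime -replace '(\.\d{7})\d+', '$1'
        [pscustomobject]@{
            TimeCreated = [datetime]::Parse($ts, [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
            EventId     = [int]$sys.EventID
            Computer    = $sys.Computer
            User        = $data.User
            SessionId   = [int]$data.SessionID
            Address     = $data.Address
            # "Source Network Address" LOCAL means a local reconnect, not a remote RDP one.
            IsRemote    = ($data.Address -ne 'LOCAL')
        }
    }
}

function Get-RemoteRdpReconnect {
    # Keeps only Event ID 25 records whose source address is a real remote address.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.EventId -eq 25 -and $Record.IsRemote) { $Record }
    }
}

# Over the constructed sample only the 192.168.1.42 record survives.
$sampleEvents | ConvertFrom-RdpSessionEvent | Get-RemoteRdpReconnect |
    Format-Table TimeCreated, User, SessionId, Address

# Against the live channel on a Windows host (left commented so the sample runs under any pwsh):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 25 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-RdpSessionEvent | Get-RemoteRdpReconnect
```

The SessionId is worth keeping in whatever you do next: it is the key that ties this reconnect to the other events (logon, disconnect, logoff) for the same RDP session.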
Links on the events:
- [WayBack] Is there a log file for RDP connections?
- [WayBack] Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits
A cohesive and comprehensive walk-through of the most common and empirically useful RDP-related Windows Event Log Sources and IDs, grouped by stage of occurrence (Connection, Authentication, Logon, Disconnect/Reconnect, Logoff).
…
Event ID: 25
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session reconnection succeeded:”
Notes: The user has reconnected to an RDP session, when the “Source Network Address” contains a remote IP address. A “Source Network Address” of “LOCAL” simply indicates a local session reconnection and does NOT indicate a remote RDP session reconnection. Note the “Source Network Address” for the source of the RDP connection. This is typically paired with an Event ID 40. Take note of the SessionID as a means of tracking/associating additional Event Log activity with this user’s RDP session. TL;DR: The user has reconnected to an existing RDP session, so long as the “Source Network Address” is NOT “LOCAL”.
- [WayBack] Jeroen Pluimers on Twitter: “How can I run a script (batch or powershell) when a remote desktop connection starts? (either re-connects to an existing Windows logon session, or starts a new Windows logon session)? I know how to cover the last, but not the first.”
- [WayBack] CHUA Chee Wee on Twitter: “Watch Windows event log for RDP events. You’ll figure which one out, then execute a designated script.”
- [WayBack] Jeroen Pluimers on Twitter: “Thanks, found it: Log Name Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Log Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx EventID 25 Now I need to find how to initiate a script on this.”
- [WayBack] CHUA Chee Wee on Twitter: “Manually, it’s within eventvwr, click on the event and right click, select attach task to this event. Programmatically, you’ll need to figure out the equivalent.”
- [WayBack] Jeroen Pluimers on Twitter: “Thanks. In the mean time I was collecting some links for a blog post about this which includes blogs.technet.microsoft.com/wincat/… That’s a more elaborate version of what you describe, so both of these will get me going.”
Links on triggers and scripts running because of events:
- [WayBack] Automation example using Windows Event as trigger : sysadmin
- [WayBack] Trigger a PowerShell Script from a Windows Event – Server and Cloud Partner and Customer Solutions Team Blog
- [WayBack] PowerShell: BgInfo Automation script | Wim’s System Center blog
- [WayBack] Complex Event Processing (Middleware)—a Technical Reference Guide for Designing Mission-Critical Middleware Solutions
- [WayBack] Configure Event Log Forwarding in Windows Server 2012 R2
- [WayBack] Run a scheduled task after a Windows service is started – Super User
- [WayBack] Advanced XML filtering in the Windows Event Viewer | Ask the Directory Services Team
- [WayBack] How to Disable Automatic Updates on Windows 10 | NUCUTA: Disable Windows 10 Update with Windows Task Scheduler
There is no convenient way to disable automatic updates on Windows 10. This guide presents 8 working methods to disable automatic updates with ease.
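The “attach task to this event” route from the Twitter thread, done from PowerShell, as an added example that is not part of the original post or of any of the linked articles. It registers a scheduled task whose trigger is Event ID 25 in the LocalSessionManager/Operational channel, restricted to records whose Address is not LOCAL, and passes User, SessionID and Address from the triggering event to a handler script. The task name, the script path C:\Scripts\On-RdpReconnect.ps1 and its log file are placeholders I chose for the example; the XPath predicate on UserData is checked against the live log with Get-WinEvent before it is wired into the trigger.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Placeholder names: the task name,
# C:\Scripts\On-RdpReconnect.ps1 and C:\Scripts\rdp-reconnect.log.

$channel  = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$provider = 'Microsoft-Windows-TerminalServices-LocalSessionManager'
$taskName = 'On-RdpReconnect'
$script   = 'C:\Scripts\On-RdpReconnect.ps1'

# One XPath serves both the dry run and the trigger: Event ID 25 from this provider,
# and only records whose Address is not LOCAL (LOCAL is a console reconnect, not RDP).
$xpath = "*[System[Provider[@Name='$provider'] and EventID=25]] and *[UserData/EventXML[Address!='LOCAL']]"

# Dry run: confirm the filter matches the history you expect before it drives a task.
Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Address'; e = { ([xml]$_.ToXml()).Event.UserData.EventXML.Address } }

# Handler the task will run, written here so the example is self-contained.
$handler = @'
param([string]$User, [int]$SessionId, [string]$Address)
# Runs as SYSTEM in session 0. $User and $Address come straight from the event: log them, never evaluate them.
$line = '{0:o} reconnect user={1} session={2} from={3}' -f (Get-Date), $User, $SessionId, $Address
Add-Content -Path 'C:\Scripts\rdp-reconnect.log' -Value $line
'@
New-Item -ItemType Directory -Path (Split-Path $script) -Force | Out-Null
Set-Content -Path $script -Value $handler -Encoding ASCII

# Event trigger: New-ScheduledTaskTrigger has no event option, so build the CIM instance directly.
$ns      = 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass (Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace $ns) -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">$xpath</Select>
  </Query>
</QueryList>
"@

# Value queries expose fields of the triggering event to the action as $(Name) placeholders.
$nvClass = Get-CimClass -ClassName MSFT_TaskNamedValue -Namespace $ns
$fields  = [ordered]@{
    User      = 'Event/UserData/EventXML/User'
    SessionID = 'Event/UserData/EventXML/SessionID'
    Address   = 'Event/UserData/EventXML/Address'
}
$trigger.ValueQueries = [ciminstance[]]@(foreach ($f in $fields.GetEnumerator()) {
    $nv = New-CimInstance -CimClass $nvClass -ClientOnly
    $nv.Name  = $f.Key
    $nv.Value = $f.Value
    $nv
})

# Single quotes keep $(User) etc. literal so Task Scheduler substitutes them at run time.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    '-NoProfile -ExecutionPolicy Bypass -File "{0}" -User "$(User)" -SessionId "$(SessionID)" -Address "$(Address)"' -f $script)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances Queue -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action -Principal $principal -Settings $settings -Force
```

Two caveats. The task runs as SYSTEM in session 0, so it is the right place for logging, alerting or firewall changes but cannot show anything in the user's reconnected session; for that, a task running as the user with a "run only when logged on" principal is needed, and the SessionID lets the handler find the matching session. And the $(Address) substitution only exists because the value query asks for it: any field the handler needs has to be listed in ValueQueries, and the handler must treat those values as untrusted input because they are whatever the connecting client reported.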
–jeroen