EventID 21: Session logon succeeded

This event, logged to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel, is logged when an RDP connection is successfully authenticated.

This event is logged on the destination endpoint.

Analysis Value

Username Evidence of Network Activity Source Identification

Operating System Availability

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

❌

Windows XP

❌

Artifact Location(s)

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Artifact Interpretation

Field

Interpretation

Reference

UserData/EventXML/User

This field logs only the username and domain that the RDP connection was attempting to establish a session for.

Username

UserData/EventXML/Address

This field provides the source IP address of an RDP session.

Source Identification

UserData/EventXML/SessionID

This field provides the Session ID, which can be used to correlate between other events in the same log provider.

System/Correlation ActivityID

Provides the ActivityID for the RDP session.

Analysis Tips

Correlation by ActivityID

This event logs an ActivityID, available in the XML path System/Correlation ActivityID. This may be used to correlate activity between other events logged that are related to this activity, such as:

EventID 1149: User Authentication Succeeded

RDP Activity Timeline

Together with EventID 24: Session has been disconnected, by correlating the SessionID field of both events, one can determine the start and end time of an RDP session.

Example

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5d896912-022d-40aa-a3a8-4fa5515c76d7}" /> 
  <EventID>21</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x1000000000000000</Keywords> 
  <TimeCreated SystemTime="2023-07-12T12:01:05.5944806Z" /> 
  <EventRecordID>1520</EventRecordID> 
  <Correlation ActivityID="{f4204024-08a2-45cd-951b-f756f64b0000}" /> 
  <Execution ProcessID="1440" ThreadID="18112" /> 
  <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel> 
  <Computer>HLPC01</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
- <UserData>
- <EventXML xmlns="Event_NS">
  <User>HLPC01\john.doe</User> 
  <SessionID>4</SessionID> 
  <Address>192.168.180.57</Address> 
  </EventXML>
  </UserData>
  </Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044</

Last updated 2 years ago

hashtagAnalysis Value

hashtagOperating System Availability

hashtagArtifact Location(s)

hashtagArtifact Interpretation

hashtagAnalysis Tips

hashtagCorrelation by ActivityID

hashtagRDP Activity Timeline

hashtagExample