EventID 21: Session logon succeeded
This event is written to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
channel when a Remote Desktop Services session is successfully logged on. Note that the same event is also
recorded for console (local) logons; in that case the Address field contains LOCAL rather than a source IP address,
so filter on Address when hunting for RDP activity specifically.
Analysis Value
Username, Evidence of Network Activity, Source Identification
Operating System Availability
Windows 11: ✅
Server 2019: ✅
Windows 10: ✅
Server 2016: ✅
Windows 8: ✅
Server 2012: ✅
Windows 7: ✅
Server 2008: ✅
Windows Vista: ✅
Server 2003: ❌
Windows XP: ❌
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Artifact Interpretation
UserData/EventXML/User
This field logs only the account the session was established for, in DOMAIN\username form (COMPUTERNAME\username for local accounts, as in the example below). It does not record the authentication package or logon type; pair it with Security log EventID 4624 for that detail.
UserData/EventXML/Address
This field provides the source IP address of the RDP client as seen by the target host. For console logons the value is LOCAL. Because the address is what the server observed, connections arriving through NAT, a proxy or an RD Gateway will show the intermediary's address rather than the true client.
UserData/EventXML/SessionID
This field provides the Session ID, which can be used to correlate this logon with the other events in the same log provider (disconnect, reconnect and logoff). Session IDs are reused once a session is logged off, so pair events by Session ID and time order, not by Session ID alone.
System/Correlation ActivityID
Provides the ActivityID for the RDP session.
Analysis Tips
Correlation by ActivityID
This event logs an ActivityID, available in the XML path System/Correlation ActivityID. This may be used to correlate activity between other events logged that are related to this activity, such as:
RDP Activity Timeline
Together with EventID 24: Session has been disconnected, by correlating the SessionID field of both events, one can determine the start and end time of an RDP session. Be aware that a disconnect does not necessarily end the session: the user can reconnect to the same SessionID (EventID 25: Session reconnection succeeded), and only EventID 23: Session logoff succeeded marks the session as actually terminated. A complete timeline therefore walks all four events for a given SessionID in time order.
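The correlation described above, as an added example that is not part of the original page: a small parser for records from this channel, a timeline builder that pairs EventID 21 with the disconnect (24), reconnect (25) and logoff (23) events by SessionID, and a lookup by ActivityID. The sample records are constructed to mirror the EventID 21 example below; the host, user, times, IPs and the second and third ActivityID values are made up, and the function and constant names are this example's own.

```python
"""Added example (not from the original page): correlate LocalSessionManager
events by SessionID and ActivityID. All sample records below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event", "u": "Event_NS"}
LOGON, LOGOFF, DISCONNECT, RECONNECT = 21, 23, 24, 25  # LocalSessionManager event IDs


@dataclass
class LsmEvent:
    event_id: int
    time: datetime
    user: str
    session_id: int
    address: Optional[str]  # read when present; not every event ID carries it
    activity_id: str


def parse_systemtime(value: str) -> datetime:
    """Event Log SystemTime is UTC with 7 fractional digits; datetime keeps 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_lsm_event(xml_text: str) -> LsmEvent:
    """Parse one <Event> record from the LocalSessionManager/Operational channel."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = root.find("e:UserData/u:EventXML", NS)
    return LsmEvent(
        event_id=int(system.findtext("e:EventID", namespaces=NS)),
        time=parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        user=data.findtext("u:User", namespaces=NS),
        session_id=int(data.findtext("u:SessionID", namespaces=NS)),
        address=data.findtext("u:Address", default=None, namespaces=NS),
        activity_id=system.find("e:Correlation", NS).get("ActivityID"),
    )


def session_timeline(events):
    """One row per SessionID. A disconnect (24) only pauses the session, so a
    later reconnect (25) clears the end time; a logoff (23) is the real end."""
    rows = {}
    for ev in sorted(events, key=lambda e: e.time):
        row = rows.setdefault(ev.session_id, {
            "session_id": ev.session_id, "user": ev.user, "logon": None, "end": None,
            "logged_off": False, "sources": set(), "activity_ids": set()})
        row["activity_ids"].add(ev.activity_id)
        if ev.address:
            row["sources"].add(ev.address)
        if ev.event_id == LOGON:
            row["logon"] = ev.time
        elif ev.event_id in (DISCONNECT, LOGOFF):
            row["end"] = ev.time
            row["logged_off"] = ev.event_id == LOGOFF
        elif ev.event_id == RECONNECT:
            row["end"] = None  # session is active again
    for row in rows.values():
        row["remote"] = any(src != "LOCAL" for src in row["sources"])  # console logons show LOCAL
        row["duration_s"] = ((row["end"] - row["logon"]).total_seconds()
                             if row["logon"] and row["end"] else None)
    return sorted(rows.values(), key=lambda r: r["session_id"])


def events_for_activity(events, activity_id):
    """Every record sharing one System/Correlation ActivityID."""
    return [e for e in events if e.activity_id == activity_id]


def sample_xml(event_id, when, user, session_id, address, activity):
    """Constructed record in the shape of the EventID 21 example on this page."""
    addr = f"<Address>{address}</Address>" if address is not None else ""
    return f"""<Event xmlns="{NS['e']}"><System>
  <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" />
  <EventID>{event_id}</EventID><TimeCreated SystemTime="{when}" />
  <Correlation ActivityID="{activity}" /><Computer>HLPC01</Computer>
</System><UserData><EventXML xmlns="Event_NS">
  <User>{user}</User><SessionID>{session_id}</SessionID>{addr}
</EventXML></UserData></Event>"""


ACT_A = "{f4204024-08a2-45cd-951b-f756f64b0000}"  # ActivityID from the page's example
ACT_B = "{0a1b2c3d-1111-2222-3333-444455556666}"  # constructed
ACT_C = "{9e8d7c6b-aaaa-bbbb-cccc-ddddeeeeffff}"  # constructed
SAMPLE_EVENTS = [parse_lsm_event(sample_xml(*args)) for args in [
    (21, "2023-07-12T12:01:05.5944806Z", r"HLPC01\john.doe", 4, "192.168.180.57", ACT_A),
    (24, "2023-07-12T12:30:00.0000000Z", r"HLPC01\john.doe", 4, "192.168.180.57", ACT_A),
    (25, "2023-07-12T13:00:00.0000000Z", r"HLPC01\john.doe", 4, "192.168.180.57", ACT_B),
    (23, "2023-07-12T13:45:30.0000000Z", r"HLPC01\john.doe", 4, None, ACT_B),
    (21, "2023-07-12T08:00:00.0000000Z", r"HLPC01\admin", 1, "LOCAL", ACT_C),
]]

if __name__ == "__main__":
    for row in session_timeline(SAMPLE_EVENTS):
        print(row)
```

On a real system the same parser applies to the XML that `Get-WinEvent -LogName Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | ForEach-Object { $_.ToXml() }` emits, or to records pulled from the .evtx file offline; the `remote` flag separates console logons (Address LOCAL) from genuine RDP sources.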
Example
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5d896912-022d-40aa-a3a8-4fa5515c76d7}" />
<EventID>21</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000000000000000</Keywords>
<TimeCreated SystemTime="2023-07-12T12:01:05.5944806Z" />
<EventRecordID>1520</EventRecordID>
<Correlation ActivityID="{f4204024-08a2-45cd-951b-f756f64b0000}" />
<Execution ProcessID="1440" ThreadID="18112" />
<Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
<Computer>HLPC01</Computer>
<Security UserID="S-1-5-18" />
</System>
<UserData>
<EventXML xmlns="Event_NS">
<User>HLPC01\john.doe</User>
<SessionID>4</SessionID>
<Address>192.168.180.57</Address>
</EventXML>
</UserData>
</Event>
This example was produced on Windows 10, Version 10.0.19044 Build 19044.