# EventID 21: Session logon succeeded

This event is logged to the `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` channel when an RDP connection is successfully authenticated.

{% hint style="info" %}
This event is logged on the **destination** endpoint.
{% endhint %}

## Analysis Value

{% content-ref url="../../../artifacts-by-activity/account-activity/username" %}
[username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/network-activity/evidence-of-network-activity" %}
[evidence-of-network-activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/network-activity/source-identification" %}
[source-identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`

## Artifact Interpretation

| Field                           | Interpretation                                                                                                    | Reference                                                                                                                                   |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `UserData/EventXML/User`        | This field logs only the username and domain that the RDP connection was attempting to establish a session for.   | [username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username "mention")                           |
| `UserData/EventXML/Address`     | This field provides the **source** IP address of an RDP session.                                                  | [source-identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification "mention") |
| `UserData/EventXML/SessionID`   | This field provides the Session ID, which can be used to correlate this event with other events from the same log provider. |                                                                                                                                             |
| `System/Correlation ActivityID` | Provides the ActivityID for the RDP session.                                                                      |                                                                                                                                             |

## Analysis Tips

{% hint style="info" %}

### Correlation by ActivityID

This event logs an ActivityID, available at the XML path `System/Correlation ActivityID`. It may be used to correlate this event with other logged events related to the same activity, such as:

[terminal-services-remote-1149](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149 "mention")
{% endhint %}

{% hint style="info" %}

### RDP Activity Timeline

By correlating the `SessionID` field of this event with that of [terminal-services-local-24](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24 "mention"), one can determine the start and end time of an RDP session.
{% endhint %}

## Example

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5d896912-022d-40aa-a3a8-4fa5515c76d7}" />
    <EventID>21</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-12T12:01:05.5944806Z" />
    <EventRecordID>1520</EventRecordID>
    <Correlation ActivityID="{f4204024-08a2-45cd-951b-f756f64b0000}" />
    <Execution ProcessID="1440" ThreadID="18112" />
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>HLPC01\john.doe</User>
      <SessionID>4</SessionID>
      <Address>192.168.180.57</Address>
    </EventXML>
  </UserData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044.
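The following is an added example, not code from the original page or the Windows Forensics project, showing how the fields in the Artifact Interpretation table are pulled out of exported records shaped like the one above, and how the `SessionID` correlation from the Analysis Tips turns a set of Event 21 and Event 24 records into a session timeline. The sample records are constructed: the first mirrors the record shown on this page, the others (a second logon from a different source address, and a disconnect for session 4) are invented, and the Event 24 record is assumed to carry the same `EventXML` fields as Event 21. The `sessions_from_outside` triage helper and its trusted-network list are likewise assumptions for illustration.

```python
"""Parse exported LocalSessionManager 21/24 XML records and build an RDP
session timeline. All sample records below are constructed for this example."""
from datetime import datetime, timezone
from string import Template
from typing import Dict, List
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces used in exported event XML; EventXML sits in its own "Event_NS".
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event", "u": "Event_NS"}

# Constructed record template. $-style placeholders leave the GUID braces alone.
# Event 24 is assumed to use the same EventXML fields as the Event 21 record above.
RECORD = Template("""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"
              Guid="{5d896912-022d-40aa-a3a8-4fa5515c76d7}"/>
    <EventID>$eid</EventID>
    <TimeCreated SystemTime="$ts"/>
    <EventRecordID>$rid</EventRecordID>
    <Correlation ActivityID="$aid"/>
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
    <Computer>HLPC01</Computer>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>$user</User>
      <SessionID>$sid</SessionID>
      <Address>$addr</Address>
    </EventXML>
  </UserData>
</Event>""")

# Constructed sample log: two logons (21), one disconnect (24); session 5 stays open.
SAMPLE_LOG = [
    RECORD.substitute(eid=21, ts="2023-07-12T12:01:05.5944806Z", rid=1520,
                      aid="{f4204024-08a2-45cd-951b-f756f64b0000}",
                      user="HLPC01\\john.doe", sid=4, addr="192.168.180.57"),
    RECORD.substitute(eid=21, ts="2023-07-12T12:03:40.1000000Z", rid=1521,
                      aid="{00000000-0000-0000-0000-00000000aaaa}",  # constructed
                      user="HLPC01\\svc.backup", sid=5, addr="203.0.113.9"),
    RECORD.substitute(eid=24, ts="2023-07-12T12:45:12.0000000Z", rid=1530,
                      aid="{00000000-0000-0000-0000-00000000bbbb}",  # constructed
                      user="HLPC01\\john.doe", sid=4, addr="192.168.180.57"),
]


def parse_systemtime(value: str) -> datetime:
    """Windows writes 7 fractional digits and a trailing Z; %f accepts at most 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_record(xml_text: str) -> Dict[str, object]:
    """Extract the fields listed in the Artifact Interpretation table from one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    corr = system.find("e:Correlation", NS)
    event_xml = root.find("e:UserData/u:EventXML", NS)
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "activity_id": corr.get("ActivityID") if corr is not None else None,
        "user": event_xml.findtext("u:User", namespaces=NS),
        "session_id": int(event_xml.findtext("u:SessionID", namespaces=NS)),
        "address": event_xml.findtext("u:Address", namespaces=NS),
    }


def build_timeline(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair each Event 21 (logon) with the next Event 24 (disconnect) carrying the
    same SessionID, in time order. A logon with no later disconnect is kept with
    end=None so a still-open session is not silently dropped from the timeline."""
    ordered = sorted(records, key=lambda r: r["time"])
    open_sessions: Dict[int, Dict[str, object]] = {}
    timeline: List[Dict[str, object]] = []
    for rec in ordered:
        sid = rec["session_id"]
        if rec["event_id"] == 21:
            session = {"session_id": sid, "user": rec["user"], "address": rec["address"],
                       "activity_id": rec["activity_id"], "start": rec["time"], "end": None}
            open_sessions[sid] = session
            timeline.append(session)
        elif rec["event_id"] == 24 and sid in open_sessions:
            open_sessions.pop(sid)["end"] = rec["time"]
    return timeline


def sessions_from_outside(timeline, trusted_networks) -> List[Dict[str, object]]:
    """Triage helper (assumed): sessions whose source Address is in no trusted range."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [s for s in timeline
            if not any(ipaddress.ip_address(s["address"]) in n for n in nets)]


if __name__ == "__main__":
    timeline = build_timeline([parse_record(x) for x in SAMPLE_LOG])
    for s in timeline:
        duration = (s["end"] - s["start"]) if s["end"] else "still open"
        print(s["session_id"], s["user"], s["address"], s["start"], s["end"], duration)
    for s in sessions_from_outside(timeline, ["192.168.0.0/16"]):
        print("review:", s["user"], "from", s["address"], "activity", s["activity_id"])
```

Sorting by `TimeCreated` before pairing matters because exported records are not guaranteed to be in chronological order, and keeping the `ActivityID` on each timeline entry is what lets the session be joined to the RemoteConnectionManager 1149 record mentioned above.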
